Re: [Asrg] An "ideal" false positive (TMGRS take 2)

Rich Kulawiec <rsk@gsp.org> Wed, 07 July 2010 11:46 UTC

On Mon, Feb 15, 2010 at 10:18:12AM +0000, Ian Eiloart wrote:
> You're correct, of course, to caution that automatic reporting
> mechanisms will be subject to automated poisoning. We should, of
> course, build mechanisms to defend against such attacks.

Those mechanisms have already been defeated -- and now we're even
starting to see press reports about some of the many failures.

For example:

	http://www.mediapost.com/publications/?fa=Articles.showArticle&art_aid=130320#

which reads in part:

	The complaint details how Mizhen and his affiliates allegedly
	manipulated the statistics that Microsoft's anti-spam system
	relies on by creating millions of new email accounts and then
	moving up to 200,000 of their own messages a day from "junk"
	files into inboxes.

	An associate of Mizhen allegedly contacted Microsoft and
	said that the messages weren't spam -- as evidenced by the
	statistics showing that people moved the messages into their
	inboxes. Microsoft was taken in by the associate's representations
	and unblocked the spam messages, according to its complaint.

Of course, this is just one case that made the popular press, and it only
did so because the spammers involved were sufficiently heavy-handed that
they blew it, and because Microsoft was the target.  Smarter spammers --
of which there are plenty -- are more subtle, and are engaged in similar
creative efforts.  I trust that everyone on this list is capable of
figuring out how Mizhen et al. could have been slightly more clever and
quite likely evaded detection indefinitely.

(Incidentally, note: "millions of new email accounts".  Which, among
other things, is another nail in the coffin of captchas.)

---Rsk