Martijn Grooten | 27 Nov 01:44 2014

Labelling spam through the analysis of protocol patterns

(In the interest of full disclosure, I should say that this paper was
published by my company and presented at a conference we organise. I
have not been involved in the research myself.)

Alexandru Trifan and Andrei Husanu, two researchers from Bitdefender in
Romania, published a paper in which they looked at IP packet sizes in
SMTP connections and how oddities in the sizes could help spot a
spammer. I thought it was a neat idea that may have applications in
other areas of security.

The full paper is here:

Here's a video of the conference presentation:


This is the asrg mailing list.  To change your subscription settings, see

Alessandro Vesely | 13 Sep 18:27 2014


Discard this message, it's just to see if the From: is being rewritten
doesn't say whether it's done for all or just p=reject)


Barry Shein | 11 Jan 05:18 2014


I think I fat-fingered a response on the Taxonomy link John posted...

I liked it, it's fairly complete and already in a good format.

My question was where is "law enforcement" and "civil lawsuits" even
just for completeness' sake?

Is that what's meant under "reputation", reporting to "professional
organizations"? If so it seems like it could be worded better and the
idea is big enough that maybe it deserves its own section.

Or did I miss something?


        -Barry Shein

The World              | bzs <at>           |
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*

Barry Shein | 6 Jan 04:26 2014

Let's try to be productive...

Ok, if we do these tit-for-tats nothing will be accomplished.

It's too easy to take some overly literal interpretation of someone
else's words and spin a rebuttal. And paragraphs of anecdotes from
one's own mailbox really isn't useful either, maybe you're just lucky?

That said:

What's a current taxonomy of what we're trying to deal with?

If I may be so bold, what can we agree on, where should effort be

1. High volume "bulk" mailers with no discernible business
   relationship with intended recipients whose intentions may or may
   not be per se malicious.

   e.g., Hawking herbal viagra -- if that's really what you get it's
   not necessarily malicious. Doing it to a billion mailboxes per day
   unsolicited is a problem. Hawking what appears to be a product
   which is in high rotation on late night TV (e.g., those expandable
   hoses) when all you want is a credit card number to abuse is
   malicious and a problem.

2. Phishers -- those who specifically create deceptive email intended
   to lure recipients into a position of trust so as to defraud them.

3. Direct fraudulent or trust appeals such as 419 ("Nigerian Scam".)
   Also falsely appearing to be a legitimate charity and similar (or
(Continue reading)

Alessandro Vesely | 21 Dec 14:13 2013

Water tight opt-in (yet another FUSSP)

Hi and season's greetings to all!

This Final Ultimate Solution to the Spam Problem is based on two
existing techniques:

1. tagged email addresses

2. web-based subscriptions to newsletters and other marketing stuff.

#1 can be provided by either the user's MSA or a third party.  In
either case, each tagged address should be registered in a DB, along
with some notes such as which company was the address given to.

#2 is obviously the main way that marketers use to collect addresses
legally.  The FUSSP[1] consists in enticing those marketers to declare
the domain name and a List-Id, envelope sender, or similar token that
can be used for email authentication[2].  With such additional data,
the user-side server (their MSA or 3rd party) can have the user login
and confirm the subscription (a step that many marketers still omit
because they fear that users won't click on a link they found in an
email message).  It will then be able to check the sender's compliance.

The term "water tight opt-in" was coined by David Hofstee on SDLU, and
the mechanism is further described in my wiki[3].  I think you don't
have to read the latter to guess how subscribing, checking, and
certifying that a proper subscription was performed can work.  A
reason why marketers would want those subscription certificates is the
upcoming Canadian law enforcement.

(Continue reading)
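To make the subscribe / declare / confirm / check flow concrete, here is an added example (not code from the post or from the wiki it cites) of a user-side tag registry: a tagged address is issued with a note of who it was given to, the marketer declares its sending domain and List-Id, the user confirms, and delivery-time checks compare the message against the confirmed record. The `TagRegistry` class, its method names and the idea that the sender domain has already passed authentication upstream (SPF or DKIM) are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Subscription:
    tagged_address: str        # the tag handed out to exactly one company
    company: str               # note kept with the tag: who it was given to
    sender_domain: str = ""    # domain the marketer declared for authentication
    list_id: str = ""          # List-Id token the marketer declared
    confirmed: bool = False    # set only after the user logs in and confirms

class TagRegistry:
    """User-side registry (MSA or third party) of tagged addresses. Hypothetical."""
    def __init__(self):
        self.tags = {}

    def issue_tag(self, addr, company):
        self.tags[addr] = Subscription(addr, company)

    def marketer_declares(self, addr, sender_domain, list_id):
        """The marketer's subscription form declares the tokens it will send with."""
        sub = self.tags.get(addr)
        if sub is None:
            return False                     # tag was never issued here
        sub.sender_domain, sub.list_id = sender_domain.lower(), list_id
        return True

    def user_confirms(self, addr):
        """The user logs in and approves the subscription for this tag."""
        sub = self.tags.get(addr)
        if sub is None or not sub.sender_domain:
            return False                     # nothing declared yet to confirm
        sub.confirmed = True
        return True

    def check_message(self, rcpt, auth_domain, list_id):
        """Compliance check at delivery time. auth_domain is the sender domain
        that already passed authentication upstream (assumed: SPF or DKIM)."""
        sub = self.tags.get(rcpt)
        if sub is None:
            return False, "unknown tagged address"
        if not sub.confirmed:
            return False, "subscription never confirmed by user"
        if auth_domain.lower() != sub.sender_domain:
            return False, "authenticated domain differs from declared one"
        if list_id != sub.list_id:
            return False, "List-Id differs from declared one"
        return True, "compliant with confirmed subscription"
```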

Martijn Grooten | 18 Jun 22:30 2013

Web host spam vs spam filters

So. I had promised I'd do some research into spam sent from web hosts. Which I did.

I used 64,000 spam messages sent between 27 April and 13 May 2013.

They were sent through 20 spam filters in parallel and real-time.

I defined a 'web host' as an IP address that was listening on port 80 around the time the email was sent.

About 30% of the spam in this corpus was sent from web hosts.

Web host spam bypasses a filter with a probability of 1.04%.

Other spam does so with a probability of 0.29%.

That's a significant difference. (Note that the spam I use tends to be easy to filter. Relatively little
snowshoe spam and dodgy ESPs.)

There's the usual correlation versus causation disclaimer. It could well be that those spammers who use
web hosts (most of which I assume to be compromised, but I didn't look into this) for sending spam are better
at sending spam.

A bit of context here



Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
(Continue reading)
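As an added example (not the poster's own tooling), the calculation behind "web host spam bypasses a filter with a probability of X%" and the "significant difference" claim, run on a small constructed sample and then on the post's own figures. It assumes the rates are per (message, filter) trial, i.e. misses divided by messages times filters, and uses a pooled two-proportion z-test for significance.

```python
import math
from collections import Counter

# Constructed sample shaped like the experiment: every message goes through every
# filter, and a "miss" means that filter let the spam through.
FILTERS = ["f1", "f2", "f3", "f4"]
SAMPLE = [  # (message id, sent from a web host?, filters that missed it)
    (1, True, {"f2"}),
    (2, True, set()),
    (3, True, {"f1", "f4"}),
    (4, False, set()),
    (5, False, {"f3"}),
    (6, False, set()),
    (7, True, set()),
    (8, False, set()),
]

def bypass_rates(sample, filters):
    """Per class, the probability that one (message, filter) trial is a miss,
    i.e. misses / (messages * filters), split into web host vs other."""
    trials, misses = Counter(), Counter()
    for _, webhost, missed in sample:
        key = "webhost" if webhost else "other"
        trials[key] += len(filters)
        misses[key] += len(missed & set(filters))
    return {k: (misses[k], trials[k], misses[k] / trials[k]) for k in trials}

def two_proportion_z(m1, n1, m2, n2):
    """Pooled two-proportion z-test: returns (z, two-sided p-value)."""
    p1, p2, pooled = m1 / n1, m2 / n2, (m1 + m2) / (n1 + n2)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    return z, math.erfc(abs(z) / math.sqrt(2))

def webhost_gap(sample=SAMPLE, filters=FILTERS):
    """Is the web host bypass rate significantly above the rest?"""
    r = bypass_rates(sample, filters)
    return two_proportion_z(r["webhost"][0], r["webhost"][1],
                            r["other"][0], r["other"][1])

def page_figures(messages=64000, filters=20, webhost_share=0.30,
                 rate_webhost=0.0104, rate_other=0.0029):
    """Plug the post's stated figures into the same test (misses rounded
    to whole trials), assuming the rates are per (message, filter) pair."""
    n_web = round(messages * webhost_share)
    nw, no = n_web * filters, (messages - n_web) * filters
    return two_proportion_z(round(nw * rate_webhost), nw,
                            round(no * rate_other), no)
```

On the small sample the gap is not significant (p around 0.3); on the post's figures, with over a million trials, the z statistic is in the fifties and the p-value is effectively zero.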

Hal Murray | 26 Apr 11:51 2013

Re: Spam sent from compromised (web)hosts vs botnet spam

> Alternatively you could send an ICMP packet back.

Single packets are easily forged.  I think it spirals downhill from there.


These are my opinions.  I hate spam.


Barry Shein | 27 Mar 16:26 2013

Speaking of spamhaus...

Possibly interesting:

Big DDoS against SpamHaus, allegedly by CyberBunker...

  ...Recently, Spamhaus blocked servers maintained by Cyberbunker, a
  Dutch web host which states it will host anything with the exception
  of child pornography or terrorism-related material.

  Sven Olaf Kamphuis, who claims to be a spokesman for Cyberbunker,
  said, in a message, that Spamhaus was abusing its position, and
  should not be allowed to decide "what goes and does not go on the

  Spamhaus has alleged that Cyberbunker, in cooperation with "criminal
  gangs" from Eastern Europe and Russia, is behind the attack...


  "If you aimed this at Downing Street they would be down
  instantly," he said. "They would be completely off the internet."

  He added: "These attacks are peaking at 300 gb/s (gigabits per

  "Normally when there are attacks against major banks, we're talking
  about 50 gb/s."...

(Continue reading)

Barry Shein | 26 Mar 18:15 2013


Here's a research-y topic:

How will the various expansions of the network space affect spam and
related? Can we put more flesh on these bones than "a lot!"?

1. IPv6 address space expansion
2. 1000+ new TLDs
3. IDN (Int'l'ized domain names, Chinese, Arabic, etc)
4. Just growth in general, any correlation worth reporting
   or extrapolating?
5. Expansion of mobile etc (smartphones, tablets.) Have there
   been any smartphone botnets (yet)?
6. Evolution of internet governance, for example would entry
   of the ITU/WCIT as a significant governance/regulatory body
   affect current or likely anti-spam measures? Jurisdiction?

One issue I see is that every govt'l or pseudo-govt'l body which steps
up to the plate imagines in their mind's eye that they merely need to
identify what they don't want (e.g., their culture's definition of
"porn"), say it must not be possible -- think of the children!, and
that makes it so.

I often suggest back that humanity would be better served if they
would just outlaw cancer.

But expansion and diffusion of internet governance loci (since no
one's in charge of the internet everyone's in charge) is growing
rapidly as lawmakers around the world discover its power. Even the
Pope tweets!
(Continue reading)

Martijn Grooten | 20 Mar 17:59 2013

Spam sent from compromised (web)hosts vs botnet spam

So, research.

A few people (Chris a.o.) have mentioned the large volume of spam sent from compromised webhosts.

Here someone looked at CBL's stats and found that the ten worst senders of spam are all hosting companies:

I think this isn't just an interesting statistic about spam (like reports listing the ten worst
spam-sending countries), but it may indicate a problem. I suspect most of these senders are normal MTAs,
running Sendmail or Postfix, against which many anti-botspam techniques won't work as well - as such,
these emails may be more likely to slip through filters.

Now I have this setup where I can measure this sort of thing. And I intend to do so. But: any suggestions as to
how to easily and automatically distinguish (web)hosts from bots?

The simplest thing to do would be to check if these machines are listening on port 80. That may be good enough,
but port scanning feels a bit wrong, even if the volumes are pretty small (and I can do it through Tor). I can
also check ASNs, or whois records, but I'm worried I'll end up having to decide whether small Bulgarian or
Brazilian companies are ISPs or hosting providers, or both.

Suggestions are welcome. (As always, "your research idea is flawed" and "you're making wrong
assumptions" are valid suggestions too.)



(Continue reading)

John R. Levine | 20 Mar 14:55 2013

asrg - research or die

For the past couple of days, all I've seen is people rehashing their 
favorite FUSSPs, with nothing new, and no indication that anyone plans to 
do any implementation, research, or anything else.

If you want to have that kind of discussion, the SDLU list which is the 
most recent reincarnation of SPAM-L is here:

Unless I see some indication of research interest, e.g., my often stated 
desire to collect statistics on DNSxL cache behavior so we can try to 
predict how it will or won't work with IPv6, I will shut this list down at 
the end of the week.

John Levine, johnl <at>, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail.

PS: My server, my rules, you know.