CAPTCHAs have been broken by spammers


CamFraser
12-11-2006, 09:53 PM
This came up in some other threads, and Randall mentioned he hadn't heard about it. I figured if he hadn't, many others would appreciate a heads up. This is a general webmaster issue, not email specific.

This hit tech circles almost 3 years ago, so the enemy has had plenty of time to refine the technique:
http://www.silicon.com/research/specialreports/thespamreport/0,39025001,39120541,00.htm
http://weblog.infoworld.com/udell/2004/12/01.html
The original report was also very interesting, however it's on a site with "problematic" content, so I won't post a direct link. It's trivial to find.

I haven't seen any studies of how widespread this is, so for a small site that has not yet encountered problems, it may not be a serious issue. If you already have a CAPTCHA system in place, it may be simplest to leave things as they are.

This is a tough issue for forum/blog registration validation. I prefer the approach of confirmed signup, and forcing the applicant to wait. Here's a recent discussion of how this impacts blogs, with some very interesting ideas:
http://www.jforsythe.com/jforsytheblog/2006/09/21/BeyondCAPTCHAUsingAmazonsMechanicalTurkAsACommentApprovalSystem.aspx

Services like Hotmail, Yahoo, and Gmail are the ones with the biggest problem and risk, because they're offering a service which does not require an existing email address. Fortunately, most here aren't in that boat.

The #1 issue here is contact and related pages. As I mentioned in another thread (http://aota.net/forums/showthread.php?t=21799), when "CAPTCHA farming" (as someone has dubbed this) and more serious security issues hit my radar, a friend recommended I switch from using a web based mail form to a simple mailto with an embedded subject, then filter on the subject. That was very easy to set up in my CNC, and I found abundant threads here with detailed examples (thanks guys and gals!).

The cool thing is that if (when?) spammers try to break this simple technique, it's easy to turn this into a deadly trap for them. They'll have to crawl your site more often, and there are collaborative bot tracking tools that, even with a small userbase, have proven that bots can be accurately tracked and blocked. Even if you're in an early pass and the bot isn't blocked, you'll still be able to find out whether you were hit, and can immediately update the subject word/phrase.

Recently, I switched to using a PHP wrapper which gets the subject word/phrase out of a file. That makes maintenance a little easier, though happily I have yet to see any spammer even try to defeat our subject word filter. :P

Another trap is via the upcoming RBL I mentioned here (http://www.aota.net/forums/showthread.php?t=22198). It wasn't relevant to that thread, so I didn't mention that they plan to aggregate data from accounts that employ this technique. You just have to set up a forward or condredirect for emails that fail a subject test. That's even one of their recommendations for Alpha testers.

That project is being developed by a group of former AT&T Labs engineers, so their skills and expertise are above rational reproach. It's one of a few net security projects they've undertaken since 9/11-Nimda, as an alternative to enlisting. Don't mess with Technomages, particularly when they're angry. :yeah:


As I stated in that thread, mention of that project has offended many members here, so I will discuss it no further. I only post in these forums to promote Firefly (http://www.news-journalonline.com/column/247/03SceneTWEN072005.htm), and had sincerely felt it was disrespectful to do so without contributing some technical content at the same time. Apparently I misjudged (some?) local standards. :rolleyes:
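The subject-phrase technique from the post above, as an added example that is not the poster's own PHP wrapper: the current phrase is read from a file, embedded in the mailto: link, and checked against the Subject of each inbound message so that anything without it can be redirected. Python is used here instead of PHP; the file name, the sample messages and the two-word token format are assumptions, and the "harvested" sample shows the case the post describes, where a bot has crawled the page and the only remaining signal is spam arriving in the filtered inbox, at which point the phrase is rotated.

```python
"""Subject-token contact link and inbound filter (added example, not from the post)."""
import email
import secrets
from email import policy
from pathlib import Path
from urllib.parse import quote

TOKEN_FILE = Path("subject_token.txt")   # assumed location of the current phrase


def load_token(path: Path = TOKEN_FILE) -> str:
    """Read the current subject phrase; a missing or empty file disables the filter."""
    return path.read_text(encoding="utf-8").strip() if path.exists() else ""


def new_token(words: int = 2) -> str:
    """Generate a fresh random phrase (format is an assumption, not the post's)."""
    return "-".join(secrets.token_hex(3) for _ in range(words))


def rotate_token(path: Path = TOKEN_FILE) -> str:
    """Write a new phrase; call this as soon as spam with the current phrase shows up."""
    token = new_token()
    path.write_text(token + "\n", encoding="utf-8")
    return token


def mailto_link(address: str, token: str) -> str:
    """Build the mailto: link the contact page embeds; the subject is percent-encoded."""
    return f"mailto:{address}?subject={quote(token, safe='')}"


def classify(raw: bytes, token: str) -> str:
    """Return 'deliver' if the Subject carries the current phrase, else 'redirect'."""
    # policy.default decodes RFC 2047 (=?utf-8?q?...?=) subjects, which a plain
    # regex on the raw header would miss for clients that encode the subject.
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").casefold()
    return "deliver" if token and token.casefold() in subject else "redirect"


# Constructed sample messages, not real traffic.
SAMPLES = {
    "visitor": b"From: alice@example.net\r\nSubject: Re: site-q7k2-b1x9 question\r\n\r\nHi!",
    "encoded": b"From: bob@example.net\r\nSubject: =?utf-8?q?site-q7k2-b1x9_=C3=A4?=\r\n\r\nHallo",
    "bot": b"From: promo@example.org\r\nSubject: Cheap pills\r\n\r\nBuy now",
    "harvested": b"From: promo@example.org\r\nSubject: site-q7k2-b1x9\r\n\r\nBuy now",
}
```

A message that passes the filter but is clearly spam (the "harvested" case) means the phrase has been crawled; rotating it with rotate_token and regenerating the link is the response the post describes.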