• United States

How some spammers bypass spam filters

Apr 27, 20062 mins
Enterprise ApplicationsMalware

* Are spammers smart?

Just like almost everyone else, I regularly go through my spam quarantines to make sure that there are no valid messages that inadvertently get trapped in them. Typically, spam is easily identifiable because of goofy subject lines and the large number of variations in the way that a popular medication is spelled, or Leetspeak  (one source calculated that there are 1.3 quadrillion ways of spelling the name of that medication).

Other reasons are the fact that I don’t know anyone with extremely odd names, or anyone else with an auto-generated name, the presence of multiple messages in a row with the same subject line, obvious misspellings, and so forth. However, once in a while, I find a spam message in my quarantines that prompts me to look at the content because it might just be a valid e-mail that mistakenly got trapped – the subject line looks just valid enough. I open the message because I don’t want to risk overlooking a message that inadvertently got labeled as a false positive.

Interestingly, however, clever or convincing spam messages are the relatively rare exception, not the rule. Why? Since spam writers are trying to separate you from your money, it’s obvious they’re not sending their content for fun, so that doesn’t explain why most spam is so obviously spam. Is the average spam writer just not very bright? That’s probably not it either, since many spammers are relatively intelligent, able to earn significant amounts from their activities.

The most obvious explanation, of course, is that strange content, lots of nonsensical words, or passages from old literature are meant to fool spam filters into letting spam get through by making these filters think a human wrote the content. Many spammers are focused on creating randomization in their messages to bypass pattern-based filters (hash-busting), although for a lot of newer spam filters it’s not a very effective technique anymore. For example, neither of the anti-spam systems that I use (one on my local machine and another from a hosted provider) will typically allow this content through to my inbox.

However, this content still is pumped out by the billions by spammers in an attempt to bypass filtering systems.

I’d like to hear your thoughts on the changes you’re finding in spam, particularly the ease or difficulty with which you can find obvious spam in your quarantine – please drop me a line.