CastleCops, Internet Crime Fighters

Brendan: How are the spamsinks going?
Forum: All -> FavForums -> The SpamForce Project
Brendan (Lieutenant, Premium Member; Joined: Mar 29, 2004; Posts: 187; Location: UK)
Posted: Sat Dec 11, 2004 3:38 am

Hello Eggy.

Thanks for your posts and further comments.

Quote:
Specifically, AFAIK, if a virus-carrying message is sent to a spam-sink address hosted by an ISP that uses a server-side AV product to monitor incoming mail, and instead of delivering the original virus-laden message delivers some sort of non-delivered notice to the intended recipient (i.e. the spam-sink address), this legitimate notice of action taken is still forwarded to FA! because it is delivered to the spam-sink address. Note that this is not a bounce in any sense. It is a simple substitution of a non-spam message for one that likely was spam, but which the ISP chose not to deliver. As such, it will fall totally on the FA! admins to review and not log these messages as KNOWN SPAM.


Currently, there are many Mailwasher users that get a great deal of spam and actually decide to report everything, or possibly some because they look like viruses, which claim you have a virus and incite the recipient to click on malicious links (etc.). When this happens, it obviously shifts the balance of responsibility more towards the administrators, whereas most of us would afford more consideration and forethought when manually reporting spam. Furthermore, when individual reporters make false reports, these can be at any time of day or night.

The difference with automated reports, generated the instant that spam-sinks are targeted with similar spams, is that they add a further dimension in the timing and similarity of messages and hyperlinks (etc.) arriving from a variety of different networks. As more supporters join the project, it becomes increasingly likely that similar message constructs from different networks would get reported early, therefore progressively improving the ability to more easily distinguish widespread abuse from legitimate generic messages sent by an ISP on one network or another - which are likely to differ between them.

Obviously the first line of defence in the form of report moderators will continue to exist until such a time that we can be confident in this or any similar approach to help avoid false positives, all as part of properly monitoring and adapting the service as the support-base gains momentum.

Quote:
I suspect the second question concerns the spamforce disclaimer:

Quote:
We reserve the right to re-classify, suspend or close any member portal where misuse, misappropriation or abuse is suspected, or where provided contact details are invalid.

I interpret this question as a request to clarify under what conditions, or at what thresholds, FA!/spamforce will decide that a spam-sink address is being misused by receiving legitimate mail which results in additional work for the FA! admins. And this is the question which I don't think has been addressed.


It's difficult to comment on specific scenarios or thresholds at this stage, though generally if a portal was identified as repeatedly forwarding what appear to be legitimate messages from legitimate senders (further evidenced by headers, etc), or if say the number of reports were to very dramatically increase within a short time-frame with message constructs ultimately not in evidence from other spamsinks for example, then this might suggest abuse of the spam-sinks or allocated portal. This disclaimer just points out the position of the administrators for any cases where misuse or abuse is suspected.

Quote:
This means of hiding text has long been known to the search engine operators, as it has been used in the past to spam their databases with terms which are inappropriate or unapplicable to the page on which they are hidden.


Yes, this is a fair point. Though rankings may not be of particular concern to private users who might choose to construct websites for friends, family and associates, often with page rankings in the gadzillionth down the list anyway (perhaps simply directing others to their 10Mb of ISP space by providing their URL), this could have a negative impact for companies that rely on page rankings and a significant web presence bolstered by search engines.

I would therefore suggest that one safer means of hiding text on a page is to drop it into a comments section - such as bound by <!-- and --> markers. Anything in a comments section is not intended to be revealed on a web-page, and it is therefore unlikely that anything bounded by comment markers (such as spam-sink addresses) would bring about a reduction in page ranking. Please let me know however if I am mistaken on this point.

Another safe method is where you have visitor feedback/enquiry web-forms set up on your page (i.e. parsing field contents to an Email address) and can filter incoming messages server-side, then the filter could apply rules on the Email account where the form is directed towards. If the repeatable header and/or content from the form is not present in the message then it is simply re-directed off to the portal (maybe via a spam-sink address).

Of course the same approach could also be performed client-side, so that if you were to download what are intentionally completed web-form contents from your collection Email address and receive spam as a result of being harvested, then simple message rules on the client could be set to forward on to your spam portal any illegitimate messages identified in the same way.


Brendan.


_________________
NEVER say "Never"!
Eggman5X (Captain; Joined: Mar 13, 2003; Posts: 699; Location: HOU TX USA)
Posted: Tue Dec 14, 2004 9:57 am

Just to make sure we're on the same page:

Code:
Date: Thu,  9 Dec 2004 13:27:05 -0600
Message-Id: <200412091327.AA2762801442@ISP.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: "postmaster" <postmaster@mail.ISP.net>
Reply-To: <postmaster@mail.ISP.net>
X-Sender: <postmaster@ISP.net>
To: <CUSTOMER@ISP.net>
Subject: WARNING: YOU WERE SENT A VIRUS

The virus software on ISP.net has reported that you were
sent a virus from supprefnum24@suntrust.com, with the subject "BANKING MAIL FROM SunTrust Bank [Thu, 09 Dec 2004 23:25:22 +0400]". 
The E-mail containing the virus has been removed to prevent further damage.


This is a slightly modified and pared down copy of an actual message I receive about 10-20 times a day.

The AV is controlled by the ISP. Unlike their server-side spam detection, I do not have the option of turning the AV or the notifications off, for one address or for all.

Thus, if I setup an address with this ISP to use as a spamsink - with the hopes it would catch the same spam as my "real" addresses, and thus serve as a spam-decoy (spam-condom?) - a similar message will be generated and sent TO THE SPAMSINK ADDRESS whenever a message arrives which the AV thinks carries a virus. The original message - the SPAM - has already been deleted and will not be forwarded to my portal, and thus not reported to FA! - - - BUT - - - the "legitimate" notice that a virus was detected, WILL BE FORWARDED TO MY PORTAL ADDRESS, etc., etc.

Now as I also understand things (could be mistaken, of course) when virus attacks occur they are aimed at the largest number of addresses, and thus machines, as possible. So I'm guessing that on "Thu. 09 Dec" I was one of thousands of customers of this ISP that received a warning about this particular message.

If enough of an ISP's customers were also participating in the SpamForce Project, a significant number of these messages would end up being automatically reported to FA!, and since the subject and content of this multitude of messages would obviously be very similar, it seems, as you say, that the burden of marking this message as "NOT KNOWN SPAM" (if you will) falls on the FA! Admins.

Quote:
It's difficult to comment on specific scenarios or thresholds at this stage, though generally if a portal was identified as repeatedly forwarding what appear to be legitimate messages from legitimate senders (further evidenced by headers, etc), or if say the number of reports were to very dramatically increase within a short time-frame with message constructs ultimately not in evidence from other spamsinks for example, then this might suggest abuse of the spam-sinks or allocated portal. This disclaimer just points out the position of the administrators for any cases where misuse or abuse is suspected.


In the scenario described above:
  • A portal is repeatedly forwarding what are legitimate messages from legitimate senders.
  • The number of reports dramatically increases within a short time-frame (typical for a virus attack).
  • The message construct may or may not be in evidence from other spamsinks, depending on the number of customers of the same ISP who are reporting and how much similarity is required for the construct to be considered the same.


Now we have a two-horned dilemma: If the FA! Admins miss and let these become "KNOWN SPAM", other FA! users - at least those using the same ISP, and possibly those using any ISP that uses the same server-side AV tool - get FALSE "KNOWN SPAM" results from FA! But, if the FA! Admins correctly mark these messages as NOT SPAM, the number of legitimate messages the spamforce user is reporting rises.

What I guess I'm trying to get at is that, as ISPs continue taking a more proactive attitude toward spam and viruses, and providing more "protection" to their customers, specifically when such protection is provided without an option to "opt-out", there needs to be an answer for what will likely become a couple of FAQs:

1) What can I do to keep from reporting legitimate automated messages from my MAILSERVER to my SPAMSINK address(es) to spamforce?

2) Will my SpamForce portal be shut down as a result of reporting legitimate messages over which I have no control?

For example, in my case, if I setup a spamsink address with this ISP, in addition to setting the mailbox to forward to my spamforce portal, the answer to 1) is to also set an incoming filter to catch this type of message based on Subject: (which is always the same) and From: postmaster. What I don't know is, if the forward occurs before or after the filter, or if I can control that.

I'm assuming the answer to 2) is "We will make every reasonable effort not to, but sometimes of course, T-H-I-S happens."

In fact, I'm thinking something similar to the instructions on the About SpamForce page re: catch-all addresses and not automatically reporting the "generic" addresses (abuse@, postmaster@, webmaster@, etc.) should be posted for the individual user re: filtering mail from postmaster@, mailer-daemon@, etc. At least for the "intermediate" user who is somewhere between "novice" and "technically advanced" perhaps?

Eggy


_________________
Lightly scrambled, over-easy and stuffed with all sorts of goodies.
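As an added example, not part of the SpamForce project and not code from either poster, the forwarding decision both posts describe, in Python: mail reaching a spam-sink is held back from the portal when it is the mail system's own automated notice (From: postmaster@ or mailer-daemon@, or the fixed Subject of the ISP virus warning quoted above) or when it carries the hidden marker that the site's own feedback form always submits (Brendan's web-form filter); everything else is forwarded. The marker header name and value, the sender list and the three sample messages are constructed assumptions; the AV notice sample is rebuilt from the headers in Eggy's post.

```python
"""Spam-sink forwarding filter (added example; all names marked below are assumptions)."""
import email.utils
import re
from email import message_from_string

# Local parts of senders whose mail is generated by the mail system itself
# (the generic addresses from the About SpamForce guidance, applied to incoming mail).
AUTOMATED_SENDERS = {"postmaster", "mailer-daemon", "abuse", "webmaster"}
# The fixed Subject of the ISP virus notice quoted in the post.
AUTOMATED_SUBJECTS = [re.compile(r"^WARNING: YOU WERE SENT A VIRUS", re.I)]
# Assumed hidden marker the site's own web form stamps on every submission,
# both as a header (server-side rule) and as the first body line (client-side rule).
FORM_MARKER_HEADER = "X-Form-Token"          # assumption
FORM_MARKER_VALUE = "site-feedback-form-2004"  # assumption


def sender_localpart(msg):
    """'"postmaster" <postmaster@mail.ISP.net>' -> 'postmaster'."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[0].lower()


def is_automated_notice(msg):
    """True for mail the ISP's mail system generated rather than a third party."""
    if sender_localpart(msg) in AUTOMATED_SENDERS:
        return True
    subject = msg.get("Subject", "")
    return any(p.search(subject) for p in AUTOMATED_SUBJECTS)


def is_form_submission(msg):
    """True when the message carries the marker only the real web form adds."""
    if msg.get(FORM_MARKER_HEADER, "") == FORM_MARKER_VALUE:
        return True
    body = msg.get_payload(decode=True) or b""
    return body.decode("utf-8", "replace").startswith("[" + FORM_MARKER_VALUE + "]")


def classify(raw):
    """Return 'hold:notice', 'hold:form' or 'forward' for one raw RFC 2822 message."""
    msg = message_from_string(raw)
    if is_automated_notice(msg):
        return "hold:notice"
    if is_form_submission(msg):
        return "hold:form"
    return "forward"


def triage(raw_messages):
    """Classify a batch; only the 'forward' entries would go on to the portal."""
    return [classify(m) for m in raw_messages]


# Constructed sample 1: the ISP notice, rebuilt from the headers quoted in the post.
AV_NOTICE = """\
From: "postmaster" <postmaster@mail.ISP.net>
To: <spamsink@ISP.net>
Subject: WARNING: YOU WERE SENT A VIRUS
Content-Type: text/plain; charset=us-ascii

The virus software on ISP.net has reported that you were sent a virus.
The E-mail containing the virus has been removed to prevent further damage.
"""

# Constructed sample 2: a submission from the site's own feedback form.
FORM_MAIL = """\
From: webform@example.org
To: <feedback@example.org>
Subject: Feedback form
X-Form-Token: site-feedback-form-2004

[site-feedback-form-2004]
Name: A. Visitor
Message: Nice site.
"""

# Constructed sample 3: a pitch to the harvested address; no marker, not a system sender.
HARVESTED = """\
From: "Best Offers" <deals1923@offers.example>
To: <feedback@example.org>
Subject: Cheap meds 4u #88213

Order now at http://pills.example/?id=88213 and save 70%
"""

if __name__ == "__main__":
    for name, raw in (("AV_NOTICE", AV_NOTICE), ("FORM_MAIL", FORM_MAIL), ("HARVESTED", HARVESTED)):
        print(name, "->", classify(raw))
```

Run the filter before the forward, not after it, which answers Eggy's ordering question for the client-side variant: the client fetches the sink mailbox, drops anything classified as hold, and only then forwards. Two caveats: From: is trivially forged, so this rule can only suppress a report, never vouch for a message (a spoofed postmaster@ simply goes unreported, which is the safe failure for the portal), and the form marker must be something a harvester never sees, i.e. set by the form handler, not printed in the page source next to the address.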
Brendan (Lieutenant, Premium Member; Joined: Mar 29, 2004; Posts: 187; Location: UK)
Posted: Fri Dec 17, 2004 2:26 am

Hello Eggy.

The essence of the SpamForce approach is that spam messages are identified not simply from content rules (e.g. Filters and common message traits) but actually by the extent of abuse.

Common spam, by its very nature, will target any Email address on any network and in significant volume, and therefore central monitoring by the FirstAlert! system adds a further dimension to spam identification which is not otherwise possible.

What this means is that spam is evidenced where like messages are arriving from a plethora of different accounts across different networks, and perhaps in a given timeframe.

Currently, the number of possible reports within a preferably short time from across a variety of networks is relatively limited while the spam-contributory support is not so widespread. Therefore, for the interim and before we develop that "critical mass", FirstAlert! report moderators will play a key role in assessing and logging spam as they do already - particularly to guard out the false reports which a minority of Mailwasher users irresponsibly make.

However, as SpamForce expands its supporter base and therefore the distributed number of spam-sinks in active service, then the probability of spam hitting a considerable number of different spam-sinks existing on different networks, and within a suitably short time-frame, will proportionally increase.

In turn, this will develop a progressive improvement in the quantity, speed and therefore accuracy of positive spam detection and further guard out logging of false reports that you mention. This is because the same legitimate message construct sent to your spam-sink from your particular server will not be reported in significant volume from other networks in the same way as spam.

That said, you need not be concerned about having your portal inadvertently and permanently black-holed as we're already expecting legitimate reports of this nature to arrive via spamsinks, and it is relatively easy to establish whether the source is legitimate from other aspects of the message.

I'm sorry that for security reasons I am unable to elaborate further, though hopefully you get the picture.


Brendan.


_________________
NEVER say "Never"!
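Brendan's description of FirstAlert!'s central monitoring, in this post and in his earlier reply about similar message constructs arriving from different networks, is the kind of logic a worked example makes concrete: spam is evidenced by like messages reaching many accounts on different networks within a short time, whereas a legitimate notice from one ISP's server comes from one network only. The Python below is an added example and not FirstAlert! code (Brendan says the real criteria are not disclosed). It fingerprints each reported message with numbers and URL paths stripped, then asks how many distinct source networks reported the same fingerprint inside any one-hour window. The window, the network threshold and the report set (one pitch hitting five sinks on four networks, Eggy's ISP virus notice reported several times from one network, and a third pitch reported from three networks days apart) are constructed assumptions.

```python
"""Cross-network correlation of spam-sink reports (added example; assumptions marked)."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed "suitably short time-frame"
MIN_NETWORKS = 3              # assumed: distinct networks needed inside one window

URL_RE = re.compile(r"https?://([^/\s]+)\S*", re.I)
NUM_RE = re.compile(r"\d+")


def fingerprint(subject, body):
    """Collapse per-copy variation (tracking ids, timestamps, URL paths) so
    copies of one mailing share a key; unrelated messages keep distinct keys."""
    text = (subject + "\n" + body).lower()
    text = URL_RE.sub(lambda m: "url:" + m.group(1), text)  # keep the host only
    text = NUM_RE.sub("#", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def correlate(reports):
    """Group reports by fingerprint and, per group, find the largest number of
    distinct source networks that reported it inside any WINDOW-long span."""
    groups = defaultdict(list)
    for r in reports:
        groups[fingerprint(r["subject"], r["body"])].append(r)
    out = {}
    for fp, group in groups.items():
        group.sort(key=lambda r: r["time"])
        best = 0
        for i, first in enumerate(group):
            nets = {r["network"] for r in group[i:] if r["time"] - first["time"] <= WINDOW}
            best = max(best, len(nets))
        out[fp] = {
            "subject": group[0]["subject"],
            "reports": len(group),
            "networks_in_window": best,
            "verdict": "known-spam" if best >= MIN_NETWORKS else "moderator-review",
        }
    return out


def verdict(reports, subject, body):
    """Verdict for the group a given message belongs to."""
    return correlate(reports)[fingerprint(subject, body)]["verdict"]


# Constructed reports. "network" is the ISP hosting the spam-sink that received the copy.
T0 = datetime(2004, 12, 9, 13, 0)


def report(minutes, network, subject, body):
    return {"time": T0 + timedelta(minutes=minutes), "network": network,
            "subject": subject, "body": body}


MEDS = "Order now at http://pills.example/?id={0} and save 70%"
NOTICE = ('The virus software on ISP.net has reported that you were sent a virus '
          'from supprefnum24@suntrust.com, with the subject "BANKING MAIL FROM '
          'SunTrust Bank [Thu, 09 Dec 2004 23:25:22 +0400]".')
VERIFY = "Please verify your account within 24 hours at http://login.example/verify"

REPORTS = [
    # one mailing, five sinks on four networks within 22 minutes; ids differ per copy
    report(0,  "isp-a.example", "Cheap meds 4u #88213", MEDS.format(88213)),
    report(4,  "isp-b.example", "Cheap meds 4u #19022", MEDS.format(19022)),
    report(9,  "isp-c.example", "Cheap meds 4u #55710", MEDS.format(55710)),
    report(15, "isp-a.example", "Cheap meds 4u #60341", MEDS.format(60341)),
    report(22, "isp-d.example", "Cheap meds 4u #71109", MEDS.format(71109)),
    # Eggy's scenario: the ISP notice, reported in volume but only from ISP.net
    report(1,  "ISP.net", "WARNING: YOU WERE SENT A VIRUS", NOTICE),
    report(2,  "ISP.net", "WARNING: YOU WERE SENT A VIRUS", NOTICE),
    report(3,  "ISP.net", "WARNING: YOU WERE SENT A VIRUS", NOTICE),
    report(6,  "ISP.net", "WARNING: YOU WERE SENT A VIRUS", NOTICE),
    # three networks, but spread over days: no single window holds more than one
    report(-2880, "isp-a.example", "Verify your account", VERIFY),
    report(-1440, "isp-b.example", "Verify your account", VERIFY),
    report(0,     "isp-c.example", "Verify your account", VERIFY),
]

if __name__ == "__main__":
    for rec in correlate(REPORTS).values():
        print(f'{rec["verdict"]:16} reports={rec["reports"]} '
              f'networks={rec["networks_in_window"]} subject={rec["subject"]!r}')
```

The notice group shows why Brendan can say a portal will not be black-holed for forwarding it: four copies arrive in five minutes, but all from one network, so it never reaches the "known-spam" threshold and goes to a moderator instead. The fingerprint is deliberately crude; random-word hash-busting or one-network-at-a-time sending still splits or delays groups, which is exactly the gap the moderators cover while the supporter base is small.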
All times are GMT