Category Archives: Spam

Lessons from a Spam Attack: Moderation, Alerts, and Beware Auto-Sharing

I had to clean up a spam flood last week. A reader sent me an email that Speed Force’s Facebook feed appeared to have been hacked. TL;DR: someone had posted a couple dozen spammy pictures to the site’s Flickr group, which were then auto-shared to Facebook and Twitter. Fortunately there was no unauthorized access, just misuse of an open forum, or cleanup could have been a lot worse.

So I removed all the posts from Facebook and Twitter, replied to all the reports, posted an “oops” on each network and the blog itself, banned the spammy account, and tightened moderation on the group.

Lessons learned:

  1. Don’t auto-share anything that you don’t control.
  2. Moderate all the things!
  3. Maybe notification alerts aren’t such a bad idea after all.

Spamfighting vs. Privacy

Here’s a fascinating look back at the spam wars by former Gmail spamfighter Mike Hearn.

I was involved for most of the previous decade as (among other things) the email admin for a small ISP. We used a mix of public blacklists, a private blacklist, virus filtering, SpamAssassin with both shared rules and local custom rules, and various other tools all tied together, some at the Sendmail level and the rest through MIMEDefang. It worked tolerably well, though of course it wasn’t perfect. I find it amusing that Gmail declared victory on spam in 2010, the same year that I changed jobs to a position that was more software developer and less sysadmin.

Privacy is a growing concern these days, so he also talks about the impact that widespread end-to-end email encryption would have on spam fighting. If you’re the mail handler, you can’t filter on, say, links found in the message, or characteristics of the writing or formatting, or anything else in the content. You can’t even run statistical analysis on all known spam and non-spam to see which the new message fits better. All you can do is look at where it came from and where it’s going.

Moving the spam filter to the client lets you do content filtering on your own mail, but you can’t take advantage of the larger volume of data that an ISP can, which means your filtering isn’t going to be as effective. And if your main email client is your phone, that’s really going to slow it down — and chew up battery.

Encrypting more of our communication is probably the way to go, but we’ll have to come up with new approaches to some previously-solved problems like this.

It got me thinking: Most of us not only accept that our email providers will look inside our mail to filter spam and viruses, we expect it. That’s weird. The idea of the post office looking inside our letters is so abhorrent that even tracking programs raise concerns. The idea of an actual person reading our email in transit creeps us out. Many people have problems with the idea of automated systems (like Gmail) reading our email for purposes of targeted advertising. But spam filtering? We get upset if it’s not happening!

That says something interesting about our priorities, and about how big an impact unfiltered spam has on our email.

Via ma.tt. Image by geralt.

Autogenerate THIS!

Spam is annoying at the best of times, but over the years I’ve learned to tune it out (and in some cases find amusement in it). But a spam comment that I’ve been seeing across several blogs lately is just plain insulting.

I see a lot of interesting content on your page. You have to spend a lot of time writing, i know how to save you a lot of time, there is a tool that creates unique, SEO friendly posts in couple of minutes… [Search terms omitted because I don’t want to give them the publicity.]

Right: So I’ve got interesting content, I clearly spend a lot of time writing, but you’re telling me I should use some tool to auto-generate everything instead. Autogenerate this, jerkwad!

Though I do have to admit I’m amused at the idea of autogenerated spam clogging up the comment sections of autogenerated articles…

This Email Is Not Spam

Whenever you see “This email is not spam,” think of Obi-Wan Kenobi saying, “These aren’t the droids you’re looking for.” Of course, spammers are less convincing than Jedi (though they do rely on influencing weak-minded fools).

Legitimate Spam Reports

Return Path says the majority of spam complaints relate to legitimate emails.

There are two issues here:

  1. A lot of people don’t make a distinction between “email I don’t want anymore” and “email I didn’t want in the first place,” even though the appropriate responses are different. (One deserves an unsubscribe. The other deserves reporting, blocking, censure, etc.)
  2. A lot of marketers…how shall I put this?…make rather optimistic assumptions about whether people want their marketing messages.

Originally posted on Google+