Slides from Toorcon 2004

Spam: my slides from the presentation I gave at Toorcon 2004, ‘Spam Forensics: Reverse-Engineering Spammer Tactics’, are now up. Hope they prove enlightening ;)


ToorCon

Conferences: Hey — I’m talking at ToorCon 2004 down in San Diego this weekend! Come along and check it out, if you can.

I’d better hurry up and file my presentation slides pronto ;) The topic is:

Spam Forensics: Reverse-Engineering Spammer Tactics

In this talk, I’ll discuss how the SpamAssassin project has identified reliable signatures indicating that a message is spam, by reverse-engineering spammer tactics from the spam mails themselves. I’ll also discuss several specific features that we have identified, how we found them, and why the spammers add them.


(Untitled)

Some folks reckon that mailservers should have reverse DNS — in other words, that the SMTP server should have a fully-valid forward-to-reverse mapping for its address, to cut down on spam and forgeries. All well and good.

Some other folks reckon that filtering on it is therefore a good way to cut down on spam.

It’s a nice idea, apart from 2 things:

  • filtering based on this suffers the same problem some DNSBLs have: a false positive hurts the user, rather than the person who is at fault; also the user is virtually powerless to fix it.

  • the correlation between spam and missing reverse DNS is no longer as strong as it used to be, as far as I can tell; spammers know they should pick a relay or proxy with a reverse DNS entry to get through filters, and as it becomes a requirement for relaying in general, more hosts have this anyway (regardless of exploitability or not).
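
The forward-to-reverse check discussed above, as an added example (not code from the original post or from SpamAssassin): it classifies a client IP's reverse DNS and turns the result into a score contribution to combine with other tests rather than a hard reject, which is the false-positive concern in the first bullet. The lookup tables, addresses and weights are constructed for illustration.

```python
import ipaddress
import socket

# Hypothetical weights: weak evidence to combine with other tests, never a reject.
RDNS_WEIGHTS = {"confirmed": 0.0, "mismatch": 0.5, "no_ptr": 1.0}

def _system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except OSError:
        return []

def _system_addrs(name):
    """A/AAAA addresses for name from the system resolver (empty set if none)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def fcrdns_status(ip, ptr_lookup=_system_ptr, addr_lookup=_system_addrs):
    """Return 'confirmed', 'mismatch' or 'no_ptr' for a connecting client IP."""
    target = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return "no_ptr"
    for name in names:
        # A PTR alone is controlled by whoever owns the IP block; it only
        # counts if the name it claims resolves back to the same address.
        if any(ipaddress.ip_address(a) == target for a in addr_lookup(name)):
            return "confirmed"
    return "mismatch"

def rdns_score(ip, **lookups):
    """Score contribution for ip; lookups are passed through to fcrdns_status."""
    return RDNS_WEIGHTS[fcrdns_status(ip, **lookups)]

# Constructed sample data (documentation address ranges), so this runs offline.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.org"], "192.0.2.20": ["host20.example.net"]}
SAMPLE_A = {"mail.example.org": ["192.0.2.10"], "host20.example.net": ["198.51.100.7"]}
SAMPLE = {"ptr_lookup": lambda ip: SAMPLE_PTR.get(ip, []),
          "addr_lookup": lambda name: SAMPLE_A.get(name, [])}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, fcrdns_status(ip, **SAMPLE), rdns_score(ip, **SAMPLE))
```

Called without the `SAMPLE` lookups, `fcrdns_status` uses the system resolver.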
