Chapter 8: Spam Filters: Advanced Detection and Evasion

Filters and Spammers

As demonstrated in Chapter 7, various simple elements inserted into spam can help reduce a spam’s chance of detection. If properly applied, ten lines of random data and Base64 encoding can mean a world of difference to a spam message. Although this methodology will bypass the majority of older filters and most new implementations of spam filters, what about the more extreme spam filters? In other words, how do you bypass filters that have advanced tools for catching spam?

Filters are becoming increasingly intelligent. A watchful mail server can now run at a 99.995 percent spam detection rate. Filters have become so sophisticated that they can detect the subtlest techniques used to evade legacy filters. The idea is to not only detect the content as spam-related, but to detect any evasion methods used within the spam that attempt to hide or obfuscate the content from the filter. Filter techniques such as Bayesian Noise Reduction (utilized by popular filter DSPAM) are capable of detecting purposely inserted random data, the lack of legitimate words, and obvious random strings that can be parsed out of an e-mail during a pre-parsing process, before the main Bayesian filter is even used. Meanwhile, hash-based spam filters are also becoming increasingly smarter, where hashes are generated from random locations of e-mail. The entire spam message must be unique for every recipient because the spammer has no idea which part of the body will be used to create the message checksum. The idea of natural language parsing is being debated as a method of true spam detection that would allow a machine to read and fully understand the context of e-mail, just as a human would. Based on the e-mail’s content, the machine would then judge whether it is or isn’t spam.

As you can see, life is getting harder for spammers because new filter techniques are ruining the means of their livelihoods. Luckily, the next generation of spam filters are small in their implementations; over 60 percent of mail servers on the Internet are running legacy-based technology for spam filtering. It will take several years for the majority of spam filters to be updated to this new breed of detection. By then, spamming and filter evasion techniques will have to evolve considerably in order for spammers to continue to profit from spam.

The game has also shifted from a technical game to a linguist’s game. Filters are becoming so smart that the only real way to evade a filter is to say exactly what you mean without the filter understanding what you mean. For example:

“She a bit of a go’er? Wink, wink, Nudge, Nudge, say no more, say no more.”

You may have an idea of what I’m talking about, but if the spam filter is unfamiliar with Monty Python language it will fail to understand what the body of this e-mail is hinting at.

This chapter focuses on the next generation of spam filters and the evasion techniques being used to bypass these cutting edge technologies. The majority of work in this chapter is in flux because the filters mentioned here are so new that ideas have not been fully researched. I believe there is much room for creative thought in this field. The focus of evasion has shifted from being sneaky and obfuscating the data, to trying to normalize spam and raise no suspicions from a filter. In other words, blending perfectly into a crowd is becoming the only evasion method available.