
Whitelist Spam Attacks Threaten Blogs and Email

Spammers are employing a new tactic to attack blogs, and it's a tactic that could bring down the anti-spam measures protecting not only the Blogosphere but e-mail too.

Blog spammers are attacking blogs with their typical messages, but they have a new, ingenious, and potentially catastrophic trick: they incorporate links to legitimate, respectable domains into those attacks. The net result is that automated spam filters, even so-called "smart filters" like Dr. Dave's Spam Karma plug-in for WordPress-based blogs, are blacklisting domains like CNN.com, IMDB.com, MacCentral.com, and dozens of others.

The anti-spam engine on one of my high-ranking sites, for example, blacklists 15 to 25 respectable domains daily. Should I actually get a comment from someone at MacCentral.com, the anti-spam system will kill the comment before I see it. In the past that site has received comments from people working for, and e-mailing from, MacCentral.com.

Although someone might already have coined a different term, I call this type of spamming Whitelist Attacks.

This is only the beginning. Ninety days ago I was seeing one or two Whitelist Attacks per week; they now average two dozen per day on each of my Web sites and on those of several other professional bloggers. Whitelist Attacks are effective, and their scope and frequency are increasing.

Whitelist Attacks are designed to accomplish two goals:
1. Exploit whitelists of respectable domains to sneak past spam filters; and
2. Cause enough erroneously blacklisted domains that bloggers and e-mail administrators abandon automated filters entirely.

While the top spam-filtering engines are currently too smart for goal #1 to work, goal #2 is quickly becoming a reality.

Follow Whitelist Attacking through to its logical conclusion. Spam bots record where they attack; say they try to hit YourBlog.com. Once they have found and attacked that site, they can easily incorporate that domain into their future attacks against other sites, so hundreds (and eventually hundreds of thousands) of automated spam filters will begin blacklisting YourBlog.com. In the end, the blogging community will be crippled by the fact that we have all blacklisted each other's domains.

The effects won't be limited to preventing bloggers from commenting on each other's blogs.

The blacklists generated by blog spam filters are frequently shared, even among non-bloggers, and often exported for use as e-mail blacklists. Imagine some, then half, then most of your personal and professional e-mail being undeliverable because an automated system has your domain on a blacklist.

Blacklists are also often published online, viewable by the public and indexed by search engines. What would be the damage to your reputation of being publicly labeled a spammer? If you work at the Gap, it probably wouldn't bother you too much; it might even raise your street cred. But if you're a professional…

Three-List Exploits
Current anti-spam systems typically evaluate blog comment and e-mail content looking for bad words, known bad domains, or more than some arbitrary number of links. If a system finds any one of these conditions, it stops the message, either by placing it into a moderation queue or mail folder or by killing it outright. The more advanced systems operate on a three-list principle:

Whitelists are known good domains and terms, and are usually administered manually: a human must deliberately add to the list a condition that, if met, passes the message through without further challenge.

Blacklists are known bad domains and terms: the pharmaceutical, adult, and online gaming terms we all know and despise, and the domains of those (whom we despise even more) who peddle them through unsolicited e-mail and blog comments. Messages containing domain names or terms on the blacklist are stopped and held or deleted before delivery.

In between the two extremes of always deliver (whitelists) and always stop (blacklists) are greylists. Greylists contain terms or conditions that may be marks of spamming but may also be innocuous; evaluating them is too complicated for current technology and must be left to a human. Once a message meets a greylist condition, it is segregated from the rest of the e-mail or comments and placed into a moderation queue or special folder for later human evaluation. The e-mail administrator or blogger then manually enters the queue or folder and reviews the message content to make a final determination of its fate. (Note that in mail-server terminology "greylisting" usually means temporarily rejecting mail from an unknown sending host and waiting for a legitimate server to retry; the sense used here is a hold-for-review list.)

Whitelist spamming and Whitelist Attacks attempt to use the three-list system against itself, either by slipping through on a whitelist approval condition or by causing so many false positives that denials and segregation based on blacklists, and even greylists, become self-defeating and are abandoned.

Because of the content and quality of their messages, spammers are often characterized as uneducated, stupid, or random and disorganized. Nothing could be further from the truth.

Spamming is a profitable business, with annual global revenues measured in billions of dollars. While some spammers are the uneducated morons who believe every get-rich-quick scheme Carlton Sheets tries to sell them on late-night television, they are not the ones from whom you will typically receive spam. The majority of spam comes from large, exceptionally organized, and highly motivated syndicates whose numerous crimes are grounded in the real-world concerns of drugs, guns, and racketeering. Spam and spam-related activities are merely one of their business interests. These organizations have virtually unlimited funding for research and development of new techniques and methodologies to defeat anti-spam measures, and they employ some very intelligent people for that purpose.

Those who perpetrate Whitelist Attacks understand how computers, the Internet, and your mind operate. They realize the limitations of three-list anti-spam techniques and, more to the point, they recognize that administrators of such systems are too busy to babysit them. Whitelist spammers know that the more time they force us to spend manually scrutinizing our automated white-, grey-, and blacklists, the less useful those lists become. Automated systems only work for us so long as they remain automated; the moment we perceive administering them as more labor-, time-, or mentally intensive than dealing with spam at the inbox, we will abandon those automated systems entirely, opening the floodgates to spam once more.

As spammers well know, three-list filtering is the most effective and accessible anti-spam methodology currently available. In the eyes of the professional spam industry, three-list filtering on blogs and mailboxes is the single largest impediment to growing their bottom line, and beating it is their highest priority. With Whitelist Attacks, which require nothing more than adding one more URL to their messages, they have found an easy, effective, and low-cost way of defeating three-list spam filtering.

Someone needs to find a way to combat Whitelist Attacks, and swiftly. More advanced algorithms need to be devised: algorithms that evaluate the style, structure, and verbiage of blog comments and e-mail messages, but that can also recognize reputable domains and exclude them from what the filter learns. Global whitelists must be created to prevent every domain referenced in a spam message from being added automatically to a blacklist. If an evaluated message contains adult-oriented text and a link to a domain that matches the rules for an undesirable site, but happens to carry a spoofed return address of Steve.Jobs@Apple.com, the automated filters protecting the mailbox need to be smart enough to add the spam domain to the blacklist for future matching without adding Apple.com. The crucial distinction is that such a global list must mean "never learn this domain as bad", not "always deliver": a list that passes any message merely because it mentions Apple.com is exactly the bypass that goal #1 describes.
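As an added illustration of the three-list system described above and of the fix just proposed (this is example code written for this page, not code from the original post, from Spam Karma, or from any other filter), here is a small comment filter in Python. Run with naive=True it reproduces the behaviour complained about: a whitelisted link short-circuits the other checks, and every link in a spam comment is learned as bad, so the reputable domain the spammer included is blacklisted and the next honest comment linking it is killed. Run with naive=False it applies the blacklist before the whitelist and never learns a whitelisted or protected domain. The comments, domains and list contents are constructed for the demonstration.

```python
from __future__ import annotations
import re

# Three-list (whitelist / greylist / blacklist) comment filter with a learning
# blacklist, in a naive and a hardened variant. Example code for this page.
LINK_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z]+")


def linked_domains(comment: str) -> set[str]:
    """Domains linked from a comment, lower-cased, with a leading 'www.' dropped.
    A production filter would reduce to the registrable domain via the public
    suffix list; the prefix strip is enough for this demonstration."""
    hosts = set()
    for host in LINK_RE.findall(comment):
        host = host.lower()
        hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts


class ThreeListFilter:
    """naive=True: whitelist match passes unconditionally (goal #1) and every
    link in a spam comment is learned as bad (goal #2).
    naive=False: blacklist is checked first and reputable domains are never learned."""

    def __init__(self, whitelist, blacklist, bad_terms, protected=(), max_links=2, naive=False):
        self.whitelist = set(whitelist)    # admin-maintained: deliver without challenge
        self.blacklist = set(blacklist)    # known bad domains; grows as spam is seen
        self.bad_terms = set(bad_terms)    # known bad words
        self.protected = set(protected)    # global list of reputable domains (hypothetical)
        self.max_links = max_links         # more links than this is held for a human
        self.naive = naive

    def classify(self, comment: str) -> str:
        """Returns 'delivered', 'greylisted' (held for moderation) or 'blocked'."""
        domains = linked_domains(comment)
        words = set(WORD_RE.findall(comment.lower()))
        whitelisted = bool(domains & self.whitelist)
        known_bad = bool(domains & self.blacklist or words & self.bad_terms)

        if self.naive and whitelisted:
            return "delivered"             # the whitelist short-circuits everything: the bypass

        if known_bad:
            learned = domains - self.blacklist
            if not self.naive:
                learned -= self.whitelist | self.protected   # never learn reputable domains
            self.blacklist |= learned
            return "blocked"

        if whitelisted:
            return "delivered"
        if len(domains) > self.max_links:
            return "greylisted"
        return "delivered"


# Constructed comments for the demonstration; all domains are placeholders.
SPAM = "Cheap pills at http://pillz.example and news at http://www.cnn.com"
LEGIT = "Good post; CNN covered it too: http://www.cnn.com/story"
BYPASS = "Cheap pills at http://pillz.example as seen on http://yourblog.example"
LINKY = "Sources: http://a.example http://b.example http://c.example"


def demo(naive: bool) -> dict:
    """Runs the constructed comments, in order, through a fresh filter."""
    f = ThreeListFilter(
        whitelist={"yourblog.example"},
        blacklist={"pillz.example"},
        bad_terms={"pills"},
        protected={"cnn.com", "apple.com"},
        naive=naive,
    )
    return {
        "spam": f.classify(SPAM),
        "legit_after_spam": f.classify(LEGIT),   # collateral damage shows up here
        "bypass": f.classify(BYPASS),
        "linky": f.classify(LINKY),
        "cnn_blacklisted": "cnn.com" in f.blacklist,
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("naive" if mode else "hardened", demo(mode))
```

The two variants differ only in the order of the checks and in what the blacklist is allowed to learn; that ordering, not the lists themselves, is what decides whether one extra URL in a spam comment buys the spammer a bypass or a poisoned blacklist.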

Whitelist attacking is an ingenious response by professional spammers to the most advanced anti-spam systems currently protecting blogs and e-mail inboxes. It is a methodology that carries grave consequences for hundreds of thousands of bloggers, and its effects will, if left unchecked, cripple the Blogosphere. Graver still, the reach and potential damage of Whitelist Attacks hits e-mail filtering systems equally and threatens the Internet far beyond blogs.


10 Responses

  1. Matthew Treder says:

    Am I being naïve to suggest that whitelist domains such as Apple.com in your example above simply be given "protected" status? There are user-defined ways to identify truly worthwhile sites (StumbleUpon.com being one popular application of the technology) and separate out the drivel, or worse.

  2. Hi, Matthew.

    See, that's just the problem of whitelist spam: if you protect Apple.com, then any spam message that includes that domain would automatically get through. That's exactly what spammers are hoping for, which is why they're including sites like Apple.com in their messages. Three-list anti-spam engines aren't yet smart enough to figure out what to do with a message containing two URLs, one being unknown to it (Apple.com) and the other known bad (a porn site, for example). In those cases, the anti-spam engine creates an association between the known bad and the unknown, deciding that the unknown must be bad and therefore should be blacklisted.

    While it is feasible for humans to go in and individually whitelist good domains, it's totally unwieldy to whitelist the millions of respectable domains out there. While most sites will never get a fraction of those as blog comments or e-mail, there are still thousands of potential domains from which desired messages may come. One cannot whitelist them all, nor can one realistically investigate every blacklisted message or domain on a busy site.

    See the problem now?

  3. Matthew Treder says:

    Yeah. And I definitely think you're on to something that's not getting much ink in the mainstream press, but probably should be. (Or would that only make things exponentially worse?)

  4. Spammers tend to share information like any other profession. I don't think mainstream press coverage would exacerbate the problem. It would, however, get more people working on a way to combat it.

  5. Tim says:

    I like your site.
    Blogs with comment windows that you have to click to open keep the dialogue under wraps. Blogs like this one, which string comments out in the open, are much more proactive about sparking dialogue.

  6. derf says:

    See the Sender Policy Framework (SPF) at http://www.openspf.org. If the email says it's from Apple.com but the sending email server doesn't match an allowed IP address for one of Apple's listed email servers, it doesn't get through. The SPF check needs to be before the whitelist check. It's not perfect, and subject to a DNS attack, but it would make the spammer's job more difficult if every email domain had it implemented.

  7. Someone else below asked this already about antispam scripts.
    I am getting nailed with spam on my website mails and in our blog website; now it's offline, too much spam. Is there any way to stop this? If not, there really isn't any point in leaving it up and active. Any help will be greatly appreciated.

    Thanks for help, keep up the good work. Greetings from Poland
