Re: checksumming image spam

2006-05-22 Thread Paul Matthews
I see in my webmin module, 'Location of DCC client program', but I don't
think I have it installed. What package should I be looking for? I'm
running RHEL4; can I install it from up2date, or is there an RPM out
there? Any information on using DCC with SpamAssassin and RHEL would be
great.

> http://www.nytimes.com/2006/05/21/business/yourmoney/21spam.html
>
> Matt Sergeant (of MessageLabs, and one of the early SpamAssassin
> committers too!) is interviewed about spam, with a bit of relevance
> regarding image checksumming (which we've been talking about recently):
>
>
>   The spammers were trying to circumvent the world's junk-mail filters by
>   embedding their messages -- whether peddling something called China
>   Digital Media for $1.71 a share, or a "Hot Pick!" company called GroFeed
>   for just 10 cents -- into images.
>
>   It worked, but only briefly. Antispam developers at MessageLabs, one of
>   several companies that essentially reroute their clients' e-mail traffic
>   through proprietary spam-scrubbing servers before delivering it, quickly
>   developed a "checksum," or fingerprint, for the images, and created a
>   filter to block them. [...]
>
>   Shortly after MessageLabs created a filter to catch the stock spams, the
>   images they contained changed again.
>
>   They were now arriving with what looked to the naked eye like a gray
>   border. Zooming in, however, the MessageLabs team discovered that the
>   border was made up of thousands of randomly ordered dots. Indeed, every
>   message in that particular spam campaign was generated with a new image
>   of the border -- each with its own random array of dots. [...]
>
>   "We actually developed some technology to detect borders in images and
>   figure out the entropy -- that is, to figure out if the border was
>   random," Mr. Sergeant said. "So that was fine." Of course, shortly
>   afterward, "they decided to stop using the borders," he added.
>
>   From there, the senders began placing a small number of barely
>   perceptible and, again, randomly placed dots -- a pink one here, a blue
>   one there, a green one near the bottom -- throughout the images. Then
>   they shifted to multiple images, with words spelled partially in plain
>   text and partially as images, so that the content, when viewed on a
>   common e-mail reader like Outlook or AOL, would look like an ordinary
>   message.
>
>
> Aside from that techie stuff, it's a good interview too ;)
>
> --j.
>


-- 
Paul Matthews
Junior Network Technician | The Cathedral School
Ph  (07) 47222 194 |  Fax (07) 47222 111
PO Box 944 Aitkenvale Q 4814
E:  [EMAIL PROTECTED]
W: www.cathedral.qld.edu.au

Anglican coeducation | Day and Boarding | Early Childhood to Year 12
Educating for life-long success



***

IMPORTANT NOTICE REGARDING CONFIDENTIALITY

This electronic email message is intended only for the addressee and may
contain confidential information. If you are not the addressee, you are
notified that any transmission, distribution or photocopying of this email
is strictly prohibited. The confidentiality attached to this email is not
waived, lost or destroyed by reasons of a mistaken delivery to you.
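
The checksum and border-entropy steps described in the quoted article, as an added example that is not part of the original thread and is not MessageLabs' code. The constructed grayscale images (nested lists), the 4-pixel border width and the 6-bit entropy threshold are assumptions made for illustration.

```python
import hashlib
import math
import random
from collections import Counter

BORDER = 4  # assumed frame width in pixels


def on_border(x, y, w, h, b=BORDER):
    return x < b or y < b or x >= w - b or y >= h - b


def make_image(w, h, rng=None):
    """Constructed sample: uniform body (200) inside a frame that is flat
    gray (128), or random dots when an RNG is supplied."""
    return [[(rng.randrange(256) if rng else 128) if on_border(x, y, w, h) else 200
             for x in range(w)] for y in range(h)]


def checksum(img):
    """Exact fingerprint over every pixel: any changed dot changes it."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def shannon_entropy(pixels):
    """Bits per pixel: 0 for a flat area, close to 8 for uniform noise."""
    n = len(pixels)
    return -sum(c / n * math.log2(c / n) for c in Counter(pixels).values())


def border_entropy(img):
    h, w = len(img), len(img[0])
    return shannon_entropy([img[y][x] for y in range(h) for x in range(w)
                            if on_border(x, y, w, h)])


def has_random_border(img, threshold=6.0):
    """Flag a frame whose pixel values look random (threshold is assumed)."""
    return border_entropy(img) > threshold


def interior_checksum(img):
    """Fingerprint only the area inside the frame, ignoring the noise."""
    return checksum([row[BORDER:-BORDER] for row in img[BORDER:-BORDER]])


if __name__ == "__main__":
    a = make_image(64, 48, random.Random(1))  # two messages, same campaign
    b = make_image(64, 48, random.Random(2))
    print("full checksums match:    ", checksum(a) == checksum(b))
    print("border entropy (bits):   ", round(border_entropy(a), 2))
    print("interior checksums match:", interior_checksum(a) == interior_checksum(b))
```

Once the dots are scattered through the whole image rather than confined to a border, as the article goes on to describe, neither the border test nor the interior checksum applies any more.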




RE: checksumming image spam

2006-05-22 Thread Sietse van Zanen
DCC is at: http://www.rhyolite.com/anti-spam/dcc/
 
Don't know about rpm's, you can try http://rpmfind.net (Don't think they have 
RH EL rpms)
Or http://dag.wieers.com
 
But probably you'll have to compile it yourself (As I did for my RH EL3), which 
is pretty simple.
 
-Sietse



From: Paul Matthews [mailto:[EMAIL PROTECTED]
Sent: Mon 22-May-06 13:16
To: users@spamassassin.apache.org
Subject: Re: checksumming image spam



I see in my webmin module, 'Location of DCC client program', but I don't
think I have it installed. What package should I be looking for? I'm
running RHEL4; can I install it from up2date, or is there an RPM out
there? Any information on using DCC with SpamAssassin and RHEL would be
great.

> http://www.nytimes.com/2006/05/21/business/yourmoney/21spam.html
>
> Matt Sergeant (of MessageLabs, and one of the early SpamAssassin
> committers too!) is interviewed about spam, with a bit of relevance
> regarding image checksumming (which we've been talking about recently):
>
>
>   The spammers were trying to circumvent the world's junk-mail filters by
>   embedding their messages -- whether peddling something called China
>   Digital Media for $1.71 a share, or a "Hot Pick!" company called GroFeed
>   for just 10 cents -- into images.
>
>   It worked, but only briefly. Antispam developers at MessageLabs, one of
>   several companies that essentially reroute their clients' e-mail traffic
>   through proprietary spam-scrubbing servers before delivering it, quickly
>   developed a "checksum," or fingerprint, for the images, and created a
>   filter to block them. [...]
>
>   Shortly after MessageLabs created a filter to catch the stock spams, the
>   images they contained changed again.
>
>   They were now arriving with what looked to the naked eye like a gray
>   border. Zooming in, however, the MessageLabs team discovered that the
>   border was made up of thousands of randomly ordered dots. Indeed, every
>   message in that particular spam campaign was generated with a new image
>   of the border -- each with its own random array of dots. [...]
>
>   "We actually developed some technology to detect borders in images and
>   figure out the entropy -- that is, to figure out if the border was
>   random," Mr. Sergeant said. "So that was fine." Of course, shortly
>   afterward, "they decided to stop using the borders," he added.
>
>   From there, the senders began placing a small number of barely
>   perceptible and, again, randomly placed dots -- a pink one here, a blue
>   one there, a green one near the bottom -- throughout the images. Then
>   they shifted to multiple images, with words spelled partially in plain
>   text and partially as images, so that the content, when viewed on a
>   common e-mail reader like Outlook or AOL, would look like an ordinary
>   message.
>
>
> Aside from that techie stuff, it's a good interview too ;)
>
> --j.
>








RE: checksumming image spam

2006-05-22 Thread Paul Matthews
> DCC is at: http://www.rhyolite.com/anti-spam/dcc/
>
> Don't know about rpm's, you can try http://rpmfind.net (Don't think they
> have RH EL rpms)
> Or http://dag.wieers.com
>
> But probably you'll have to compile it yourself (As I did for my RH EL3),
> which is pretty simple.

Okay, I'll install it from source. Where do I find the source? And can you
also tell me what Pyzor is, and what does it do?




RE: checksumming image spam

2006-05-22 Thread Sietse van Zanen
Source can be found at the URL I gave you:
http://www.rhyolite.com/anti-spam/dcc/
 
Pyzor is basically the same as razor2. Major difference is that pyzor is 
written in python and razor2 in perl.
Don't know if there is much sense in using pyzor, as it seems close to dead. 
The main server is quite unresponsive and the project has not been updated for 
about 1.5 years.
It can be found at http://pyzor.sourceforge.net
Read the Mailing List before you decide to compile and use it. Somebody has 
set-up a new server recently and it does give me some positives, also nearly 
not as many as razor.
 
 
Razor is also a good check, but it is only free for personal use (same as dcc): 
http://razor.sourceforge.net
Razor compile and install is a bit more difficult than dcc or pyzor, as it 
might need a whole lot of perl modules (depending on what is already there), so 
better get your CPAN right and use perl newer than 5.8.3.
 
-Sietse
 


From: Paul Matthews [mailto:[EMAIL PROTECTED]
Sent: Mon 22-May-06 15:16
To: Sietse van Zanen
Cc: users@spamassassin.apache.org
Subject: RE: checksumming image spam



> DCC is at: http://www.rhyolite.com/anti-spam/dcc/
>
> Don't know about rpm's, you can try http://rpmfind.net (Don't think they
> have RH EL rpms)
> Or http://dag.wieers.com
>
> But probably you'll have to compile it yourself (As I did for my RH EL3),
> which is pretty simple.

Okay, I'll install it from source. Where do I find the source? And can you
also tell me what Pyzor is, and what does it do?






RE: checksumming image spam

2006-05-22 Thread SRH-Lists
 
> Razor is also a good check, but it only free for personal use 
> (same as dcc): http://razor.sourceforge.net
> Razor compile and install is a bit more difficult than dcc or 
> pyzor, as it might need a whole lot of perl modules 
> (depending on what is already there), so better get your CPAN 
> right and use perl newer than 5.8.3.
>  
> -Sietse

As of March 30, 2006, Razor2 no longer has the "Personal Use Only"
clause.

http://sourceforge.net/mailarchive/forum.php?thread_id=10079360&forum_id=4258


Folks,

I am pleased to announce that with the release of razor-agents
2.81[1] a new service policy has been introduced, that makes the
use of Razor2 service completely open and free. A license
introduced in 2003 restricted usage by third party integrators,
but the new license unencumbers all usage, commercial or
otherwise.

My company, Cloudmark, hosts and manages the backend
infrastructure that Razor2 agents use for reporting spam and
checking fingerprints. Cloudmark retains the right to deny
service to anyone abusing the backend, but will not, under
normal circumstances, restrict usage in any way.

Share and Enjoy!

vipul

[1]
http://prdownloads.sourceforge.net/razor/razor-agents-2.81.tar.bz2?download



RE: checksumming image spam

2006-05-23 Thread Paul Matthews
>> Razor is also a good check, but it only free for personal use
>> (same as dcc): http://razor.sourceforge.net
>> Razor compile and install is a bit more difficult than dcc or
>> pyzor, as it might need a whole lot of perl modules
>> (depending on what is already there), so better get your CPAN
>> right and use perl newer than 5.8.3.
>>
>> -Sietse
>
> As of March 30, 2006, Razor2 no longer has the "Personal Use Only"
> clause.

http://sourceforge.net/mailarchive/forum.php?thread_id=10079360&forum_id=4258

So I see that razor is now free, but what about DCC? I went to the DCC
website shown in another post.

http://www.rhyolite.com/anti-spam/dcc/

And I didn't see anything about payment, or being free for only personal
use; the only thing I found about it is this.

The Distributed Checksum Clearinghouse source carries a license that is
free to organizations that do not sell filtering devices or services
except to their own users and that participate in the global DCC network.
(I.e. ISPs that use the DCC to filter mail for their own users are
intended to be covered in the free license.) You also can't call it your
own or blame anyone for using it.

And to me that sounds like me running a Small Business Server I should be
alright?