Yildiz.edu.tr

Abstract Spam has grown to become a major threat for email
positives are more dangerous by far, in a business environment communication. Although spam filters' degree of sophistication
a false positive might have been a customer ordering a has increased ever since, they still produce huge amounts of false
product. Failing to notice this message due to an overacting positives and false negatives thereby reducing the reliability of
spam filter might not only mean a loss in sales but also filtering
liability for not delivering the requested products, thereby implemented, the hardware requirements for mail servers
increasing the potential financial losses from a false positive increase to avoid the risk of denial of service situations. Some
already claim that mail filtering has reached its limits and ask for
more preventive solutions to fight spam. One would be to
Also, spam filtering increases the risk of security leaks on an significantly increase the risk of a spammer being sued for
SMTP server: The more complex filters are, some even damage compensation or, if legislation permits, for criminal
implement OCR to identify image spam, the more computing offence. But spammers try to hide their real identity. This paper
power they consume, the higher are the requirements on the discusses several methods to identify spammers and analyses
mail server's hardware. With each and every message taking under which circumstances they might be a valid proof in court.
longer to be processed, the mail server will only be able to Categories and Subject Descriptors
handle less requests per second. This again increases the risk K5.0 Legal Aspects of Computing – General. Forensics, of a denial of service attack on the mail server. [7][8][9] On the other hand, each additional line of code increases the General Terms
risk of bugs, which in turn might lead to a remote exploitable security hole, decreasing overall system security.
Keywords
Taking all this into consideration together with the limited Spam, Forensics, Address trading, Identification abilities of spam filtering, it is obvious that spam filtering isonly a short term solution helping to reduce the symptoms of INTRODUCTION
the spam plague, but not a long term approach.
Although not anticipated by the founders of the Internet, email has become one of the most accepted and often used preventively reduce spam to work around the limits of spam applications of the Internet. But with an ever increasing filtering. Those methods have their focus on technical methods percentage of unwanted email, users slowly start to think to prevent spam. However, there might be non-technical ways about switching to other means of communication. Some use of reducing a spammer's return on investment, where an instant messaging instead, others return to the fax, albeit it is investment does not necessarily mean a financial engagement but also other risks, such as being sentenced to prison, a Although the definition of spam seems to float, with some spammer is willing to take in order to earn their living.
authors restricting it to unsolicited commercial email and Although there is no evidence of spammers assessing their others broadening it up to any unsolicited bulk email, individual risks and calculate their money-worth equivalent, it including mass emails sent to distribute viruses, worms and is likely that they only accept certain risks because of the Trojans, hoaxes and even chain letters, they share the chance to earn enough to out weight it. Different authors observation that spam makes up for the vast majority of all estimated that a spammer's daily income exceeds 5.000 US$ emails sent worldwide, be it more than 80% in July 2007 according to [1] or even more than 97%, as claimed by T- If either the risk of being sued for spamming was higher or Online, one of Germany's biggest email providers [2].
the expected revenue was less, less spammers were willing to Unfortunately, spam filters only offer more or less accurate take the risk associated to their business. This is plausible, heuristics to help sorting spam and ham, as the opposite to considering the extremes: With more countries changing their spam is often called. Recent surveys [3][4][5] found that false law and declaring spamming as a criminal offence, if every positives rates of those filters might be as high as 18% and spammer was arrested and sentenced, the risk would be too false negatives easily reach 20%. Although false negatives, i.e.
high to pay off. The other extreme is obviously the spammers spam not marked as spam, are annoying to the user, false income being zero because no one would buy his advertisedproducts.
Permission to make digital or hard copies of all or part of this Unfortunately, in reality, the later extreme seems unlikely to work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or come true soon. Obviously, there are enough users to buy commercial advantage and that copies bear this notice and those spamvertised products, although more and more people the full citation on the first page. To copy otherwise, or are aware that buying these is one of the main reasons for the republish, to post on servers or to redistribute to lists, spam problem. Unfortunately, with the low quality of current requires prior specific permission and/or a fee. e-Forensics 2008, January 21-23, 2008, Adelaide, Australia. 2008 ICST 978-963-9799-19-6. spam filters, there is no way to prevent people from buying sentenced to jail with the consequence of either bailing out or demanding a bigger share of the money earned.
Therefore, from an anti-spammer's point of view, it is ORGANISATION OF THIS PAPER
enough, if some parties of the spam business are exposed, This paper is organised as follows. Section describes the even though some will have a chance to escape without being spam business and the steps necessary to spam. It analyses how division of labour is done in spam business. Section For the following analysis of those tasks, it does not matter than looks on how spam senders could be identified and who performs them, but where to start investigating them.
knowledge, the majority of the concepts mentioned there have Product provisioning
not been researched for their forensic use yet. The methods Generalising, spammers only offer products out of four described in the following section choice a different approach in trying to identify another player in the spam tangible goods, such as drugs or coffee machines business, the address trader. Section proposes a new intangible goods, such as mortgages, sexually explicit method, the usage of a distributed tar pit network, to offer a safe and probative way to investigate an address trader's services, such as access to “adult” dating communities, identitiy. In the last section we conclude and give an email addresses to spam to or even email advertising stock spam, where a spammer buys stocks and later advertises them to sell them after they up ticked.
OW SPAMMERS WORK
Obviously, products out of the last two categories do not In order to find ways to attack spammers, it is helpful to require a complex purchasing processes. Provisioning them is analyse how they work, because this might offer hints on how no problem, because there is no physical product.
to unmask them. A first step in this analysis is to determine the Intangible products are often as easily provided: Software different tasks involved in a spam run.
for download is in most cases a pirate copy easily copied as In preparation of a spam run, the spammer needs to provide often as needed, erotic pictures are available from lots of the products intended for sale, acquire email addresses of – sources in the Internet and might be reproduced as required.
from his point of view – potential customers, needs to provide To sell tangible goods, a spammer has basically two options.
a secure and anonymous payment system and might need to He might act as a sales agent or sell the items as a vendor install an online shop or a web site somewhere. To send out himself. The latter means stocking those products or ordering the spam, a spammer needs ideally a system not listed on any “just in time”, introducing the economic risk of overstocking black list and a somewhat fast Internet connection to send out and privacy risk of sending the items might identify the as many messages as possible. As soon as the first complaints vendor. Acting as a sales agent however reduces the potential about him spamming are coming in, a spammer needs to have income to the commission the vendor offers.
an infrastructure allowing him to work around the ban hisprovider might have imposed. Also, when the first orders are Product delivery
placed, the spammer needs a delivery system hiding his own Similar problems to provisioning tangible goods are identity to protect him from nosy investigators.
associated to their delivery. If they are mailed with a validsender's address, the recipient might identify the spammer.
Division of labour
However, depending on the product's value, the spammer All those tasks do not need to be performed by the same might have a strong interest in having it returned to him in person, although this used to be the case in the early days of spamming. By now, it is a business based on division of labour de.admin.net-abuse.mail, a newsgroup, this fact let to the and highly organised. This has implications on how successful identification of a German spammer selling office coffee forensic investigations might be in revealing the entire machines. To work around this, the spammer might either not give a return address or a faked one or use mail forwarding or Often, the following services are identified: mail box services readily available.
The manufacturer of the product sold or the service Email address acquisition
Email addresses to spam to are usually either collected from web pages using harvesting technologies [11][15] or from users' hard disks using Trojans. Another way is to persuade users to subscribe their email address to certain services, e.g.
Some therefore consider spamming to be organized crime, an adult web site offering to email daily pictures of a certain some even claim the Russian Mafia to support spam. Whether kind. Subscribers to those email newsletters might be this is true or not, having to do with criminals sharing their interested in equivalent offers from other web pages and are more likely to buy related products. Targeted mails raise the companions has serious effects on the effectiveness of response rate from 0,1% on non-target spam to up to 30% investigation, because often only parts of a large cooperating [13][14]. Unfortunately, most spammers still use harvesters network might be uncovered. However, increasing the risk for some involved in a crime, means that they will reassess theirchances of earning enough to cover their risk of being Payment systems
programmes, because they send their messages from the Dependant on the money earning scheme chosen by the spammer's Internet connection, allowing to black list his IP spammer, in most cases a secure and anonymous payment and thereby reducing the spam run's effectivity, because the system is a requirement for him. Only if there is no direct message is filtered out by more spam filters. Additionally, customer contact, spammers do not need a payment system.
using their own IP, spammers risk their anonymity. Spammers Stock spam being an example, where the spammer buys stocks therefore try to send their messages through multiple later advertised and than sells them at an higher price. But in computers to both distribute their mailing faster to avoid black every other case, spammers need to accept payments made by list updates and to hide their identity. To do so, they rent bot their customers or a third party. A third party is involved, if the spammer acts as a commission paid sales agent or promoter for an online shop. In this case, anonymity requirements might DENTIFICATION OF SPAMMERS
be less of an issue, because the shop operator might be trusted.
A very exposed party in the spam business is the spammer In all other cases, a person buying a spamvertised product himself. If they were at a higher risk of being sentenced to jail might be an investigator trying to identify the anonymous or loosing all their earnings, they might decide to choose a spammer. Therefore, the spammer needs an online payment system maintaining his anonymity to avoid prosecution. The Methods to identify spammers are as old as spam, starting system however needs to at least look safe to customers, i.e. it with a simple mail header analysis to identify the sender's IP.
should operate on HTTPS or implement anything else a Considering the increased usage of bot nets, mail headers become less and less useful in tracking a spam mail's source.
In most cases, spammers want to offer their customers credit But observation of the bot nets and who uses them might be card payment. This means, spammers need to have some kind helpful in the identification process.
of bank account to where the amount is paid. To avoid being Other methods more oriented on the spammer's work flow tracked using this account, they often use anonymous debit include the observation of him buying the goods sold, the cards as reference account or offshore bank accounts.
payments made by customers or affiliates and the servers usedto host spammer's web pages and online shops. To identify Anonymous online shops and web sites
stock spammers, several governmental organisations like the Similar anonymity requirements exist for online shops or federal trade commission (FTC) in the United States started web pages used to sell or promote the product, because there investigating orders placed in context with a spam run.
the server's IP might be traced to the spammer. To avoid this, All those methods are described in more detail in the spammers either order their servers at a so called “bullet proof following subsections and discussed with a view to their hoster”, who for a surcharge usually ignore spam complaints and do not ask for identification thereby maintaining theircustomers' anonymity.
Mail analysis
Instead of trusting a bullet proof hoster, some spammers Each email message consists of a body, where the message prefer to use cracked servers, where they host their web pages meant to be read by the mail's recipient is stored, and a header, and even shops. This has the advantage, to be almost containing several technical information on the message, such untraceable, but also the disadvantage of an unexpected as the To- and Cc- addresses, the date and the alleged sender's interruption of service, either because of the cracked machine's email address. As a mail message might be relayed through provider disconnecting it due to spam complaints or because several servers in the Internet, each mail transfer agent (MTA) the machine's administrator locked the cracker out again. To relaying it, adds a header line. In those “received”-headers, an work around those risks, spammers usually have more than MTA logs the name the remote machine sent during the one cracked server ready and use special DNS servers with SMTP's HELO-command, the remote IP-address and often very short time outs so they might easily change the IP a name also the reverse DNS entry for this IP. Also, a time stamp is points to. From a technical point of view, this is similar to the techniques used for dynamic DNS services, some users use to Those headers allow to trace back from where a mail run servers on their DSL line with a dynamic IP address.
message was sent. This information was used to identify Often those DNS services are offered by spammer friendly spammers' providers and request them to ban those senders providers, to reduce the risk of an DNS entry to be removed and / or giving out their names and addresses to allow legal A rather new method is to use bot nets to host a web site on.
To reduce their risk of being discovered, spammers use In this case, cracked and remote controlled home PCs are either cooperating providers or send their spam from bot nets.
turned into web servers publishing a spammer's web site. As Due to this, header analysis has become inefficient.
those machines might go off line at any time and might also Observing bot nets
change their IP, a dynamic DNS-solution is again needed.
As bot nets became the major source of spam and are under Often, it also needs to support multiple A records to offer an the control of spammers at the time spam is sent, it is feasible DNS round robin address resolution [16][17].
to try to observe bot nets to identify spammers. [21] described Sending spam
Although bulk mail software is readily available from major investigating who abuses bot nets for illegal action. According download sites [18], it is rather inefficient to use those to [21] they installed an out of the box Windows XP system ina monitored network and secured the network in a way, the machine could not harm any other system. They then waited species of apricots contain different amounts of cyanide, up to for the machine to be infected with several worms and poisonous levels [23]. Even though those “herbal” substitutes Trojans. By monitoring the IPs from where the bots were are dangerous on their own, their trading is often not controlled and logging the commands sent to the bots, they controlled. Therefore, it is almost impossible to track persons were able to identify the bot net users.
acquiring those products in quantities needed for spamming.
Besides the irony involved of Microsoft using security holes Just by comparing figures, it is obvious that spammers only in their own products to identify attackers that would not have been successful if Microsoft had built their software with consumption. The ever increasing world wide production was security in mind, there are a few considerations to be made in 2.8 million tons in 2000 [24]. Spammer's buys are unlikely to order to have a proof accepted in court.
account for a substantial amount. Therefore, tracking sales of First, the person contracting the Internet access provider products seems not to be a promising approach, even though it must not necessarily be the attacker. If the computer is shared among several persons, each of them is suspicious. As there However, if an investigator is able to track down a vendor's are thousands of unsecured WiFi access points world wide, an sales channels, this might offer a very good starting point, but attacker could use any of these to control the bot net. The this is then real world, “off line” investigation, which is same is true for Internet cafés: Most of them do not require any proof of identification to use their services, offering a Partner shops
perfectly anonymous access point to bot nets.
Some spammers try to avoid the somewhat dangerous Adding the possibilities of computers with remote back process of interacting with customers and use partner shops of doors to this, an attacker has plenty of possibilities to hide his big web shops. There, they earn a commission on each identity. The more systems he adds in between him and the bot transaction initiated with their affiliate id and often a bonus for net, the better he covers his traces. If the machines he used are refering new costumers. Most of those shops have an anti located in several countries, law enforcement has to deal with spam policy, most of the time saying that commissions earned different legal systems and agencies more or less willing to cooperate. Due to privacy laws, in several countries data Therefore spammers try to subscribe only a few days prior needed to identify someone based on his IP and time of usage to commission payment at the web shop, then start their spam is impossible to get or only available for a very short time, run and collect the money before complaints start pouring in [13][14]. By doing so, they evade the risk of not being paid.
Taking this into account, it is likely to accuse an innocent Partner shops could prevent this by waiting a certain time instead of the real attacker. A professional attacker would take between their customer making its purchase and cashing out care of hiding behind a few owned systems. Albeit the method their affiliate. Although serious shops implement several is simple, straight forward and easy to implement, its precision security measures, some web pages, mostly in the red-light in identifying the target is not high enough.
districts of the Internet, are said to be less offended by being However, the method offers a starting point for further spamvertised and therefore have lower security measures set investigation. This investigation should be unintrusive due to up, thus offering spammers a certain income.
the high risk of accusing the wrong person.
In those cases, the web shop being spamvertised might be Surveillance of purchases
liable as accomplice, according to German and some other An approach used by the FTA to identify stock spammers is countries' civil laws. The web shop could then be filed for to look who invested into those stocks prior to them being injunctive relief. To compensate its damages, disclosing the spamvertised. This scheme might also apply to tangible and spammer's identity is a possibility: Because the web shop intangible goods sold by spammers. However, with those, needs to pay the commission, at least a certain minimum of most of the time, it is harder to track them, even though some information needs to be known, e.g. a bank or credit card are not freely available, such as medications. But just because account or an address the spammer has.
access to those items is made difficult, this does not imply This might be a starting point to investigate the spammer's control and traceability, because there is a black market for Payment process
In some cases, spammers might also try to work around The same information is needed, if a spammer's customer those restrictions by selling counterfeited products. This is pays his bill. But again, spammers found ways of working common practice if boxed software is sold, but also possible around the risk of being identified by using anonymous bank for watches or garment. Spammers also started to develop accounts or credit cards, i.e. the spammer could have his their own drugs, such as “generic Viagra” and “herbal Viagra”.
costumers pay to his anonymous credit card's account and then Depending on what those products are based on, their withdraw the money he feels he needs from any ATM.
consumption might by a life threat for their consumers. A risk, However, if the spammer's credit card data is known, spammers are still not willing to take. Therefore they often identifying him might become possible if he withdraws money resort to herbal or allegedly homoeopathic drugs, because they at an ATM by using the surveillance cameras usually installed believe those to be less dangerous. According to [22], Viagra- to monitor ATMs. However, not all ATMs are secured that substitutes are often made of apricot kernels, which are way and often, the quality of the pictures they deliver is not biologically equivalent to almonds and therefore might cause good enough to identify someone. Also, a cautious spammer severe anaphylactic reactions to nut allergics. Also, different email address he could track back to the company's proxy.
All in all, although at first the payment process might seem When confronted, they denied and threatened to sue him.
to be a method of identifying spammers, it is not.
Unfortunately, the case was not taken to court, therefore thereis no legal statement on the proof's quality.
Server owner
Basically, the usual problems when trying to identify a Often, spammer's have a web page dedicated to the product person based on an IP address arise, i.e. it is only known from they are currently advertising. This page might contain a web which computer the attack was made, but it remains to be shop, but might also only contain a redirection to some other investigated who operated that computer. Fortunately, it is still web page, e.g. if they try to take advantage of a third parties uncommon to use bot nets or cracked machines to run harvesters on. Therefore, the IP seems to be a good starting Those web pages might be hosted on a proper server, a cracked machine or on a bot net. If the later is the case, Another issue is the algorithm used to hide the IP address identifying the spammer might be possible using the methods and access time in the email address generated. This algorithm described above to identify a bot net's user.
needs to be bijective, that is, a given IP address and time On a cracked server, the cracker might have left traces that should always generate a unique email address and a given identify him, but their analysis is again beyond the scope of email address should resolve to one and only one IP and time combination. Algorithms like this exists, however, to provide A rented server might be located at a so called “bullet proof” as an proof, those algorithms need to be proven to work as hoster or at any regular provider. As usually most hosters only described. The MD5-algorithm [28] used, does not come up to authenticate their customer's payment details, but hot their this requirement, as MD5 is not bijective.
claimed identity, spammers could use their anonymous credit The algorithm should also generate email addresses that cards to hide their identity, making it virtually impossible to resemble regular email addresses, i.e. they should neither have track them down without the help of the provider.
a too long local part nor should the local part look like However, his log files might help in identifying the generated. Ideally, the email address is a unique combination spammer, because to install or update his web page, the of names and maybe a middle initial. Then, a human operator spammer needs to connect to the web server. This would of the harvester is unlikely to notice the trap.
reveal the spammer's IP, which is a first step in identifying Another disadvantage is the amount of time required to him. However, the same restrictions apply as mentioned above identify the address collector. From the moment the address was harvested to when the email was received, there might be Discussion
several hours up to weeks. This might give the offender a Although there are a few options to identify a spammer, chance to cover his traces or might otherwise have an negative there are work-arounds. Most only provide a first step in identifying him. However, in most real world situations, Taking both, the complexity of the required algorithm, criminals do not think of all possibilities of hiding their requiring sophisticated explanation in court, and the time issue identity, e.g. if they purchase an anonymous credit card, they into consideration, this approach is interesting, but might only might do so from their own computer and thus leaving their IP be of limited use from a forensic point of view.
in the log files of the credit card provider, if they do not use an Distributed tar pit networks
anonymisation service such as JAP [25]. Therefore it is worth [29] suggested to use a network of HTTP tar pits to identify investigating each step. But, if a spammer thinks ahead, harvesters and use this information to block their access to chances are, he is able to hide his identity.
IDENTIFICATION OF ADDRESS TRADERS
An HTTP tar pit is a way to trap harvesters. Simply spoken, Spammers need their potential customer's email addresses to the tar pit publishes links to itself, thereby poisoning the list of spam to. While acquiring them, traces might be generated pages to visit the harvester maintains until finally the harvester leading to address traders or even to spammers. At first glance, the probability of this approach to be effective seems Because the IP of the harvester is recorded while it is caught to be higher, as spammers are used to anti spam measures, but in the tar pit, the harvester is identified while collecting email anti address harvesting is new and defensive, e.g. by addresses. Therefore we suggest a distributed network of obfuscating email addresses [26]. Attacking harvesters with HTTP tar pits as a new method to investigate an address trader's identity, because the HTTP tar pit is a resolution to thetime problem described above.
Identifying mail addresses
It offers another major advantage: Because harvesters [28] suggested to generate email addresses published on a usually revisit a tar pit very often, [30] reports on hundred web site on the fly. Those email addresses should either thousands of visits within a day, the evidence gained is better contain the remote IP address and the time of access or a and offering less excuses to the spammer.
reference to those. As soon as an email is received, the However, harvesting itself is not illegal in most countries, harvester's IP would be known. Together with the access time, therefore, the HTTP tar pit alone is not a valid proof of the user of this IP address could be identified.
spamming. On the other hand, [31] showed that a HTTP tar pit [28] claims to have identified a German phone book editor publishing email addresses is by far more effective than it as a spammer because he has received an advertisement on an would be without mail addresses. If the tar pit is modified to publish addresses identifying a certain harvester, then both the [7] o. A. (apa), Spam-Attacke blockiert E-Mail-Verkehr in: act of harvesting and the later spamming could be tracked derStandard.at/Web, derStandard.at, Wien, 2003 [8] Frei, Stefan, Angriff via Mail. Mailserver als Verstärker für DoS-Angriffe in: Heise security, Heise, Hannover, 2004 But, compared to only publishing specifically crafted mail [9] Schüler, Hans-Peter, Spam-Welle überrollt die TU Braunschweig, addresses, in this case, the investigator knows beforehand, http://www.heise.de/newsticker/meldung/47575, 2004 from where spamming might later occur and could establish [10] Eggendorfer, Tobias, Methoden der Spambekämpfung und -vermeidung, Dissertation, FernUniversität in Hagen, BoD, Hagen, 2007 different other surveillance methods. This new method might [11] Eggendorfer, Tobias, Methoden der präventiven Spambekämpfung im be useful in identifying the offender.
Internet, Master thesis, Fernuniversität in Hagen, München, Hagen, 2005 [12] Ilgner, Michael et al., The Economoy of Spam in: , Universität Wien, Discussion
By combining HTTP tar pit networks used to prevent [13] Spammer X, Inside the spam cartel. Why spammers spam, Syngress spammers from collecting email addresses from web pages [14] Spammer X, Talk by Spammer X in Proceedings of EU Spam and used to identify harvesting IPs to protect other web sites, and using specially crafted email addresses, identifying [15] Center for Democracy and Technology, Why am I getting all this spam?, address traders IP and winning a time advantage over them is http://www.cdt.org/speech/spam/030319spamreport.pdf, 2003 possible. This seems to be a promising approach. Currently, [16] Partridge, Craig, Mail routing and the domain system, http://www.ietf.org/rfc/rfc0974.txt, 1986 this seems to be very effective, because harvesting most of the [17] Brisco, Thomas, DNS Support for Load Balancing, time does not occur from bot nets or cracked machines, but http://www.ietf.org/rfc/rfc1794.txt, 1995 from the address trader's or spammer's own network.
[18] Eggendorfer, Tobias, Tweak your MTA. Spam-Schutz mit Tricks in Proceedings of 3. Mailserverkonferenz, Berlin, 2007 CONCLUSION AND FURTHER RESEARCH
[19] Wood, David, Programming Internet Email, O'Reilly, Sebastopol, 1999 This paper discusses methods to identify some of the parties [20] Hochstein, Thomas, FAQ. E-Mail-Header lesen und verstehen, http://www.th-h.de/faq/headerfaq.php3, 2003 involved in the spam business. Section 4 gave a new insight in [21] Kornblum, Aaron E., "John Does" no more: Exposing Zombie Spammers current approaches deficiences, section 5 presented new in Proceedings of M.I.T Spam Conference 2006, Cambridge, MA, 2006 approaches. Although they do not help to discover the entire [22] McWilliams, Brian, Spam Kings. The Real Story Behind the High- network of spammers, it increases the risk of being discovered Rolling Hucksters pushing porn, pills, and @*#?% Enlargements,OReilly, Sebastopol, 2005 for some of the spammers. Because risks and expected [23] Suchard JR; Wallace KL; Gerkin RD, Acute cyanide toxicity caused by earnings are often strongly correlated, those exposed to a apricot kernel ingestion in: Annals of Emergency Medicine 12/98, higher risk will raise their services' prices, this again has effects on the other parties, because their economic risks [24] Asma, Bayram Murat, Malatya: World's Capital of Apricot Culture in: Chronica Horticulturae 01/2007, ISHS, Leuven, 2007 increase due to the higher prices resulting in some spammers [25] Eggendorfer, Tobias, Ghost Surfing. Anonymous surfing with Java Anonymous Proxy in: Linux Magazine (International Edition) 11/2005, Even though spammers learned how they might work around being identified while sending out spam, address [26] Eggendorfer, Tobias, Dynamic obfuscation of email addresses - a method to reduce spam in Proceedings of AUUG 2006, Melbounre, 2006 traders take less precautions. Therefore, identifying address [27] Eggendorfer, Tobias, SMTP or HTTP tar pits? Which one is more traders seems to be more likely. Our new suggestion is to efficient in fighting spam? in Proceedings of AUUG 2006, Melbourne, combine the publication of email addresses crafted to prove [28] Rehbein, Daniel A., Adressensammler identifizieren - Ein Beispiel, that spam has been sent out due to a specific harvesting action and the advantages of HTTP tar pits in identifying harvesters [29] Eggendorfer, Tobias; Keller, Jörg, Dynamically blocking access to web as an effective way to provide court proof evidence has been pages for spammers' harvesters in Proceedings of IASTED Conference on Communication, Network and Information Security CNIS 2006,Cambridge, MA, 2006 Our current research is into finding an algorithm to generate [30] Eggendorfer, Tobias, Stopping Spammers' Harvesters using a HTTP tar email addresses that meets all requirements mentioned above, specifically, we want it to only generate unique email [31] Eggendorfer, Tobias; Keller, Jörg, Combining SMTP and HTTP tar pits to addresses containing a human name, and to integrate it then proactively reduce spam in Proceedings of SAM 2006 (The 2006 WorldCongress in Computer ScienceComputer Engineering, and Applied into the HTTP tar pit. Currently, the algorithm only provides random alphanumeric email addresses.
REFERENCES
[1] spam-o-meter, spam-o-meter statistics by percentage, http://www.spam-
[2] Kuri, Jürgen, T-Onine verzeichnet eine Milliarde Spam-Mails pro Tag, http://www.heise.de/security/news/meldung/72324.html, 2006 [3] Schulz, Carsten, Erstellen eines Konzeptes sowie Durchführung und Auswertung eines Tests zur Bewertung unterschiedlicher Spam-Filter-Mechanismen bezüglich ihrer Langzeiteffekte, Master thesis, Universitätder Bundeswehr, Neubiberg, 2006 [4] Eggendorfer, Tobias, Spam slam. Comparing antispam applicances and services in: Linux Magazine (International Edition) 03/2007, Linux NewMedia, München, 2007 [5] Hosbach, Wolf, Test Spam-Filter. .die Schlechten ins Kröpfchen! in: PC Magazin 10/2006, WEKA Computerzeitschriften-Verlag, München, 2006 [6] Heinlein, Peer, Genervt, blockier gefährdet: Wie sich Firmen gegen Spam & Viren schützen können in Proceedings of CeBIT 2007, Hannover, 2007

Source: http://www.yildiz.edu.tr/~aktas/courses/CE-0114890/g8-p1.pdf