'Geek spam' emerges as spammers play new trick

By Matt Whipp

Posted on 2 Oct 2006 at 17:56

Hosted security firm Messagelabs claims geeks are being targetted explicitly by spammers using new techniques to subvert spam filters.

It says that over the past few weeks it has seen a new spamming trend arise, which uses 'technobabble' to confuse spam filters into trusting spam mail. MessageLabs is calling it 'geek spam'.

While gateway-level antispam systems can clean out a lot of unwanted mail, workers can improve on this and employ Bayesian rules within their desktop mail client which learn the characteristics of legitimate and spam mail from the content of email in their inbox over time.

Any particular profession has a lexicon of words and jargon, which naturally occur frequently in correspondence. Bayesian filters see this and rank mail that contains these words as more likely to be legitimate.

This latest spam trick recognises exactly this and poisons the filters by inserting vocabulary from the same lexicon in spam mail targetted at a particular profession.

And this not only mucks up the filters, but also means the recipient is more likely to open mail that uses directly relevant vocabulary.

The type of geek spam MessageLabs is picking up uses words such as '.NET,' 'cpan', 'xss', 'Java' and subject lines such as 'Bug #33006: Your review is necessary'.

Paul Wood, Chief Information Security Analyst at MessageLabs said: 'We first started to see this trend in the last three or four months. It's not unusual for spam to include passages of text from books such as Alice in Wonderland or Lord of the Rings ... but it's the thought that's gone into it that's new.

'Once the Bayes filters are poisoned I'd imagine you'd get to the point where you are getting as much spam as you ever were. You'd just have to start again.'

There are any number of professions to choose from, but the spammers chose tecchies as the 'guinea pigs' for this latest trick, said Wood.

'It's speculation, but it's most likely the tecchie type of users talking to others on forums that are being targetted, and with more knowledge of antispam technologies, they would be more likely to use Bayes filters,' said Wood. 'It tends to be the sort of person who is quite promiscuous, in that they happily post things about technical issues on forums using their real email address.'

Wood said that spam campaigns are always carefully targetted to get the best open-rate possible. 'That's how they get paid, getting people to open spam mail ... that's how they measure the success of their campaigns,' said Wood.

And geek spam is no exception.

Asked what type of spam is being sent to geeks using this technique, Wood responded: 'So far, it's been mostly pharmaceutical stuff.' And on whether this is the type of spam most likely to appeal to geeks, Wood said: 'Spammers would seem to think so.'