Coding Horror

programming and human factors

POPFile vs. POPFile

In my previous blog entry on some plan(s) for spam, I mentioned that I didn't care for challenge/response "human-only" whitelists. I couldn't put my finger on exactly why I felt that way... until I happened upon this John Graham-Cumming PowerPoint presentation:

I don't "do" Challenge/Response. If I mail you and you challenge me I hit delete, because, as Dan Quinlan put it: "Challenge/Response is the ultimate email diss. By using it you are saying, 'my time is more important than yours.'"

That about sums it up for me.

John Graham-Cumming is the author of POPFile, so naturally his presentation goes on to... describe ways to defeat POPFile? It's actually titled How to beat an Adaptive Spam Filter. A fascinating read, with a disturbing conclusion: when pitting "evil" POPFile against good POPFile, the good guys lose. In other words, spammers can use Bayesian filters to defeat Bayesian filters -- if they get feedback about which mails are getting through!

This makes me very, very happy that Windows XP Service Pack 2 turned off HTML rendering in Outlook Express by default:

Pictures and images embedded in HTML e-mail messages can be adapted to secretly send a message back to the sender. These are often referred to as Web beacons. Spammers rely on information returned by these images to confirm active e-mail addresses. Some spam messages contain Web beacon images so small that they are invisible to the human eye -- but not to Outlook Express.

An improved defense against Web beacons is to stop pictures from downloading until you've had a chance to review the message. Outlook Express in Windows XP SP2 will now block images automatically in messages from people who are not in your address book. This goes a long way in preventing the verification of your e-mail address for spammers. It makes your e-mail name less useful to spammers and may result in your getting less spam over time.

Putting images in HTML seems innocent enough, but retrieving any image results in a direct request from your computer to the spammer's web server. With this tiny bit of feedback, they could conceivably defeat any anti-spam technology. Scary stuff!
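The image-blocking rule quoted above, as an added Python example (not code from the original post, and not Outlook Express's implementation): remote `<img>` tags are replaced with a placeholder unless the sender is in the address book. `RemoteImageBlocker`, `render_safe`, the sample message and its `bulk-mailer.example` host are constructed for illustration; the example handles `<img>` only and drops HTML comments and doctypes.

```python
import html
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

def is_remote(src):
    # cid: (attached) and data: (inline) images need no network request.
    return src.startswith("//") or urlsplit(src).scheme in ("http", "https")

class RemoteImageBlocker(HTMLParser):   # re-emits HTML minus remote images
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []   # blocked: (url, looks_invisible)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        if tag == "img" and is_remote(src):
            tiny = all((a.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
            self.blocked.append((src, tiny))
            self.out.append('<img alt="[remote image blocked]">')
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):   # <img ... /> form
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def render_safe(raw_message, address_book):
    """Apply the sender rule quoted above; return (html_to_show, blocked_images)."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = msg.get_payload()
    if sender in address_book:            # known sender: images load as written
        return body, []
    parser = RemoteImageBlocker()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample message, not taken from the original post.
SAMPLE = ("From: Deals <promo@bulk-mailer.example>\nContent-Type: text/html\n\n"
          '<p>Sale &amp; more</p><img src="http://bulk-mailer.example/o.gif?id=r1" '
          'width="1" height="1"><img src="cid:logo">')
```

The `From` header is unauthenticated, so the address-book exemption is only as trustworthy as whatever sender authentication sits in front of it.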

Written by Jeff Atwood

Indoor enthusiast. Co-founder of Stack Overflow and Discourse. Disclaimer: I have no idea what I'm talking about. Find me here: https://infosec.exchange/@codinghorror