Those who engage in cybercrime know they need to stay ahead of technology to come up with new and different ways to cheat and swindle people.
If you believe you have a foolproof system, then you have failed to take into consideration the creativity of fools. Frank Abagnale>TextLuckily, the good guys (aka white hats) are also labouring in research labs, developing ways to counter the latest tricks employed by spammers, phishers and other criminals.
(Will they be successful? Maybe not – or at least, not completely and not for long. But without their efforts, would spam be even more rampant? Weigh in on this question – see our comments section at the bottom of the page.)
Here is a list of a dozen research projects that focus on new technology and techniques to stop spam of many types. While in many cases these projects are reacting to exploits already in use, such as image spam and phishing, the work by these researchers is designed to thwart spammers’ current developments and may also lead to prevention of future ones.
This list, by no means exhaustive, contains select papers made public last August at the Fourth Conference on Email and Anti-Spam (CEAS 2007). The President of CEAS is Gordon V. Cormack, Professor at the David R. Cheriton School of Computer Science at the University of Waterloo.
Spam filter makers were stumped when image spam made its debut last fall; by hiding the spam message inside an image that filters couldn’t discern, spammers got their messages through to in-boxes.
“Learning Fast Classifiers for Image Spam” is the name of a research paper from the University of Pennsylvania that describes how filters can be tweaked to quickly determine whether or not an inbound message containing an image is spam.
The paper discusses techniques that focus on simple properties of the image to make classifications as fast as possible, the development of an algorithm that can select features for classification based on speed and predictive power, and a just-in-time feature extraction that “creates features at classification time as needed by the classifier,” according to the paper. Researchers claim a 90% to 99% success rate using real-world data in their own tests.
Another project, “Filtering Image Spam with near-Duplicate Detection,” from Princeton University, also targets spam hidden in pictures. According to the researchers behind the project, image spam is often sent in batches with visually similar images that differ only with the application of randomization algorithms.
The researchers propose a near-duplicate detection system that relies on traditional antispam filtering to whittle inbound mail down to a subset of spam images, then applies multiple image-spam filters to flag all the images that look like the spam caught by traditional means. The prototype, its developers say, has reached “high detection rates” and less than 0.001% false positive (legitimate mail classified as spam) rates.
Out of Georgia Tech comes “A Discriminative Classifier Learning Approach to Image Modeling and Spam Image Identification.” This proposal takes a discriminative classifier learning approach to image modeling, so that image spam can be identified. By analyzing images extracted from a body of spam messages, the researchers have identified four key image properties: color moment, color heterogeneity, conspicuousness and self-similarity. Then multiclass characterization is applied to model the images, and a maximal figure-of-merit learning algorithm is proposed to design classifiers for identifying image spam. Researchers say when tested this approach classified 81.5% of spam images correctly.
Another approach is discussed in “Image Spam Filtering by Content Obscuring Detection,” from researchers at the University of Cagliari in Italy. This paper reviews low-level image processing techniques that can recognize content obscuring tricks used by spammers – namely, character breaking and character interference via background noise – to fool optical character recognition-detection tools.
The practice of scamming e-mail recipients by convincing them to input personal or financial information into a Web site that then steals the information is nothing new, but continues to be of particular interest as phishers relentlessly modify their tactics to net more victims.
Carnegie Mellon University (CMU) has been researching why phishing attacks work and learned that a little bit of education regarding online fraud goes a long way. Early findings of the research, presented in October at the Anti-Phishing Working Group’s eCrime Researchers Summit in Pittsburgh, showed that phishers are often successful because e-mail users ignore information that could help them recognize fraud.
Researchers at the university even developed an online game designed to teach Internet users about the dangers of phishing. Featuring a cartoon fish named Phil, the game, called Anti-Phishing Phil, has been tested in CMU’s Privacy and Security Laboratory. Officials with the lab say users who spent 15 minutes playing the interactive, online game were better able to discern fraudulent Web sites than those who simply read tutorials about the threat.
Blacklisting is the practice of publicizing known IP addresses that send spam so message-transfer agents won’t accept connection requests from these senders; it’s also used with Web sites that download malicious code so that inbound messages with URLs to these sites are blocked.
Blacklisting has been around as long as Internet exploits, but because of the practice’s inherently reactive nature (one must know that an IP address or Web site is “bad” before it can be blocked) researchers continue to try and perfect it.
From Dartmouth comes “Blacklistable Anonymous Credentials: Blocking Misbehaving Users without TTPs,” or trusted third parties. Published at the end of September, this paper suggests the use of an anonymous credential system that can be used to blacklist misbehaving users without requiring the involvement of a TTP. Because blacklisted users would remain anonymous “misbehaviours can be judged subjectively without users fearing arbitrary de-anonymization by a TTP,” the paper states.