Fri Aug 8 22:24:55 UTC 2003
I had an idea after reading about the white-on-white tactic and thinking about other filter-busting tactics that spammers are using... For spam to be effective, it must have a link in it somewhere. Would it then be effective to checksum links separately as a Fuz3 checksum? It seems like this may generate false positives, so dcc would probably have to be configured to ignore Fuz3 by default and a good configuration would probably only block very high Fuz3 counts... but it seems like this might work. There are two issues I can think of: 1) It would have to ignore arguments, as URL encoded garbage could be added to a URL to randomize it. It would have to only count the *path* of the URL. 2) There could be a big false positive problem with free e-mail services and such that put URLs in the body of the message. One solution to #2 I can think of is to have the ability to whitelist URLs to be ignored in Fuz3 checksums, but this seems kludgy. Another solution to #2 might be to make a URL-based Fuz3 be calculated based on URLs and associated link text or image links. It's easy to hide text as white-on-white (or off-white on white, etc.) in the body of a message, but it's hard to introduce that much variation into your links unless you don't want your victi^H^H^H^H^Hcustomers to be able to understand you. :) Of course, a spammer might still be able to get around this by setting up a webserver to serve out images as it's 404 response and then using random image URLs as links, but this would make their spam unreadable to people with load images in e-mail body turned off.
More information about the DCC