Abstract Spam has grown to become a major threat for email
positives are more dangerous by far, in a business environment
communication. Although spam filters' degree of sophistication
a false positive might have been a customer ordering a
has increased ever since, they still produce huge amounts of false
product. Failing to notice this message due to an overacting
positives and false negatives thereby reducing the reliability of
spam filter might not only mean a loss in sales but also
filtering
liability for not delivering the requested products, thereby
implemented, the hardware requirements for mail servers
increasing the potential financial losses from a false positive
increase to avoid the risk of denial of service situations. Some already claim that mail filtering has reached its limits and ask for more preventive solutions to fight spam. One would be to
Also, spam filtering increases the risk of security leaks on an
significantly increase the risk of a spammer being sued for
SMTP server: The more complex filters are, some even
damage compensation or, if legislation permits, for criminal
implement OCR to identify image spam, the more computing
offence. But spammers try to hide their real identity. This paper
power they consume, the higher are the requirements on the
discusses several methods to identify spammers and analyses
mail server's hardware. With each and every message taking
under which circumstances they might be a valid proof in court.
longer to be processed, the mail server will only be able to
Categories and Subject Descriptors
handle less requests per second. This again increases the risk
K5.0 Legal Aspects of Computing – General. Forensics,
of a denial of service attack on the mail server. [7][8][9]
On the other hand, each additional line of code increases the
General Terms
risk of bugs, which in turn might lead to a remote exploitable
security hole, decreasing overall system security. Keywords
Taking all this into consideration together with the limited
Spam, Forensics, Address trading, Identification
abilities of spam filtering, it is obvious that spam filtering isonly a short term solution helping to reduce the symptoms of
INTRODUCTION
the spam plague, but not a long term approach.
Although not anticipated by the founders of the Internet,
email has become one of the most accepted and often used
preventively reduce spam to work around the limits of spam
applications of the Internet. But with an ever increasing
filtering. Those methods have their focus on technical methods
percentage of unwanted email, users slowly start to think
to prevent spam. However, there might be non-technical ways
about switching to other means of communication. Some use
of reducing a spammer's return on investment, where an
instant messaging instead, others return to the fax, albeit it is
investment does not necessarily mean a financial engagement
but also other risks, such as being sentenced to prison, a
Although the definition of spam seems to float, with some
spammer is willing to take in order to earn their living.
authors restricting it to unsolicited commercial email and
Although there is no evidence of spammers assessing their
others broadening it up to any unsolicited bulk email,
individual risks and calculate their money-worth equivalent, it
including mass emails sent to distribute viruses, worms and
is likely that they only accept certain risks because of the
Trojans, hoaxes and even chain letters, they share the
chance to earn enough to out weight it. Different authors
observation that spam makes up for the vast majority of all
estimated that a spammer's daily income exceeds 5.000 US$
emails sent worldwide, be it more than 80% in July 2007
according to [1] or even more than 97%, as claimed by T-
If either the risk of being sued for spamming was higher or
Online, one of Germany's biggest email providers [2].
the expected revenue was less, less spammers were willing to
Unfortunately, spam filters only offer more or less accurate
take the risk associated to their business. This is plausible,
heuristics to help sorting spam and ham, as the opposite to
considering the extremes: With more countries changing their
spam is often called. Recent surveys [3][4][5] found that false
law and declaring spamming as a criminal offence, if every
positives rates of those filters might be as high as 18% and
spammer was arrested and sentenced, the risk would be too
false negatives easily reach 20%. Although false negatives, i.e.
high to pay off. The other extreme is obviously the spammers
spam not marked as spam, are annoying to the user, false
income being zero because no one would buy his advertisedproducts.
Permission to make digital or hard copies of all or part of this
Unfortunately, in reality, the later extreme seems unlikely to
work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or
come true soon. Obviously, there are enough users to buy
commercial advantage and that copies bear this notice and
those spamvertised products, although more and more people
the full citation on the first page. To copy otherwise, or
are aware that buying these is one of the main reasons for the
republish, to post on servers or to redistribute to lists,
spam problem. Unfortunately, with the low quality of current
requires prior specific permission and/or a fee. e-Forensics 2008, January 21-23, 2008, Adelaide, Australia. 2008 ICST 978-963-9799-19-6.
spam filters, there is no way to prevent people from buying
sentenced to jail with the consequence of either bailing out or
demanding a bigger share of the money earned.
Therefore, from an anti-spammer's point of view, it is
ORGANISATION OF THIS PAPER
enough, if some parties of the spam business are exposed,
This paper is organised as follows. Section describes the
even though some will have a chance to escape without being
spam business and the steps necessary to spam. It analyses
how division of labour is done in spam business. Section
For the following analysis of those tasks, it does not matter
than looks on how spam senders could be identified and
who performs them, but where to start investigating them.
knowledge, the majority of the concepts mentioned there have
Product provisioning
not been researched for their forensic use yet. The methods
Generalising, spammers only offer products out of four
described in the following section choice a different
approach in trying to identify another player in the spam
tangible goods, such as drugs or coffee machines
business, the address trader. Section proposes a new
intangible goods, such as mortgages, sexually explicit
method, the usage of a distributed tar pit network, to offer a
safe and probative way to investigate an address trader's
services, such as access to “adult” dating communities,
identitiy. In the last section we conclude and give an
email addresses to spam to or even email advertising
stock spam, where a spammer buys stocks and later
advertises them to sell them after they up ticked. OW SPAMMERS WORK
Obviously, products out of the last two categories do not
In order to find ways to attack spammers, it is helpful to
require a complex purchasing processes. Provisioning them is
analyse how they work, because this might offer hints on how
no problem, because there is no physical product.
to unmask them. A first step in this analysis is to determine the
Intangible products are often as easily provided: Software
different tasks involved in a spam run.
for download is in most cases a pirate copy easily copied as
In preparation of a spam run, the spammer needs to provide
often as needed, erotic pictures are available from lots of
the products intended for sale, acquire email addresses of –
sources in the Internet and might be reproduced as required.
from his point of view – potential customers, needs to provide
To sell tangible goods, a spammer has basically two options.
a secure and anonymous payment system and might need to
He might act as a sales agent or sell the items as a vendor
install an online shop or a web site somewhere. To send out
himself. The latter means stocking those products or ordering
the spam, a spammer needs ideally a system not listed on any
“just in time”, introducing the economic risk of overstocking
black list and a somewhat fast Internet connection to send out
and privacy risk of sending the items might identify the
as many messages as possible. As soon as the first complaints
vendor. Acting as a sales agent however reduces the potential
about him spamming are coming in, a spammer needs to have
income to the commission the vendor offers.
an infrastructure allowing him to work around the ban hisprovider might have imposed. Also, when the first orders are
Product delivery
placed, the spammer needs a delivery system hiding his own
Similar problems to provisioning tangible goods are
identity to protect him from nosy investigators.
associated to their delivery. If they are mailed with a validsender's address, the recipient might identify the spammer. Division of labour
However, depending on the product's value, the spammer
All those tasks do not need to be performed by the same
might have a strong interest in having it returned to him in
person, although this used to be the case in the early days of
spamming. By now, it is a business based on division of labour
de.admin.net-abuse.mail, a newsgroup, this fact let to the
and highly organised. This has implications on how successful
identification of a German spammer selling office coffee
forensic investigations might be in revealing the entire
machines. To work around this, the spammer might either not
give a return address or a faked one or use mail forwarding or
Often, the following services are identified:
mail box services readily available.
The manufacturer of the product sold or the service
Email address acquisition
Email addresses to spam to are usually either collected from
web pages using harvesting technologies [11][15] or from
users' hard disks using Trojans. Another way is to persuade
users to subscribe their email address to certain services, e.g.
Some therefore consider spamming to be organized crime,
an adult web site offering to email daily pictures of a certain
some even claim the Russian Mafia to support spam. Whether
kind. Subscribers to those email newsletters might be
this is true or not, having to do with criminals sharing their
interested in equivalent offers from other web pages and are
more likely to buy related products. Targeted mails raise the
companions has serious effects on the effectiveness of
response rate from 0,1% on non-target spam to up to 30%
investigation, because often only parts of a large cooperating
[13][14]. Unfortunately, most spammers still use harvesters
network might be uncovered. However, increasing the risk for
some involved in a crime, means that they will reassess theirchances of earning enough to cover their risk of being
Payment systems
programmes, because they send their messages from the
Dependant on the money earning scheme chosen by the
spammer's Internet connection, allowing to black list his IP
spammer, in most cases a secure and anonymous payment
and thereby reducing the spam run's effectivity, because the
system is a requirement for him. Only if there is no direct
message is filtered out by more spam filters. Additionally,
customer contact, spammers do not need a payment system.
using their own IP, spammers risk their anonymity. Spammers
Stock spam being an example, where the spammer buys stocks
therefore try to send their messages through multiple
later advertised and than sells them at an higher price. But in
computers to both distribute their mailing faster to avoid black
every other case, spammers need to accept payments made by
list updates and to hide their identity. To do so, they rent bot
their customers or a third party. A third party is involved, if the
spammer acts as a commission paid sales agent or promoter
for an online shop. In this case, anonymity requirements might
DENTIFICATION OF SPAMMERS
be less of an issue, because the shop operator might be trusted.
A very exposed party in the spam business is the spammer
In all other cases, a person buying a spamvertised product
himself. If they were at a higher risk of being sentenced to jail
might be an investigator trying to identify the anonymous
or loosing all their earnings, they might decide to choose a
spammer. Therefore, the spammer needs an online payment
system maintaining his anonymity to avoid prosecution. The
Methods to identify spammers are as old as spam, starting
system however needs to at least look safe to customers, i.e. it
with a simple mail header analysis to identify the sender's IP.
should operate on HTTPS or implement anything else a
Considering the increased usage of bot nets, mail headers
become less and less useful in tracking a spam mail's source.
In most cases, spammers want to offer their customers credit
But observation of the bot nets and who uses them might be
card payment. This means, spammers need to have some kind
helpful in the identification process.
of bank account to where the amount is paid. To avoid being
Other methods more oriented on the spammer's work flow
tracked using this account, they often use anonymous debit
include the observation of him buying the goods sold, the
cards as reference account or offshore bank accounts.
payments made by customers or affiliates and the servers usedto host spammer's web pages and online shops. To identify
Anonymous online shops and web sites
stock spammers, several governmental organisations like the
Similar anonymity requirements exist for online shops or
federal trade commission (FTC) in the United States started
web pages used to sell or promote the product, because there
investigating orders placed in context with a spam run.
the server's IP might be traced to the spammer. To avoid this,
All those methods are described in more detail in the
spammers either order their servers at a so called “bullet proof
following subsections and discussed with a view to their
hoster”, who for a surcharge usually ignore spam complaints
and do not ask for identification thereby maintaining theircustomers' anonymity. Mail analysis
Instead of trusting a bullet proof hoster, some spammers
Each email message consists of a body, where the message
prefer to use cracked servers, where they host their web pages
meant to be read by the mail's recipient is stored, and a header,
and even shops. This has the advantage, to be almost
containing several technical information on the message, such
untraceable, but also the disadvantage of an unexpected
as the To- and Cc- addresses, the date and the alleged sender's
interruption of service, either because of the cracked machine's
email address. As a mail message might be relayed through
provider disconnecting it due to spam complaints or because
several servers in the Internet, each mail transfer agent (MTA)
the machine's administrator locked the cracker out again. To
relaying it, adds a header line. In those “received”-headers, an
work around those risks, spammers usually have more than
MTA logs the name the remote machine sent during the
one cracked server ready and use special DNS servers with
SMTP's HELO-command, the remote IP-address and often
very short time outs so they might easily change the IP a name
also the reverse DNS entry for this IP. Also, a time stamp is
points to. From a technical point of view, this is similar to the
techniques used for dynamic DNS services, some users use to
Those headers allow to trace back from where a mail
run servers on their DSL line with a dynamic IP address.
message was sent. This information was used to identify
Often those DNS services are offered by spammer friendly
spammers' providers and request them to ban those senders
providers, to reduce the risk of an DNS entry to be removed
and / or giving out their names and addresses to allow legal
A rather new method is to use bot nets to host a web site on.
To reduce their risk of being discovered, spammers use
In this case, cracked and remote controlled home PCs are
either cooperating providers or send their spam from bot nets.
turned into web servers publishing a spammer's web site. As
Due to this, header analysis has become inefficient.
those machines might go off line at any time and might also
Observing bot nets
change their IP, a dynamic DNS-solution is again needed.
As bot nets became the major source of spam and are under
Often, it also needs to support multiple A records to offer an
the control of spammers at the time spam is sent, it is feasible
DNS round robin address resolution [16][17].
to try to observe bot nets to identify spammers. [21] described
Sending spam
Although bulk mail software is readily available from major
investigating who abuses bot nets for illegal action. According
download sites [18], it is rather inefficient to use those
to [21] they installed an out of the box Windows XP system ina monitored network and secured the network in a way, the
machine could not harm any other system. They then waited
species of apricots contain different amounts of cyanide, up to
for the machine to be infected with several worms and
poisonous levels [23]. Even though those “herbal” substitutes
Trojans. By monitoring the IPs from where the bots were
are dangerous on their own, their trading is often not
controlled and logging the commands sent to the bots, they
controlled. Therefore, it is almost impossible to track persons
were able to identify the bot net users.
acquiring those products in quantities needed for spamming.
Besides the irony involved of Microsoft using security holes
Just by comparing figures, it is obvious that spammers only
in their own products to identify attackers that would not have
been successful if Microsoft had built their software with
consumption. The ever increasing world wide production was
security in mind, there are a few considerations to be made in
2.8 million tons in 2000 [24]. Spammer's buys are unlikely to
order to have a proof accepted in court.
account for a substantial amount. Therefore, tracking sales of
First, the person contracting the Internet access provider
products seems not to be a promising approach, even though it
must not necessarily be the attacker. If the computer is shared
among several persons, each of them is suspicious. As there
However, if an investigator is able to track down a vendor's
are thousands of unsecured WiFi access points world wide, an
sales channels, this might offer a very good starting point, but
attacker could use any of these to control the bot net. The
this is then real world, “off line” investigation, which is
same is true for Internet cafés: Most of them do not require
any proof of identification to use their services, offering a
Partner shops
perfectly anonymous access point to bot nets.
Some spammers try to avoid the somewhat dangerous
Adding the possibilities of computers with remote back
process of interacting with customers and use partner shops of
doors to this, an attacker has plenty of possibilities to hide his
big web shops. There, they earn a commission on each
identity. The more systems he adds in between him and the bot
transaction initiated with their affiliate id and often a bonus for
net, the better he covers his traces. If the machines he used are
refering new costumers. Most of those shops have an anti
located in several countries, law enforcement has to deal with
spam policy, most of the time saying that commissions earned
different legal systems and agencies more or less willing to
cooperate. Due to privacy laws, in several countries data
Therefore spammers try to subscribe only a few days prior
needed to identify someone based on his IP and time of usage
to commission payment at the web shop, then start their spam
is impossible to get or only available for a very short time,
run and collect the money before complaints start pouring in
[13][14]. By doing so, they evade the risk of not being paid.
Taking this into account, it is likely to accuse an innocent
Partner shops could prevent this by waiting a certain time
instead of the real attacker. A professional attacker would take
between their customer making its purchase and cashing out
care of hiding behind a few owned systems. Albeit the method
their affiliate. Although serious shops implement several
is simple, straight forward and easy to implement, its precision
security measures, some web pages, mostly in the red-light
in identifying the target is not high enough.
districts of the Internet, are said to be less offended by being
However, the method offers a starting point for further
spamvertised and therefore have lower security measures set
investigation. This investigation should be unintrusive due to
up, thus offering spammers a certain income.
the high risk of accusing the wrong person.
In those cases, the web shop being spamvertised might be
Surveillance of purchases
liable as accomplice, according to German and some other
An approach used by the FTA to identify stock spammers is
countries' civil laws. The web shop could then be filed for
to look who invested into those stocks prior to them being
injunctive relief. To compensate its damages, disclosing the
spamvertised. This scheme might also apply to tangible and
spammer's identity is a possibility: Because the web shop
intangible goods sold by spammers. However, with those,
needs to pay the commission, at least a certain minimum of
most of the time, it is harder to track them, even though some
information needs to be known, e.g. a bank or credit card
are not freely available, such as medications. But just because
account or an address the spammer has.
access to those items is made difficult, this does not imply
This might be a starting point to investigate the spammer's
control and traceability, because there is a black market for
Payment process
In some cases, spammers might also try to work around
The same information is needed, if a spammer's customer
those restrictions by selling counterfeited products. This is
pays his bill. But again, spammers found ways of working
common practice if boxed software is sold, but also possible
around the risk of being identified by using anonymous bank
for watches or garment. Spammers also started to develop
accounts or credit cards, i.e. the spammer could have his
their own drugs, such as “generic Viagra” and “herbal Viagra”.
costumers pay to his anonymous credit card's account and then
Depending on what those products are based on, their
withdraw the money he feels he needs from any ATM.
consumption might by a life threat for their consumers. A risk,
However, if the spammer's credit card data is known,
spammers are still not willing to take. Therefore they often
identifying him might become possible if he withdraws money
resort to herbal or allegedly homoeopathic drugs, because they
at an ATM by using the surveillance cameras usually installed
believe those to be less dangerous. According to [22], Viagra-
to monitor ATMs. However, not all ATMs are secured that
substitutes are often made of apricot kernels, which are
way and often, the quality of the pictures they deliver is not
biologically equivalent to almonds and therefore might cause
good enough to identify someone. Also, a cautious spammer
severe anaphylactic reactions to nut allergics. Also, different
email address he could track back to the company's proxy.
All in all, although at first the payment process might seem
When confronted, they denied and threatened to sue him.
to be a method of identifying spammers, it is not.
Unfortunately, the case was not taken to court, therefore thereis no legal statement on the proof's quality. Server owner
Basically, the usual problems when trying to identify a
Often, spammer's have a web page dedicated to the product
person based on an IP address arise, i.e. it is only known from
they are currently advertising. This page might contain a web
which computer the attack was made, but it remains to be
shop, but might also only contain a redirection to some other
investigated who operated that computer. Fortunately, it is still
web page, e.g. if they try to take advantage of a third parties
uncommon to use bot nets or cracked machines to run
harvesters on. Therefore, the IP seems to be a good starting
Those web pages might be hosted on a proper server, a
cracked machine or on a bot net. If the later is the case,
Another issue is the algorithm used to hide the IP address
identifying the spammer might be possible using the methods
and access time in the email address generated. This algorithm
described above to identify a bot net's user.
needs to be bijective, that is, a given IP address and time
On a cracked server, the cracker might have left traces that
should always generate a unique email address and a given
identify him, but their analysis is again beyond the scope of
email address should resolve to one and only one IP and time
combination. Algorithms like this exists, however, to provide
A rented server might be located at a so called “bullet proof”
as an proof, those algorithms need to be proven to work as
hoster or at any regular provider. As usually most hosters only
described. The MD5-algorithm [28] used, does not come up to
authenticate their customer's payment details, but hot their
this requirement, as MD5 is not bijective.
claimed identity, spammers could use their anonymous credit
The algorithm should also generate email addresses that
cards to hide their identity, making it virtually impossible to
resemble regular email addresses, i.e. they should neither have
track them down without the help of the provider.
a too long local part nor should the local part look like
However, his log files might help in identifying the
generated. Ideally, the email address is a unique combination
spammer, because to install or update his web page, the
of names and maybe a middle initial. Then, a human operator
spammer needs to connect to the web server. This would
of the harvester is unlikely to notice the trap.
reveal the spammer's IP, which is a first step in identifying
Another disadvantage is the amount of time required to
him. However, the same restrictions apply as mentioned above
identify the address collector. From the moment the address
was harvested to when the email was received, there might be
Discussion
several hours up to weeks. This might give the offender a
Although there are a few options to identify a spammer,
chance to cover his traces or might otherwise have an negative
there are work-arounds. Most only provide a first step in
identifying him. However, in most real world situations,
Taking both, the complexity of the required algorithm,
criminals do not think of all possibilities of hiding their
requiring sophisticated explanation in court, and the time issue
identity, e.g. if they purchase an anonymous credit card, they
into consideration, this approach is interesting, but might only
might do so from their own computer and thus leaving their IP
be of limited use from a forensic point of view.
in the log files of the credit card provider, if they do not use an
Distributed tar pit networks
anonymisation service such as JAP [25]. Therefore it is worth
[29] suggested to use a network of HTTP tar pits to identify
investigating each step. But, if a spammer thinks ahead,
harvesters and use this information to block their access to
chances are, he is able to hide his identity. IDENTIFICATION OF ADDRESS TRADERS
An HTTP tar pit is a way to trap harvesters. Simply spoken,
Spammers need their potential customer's email addresses to
the tar pit publishes links to itself, thereby poisoning the list of
spam to. While acquiring them, traces might be generated
pages to visit the harvester maintains until finally the harvester
leading to address traders or even to spammers. At first
glance, the probability of this approach to be effective seems
Because the IP of the harvester is recorded while it is caught
to be higher, as spammers are used to anti spam measures, but
in the tar pit, the harvester is identified while collecting email
anti address harvesting is new and defensive, e.g. by
addresses. Therefore we suggest a distributed network of
obfuscating email addresses [26]. Attacking harvesters with
HTTP tar pits as a new method to investigate an address
trader's identity, because the HTTP tar pit is a resolution to thetime problem described above. Identifying mail addresses
It offers another major advantage: Because harvesters
[28] suggested to generate email addresses published on a
usually revisit a tar pit very often, [30] reports on hundred
web site on the fly. Those email addresses should either
thousands of visits within a day, the evidence gained is better
contain the remote IP address and the time of access or a
and offering less excuses to the spammer.
reference to those. As soon as an email is received, the
However, harvesting itself is not illegal in most countries,
harvester's IP would be known. Together with the access time,
therefore, the HTTP tar pit alone is not a valid proof of
the user of this IP address could be identified.
spamming. On the other hand, [31] showed that a HTTP tar pit
[28] claims to have identified a German phone book editor
publishing email addresses is by far more effective than it
as a spammer because he has received an advertisement on an
would be without mail addresses. If the tar pit is modified to
publish addresses identifying a certain harvester, then both the
[7] o. A. (apa), Spam-Attacke blockiert E-Mail-Verkehr in:
act of harvesting and the later spamming could be tracked
derStandard.at/Web, derStandard.at, Wien, 2003
[8] Frei, Stefan, Angriff via Mail. Mailserver als Verstärker für DoS-Angriffe
in: Heise security, Heise, Hannover, 2004
But, compared to only publishing specifically crafted mail
[9] Schüler, Hans-Peter, Spam-Welle überrollt die TU Braunschweig,
addresses, in this case, the investigator knows beforehand,
http://www.heise.de/newsticker/meldung/47575, 2004
from where spamming might later occur and could establish
[10] Eggendorfer, Tobias, Methoden der Spambekämpfung und -vermeidung,
Dissertation, FernUniversität in Hagen, BoD, Hagen, 2007
different other surveillance methods. This new method might
[11] Eggendorfer, Tobias, Methoden der präventiven Spambekämpfung im
be useful in identifying the offender.
Internet, Master thesis, Fernuniversität in Hagen, München, Hagen, 2005
[12] Ilgner, Michael et al., The Economoy of Spam in: , Universität Wien,
Discussion
By combining HTTP tar pit networks used to prevent
[13] Spammer X, Inside the spam cartel. Why spammers spam, Syngress
spammers from collecting email addresses from web pages
[14] Spammer X, Talk by Spammer X in Proceedings of EU Spam
and used to identify harvesting IPs to protect other web sites,
and using specially crafted email addresses, identifying
[15] Center for Democracy and Technology, Why am I getting all this spam?,
address traders IP and winning a time advantage over them is
http://www.cdt.org/speech/spam/030319spamreport.pdf, 2003
possible. This seems to be a promising approach. Currently,
[16] Partridge, Craig, Mail routing and the domain system,
http://www.ietf.org/rfc/rfc0974.txt, 1986
this seems to be very effective, because harvesting most of the
[17] Brisco, Thomas, DNS Support for Load Balancing,
time does not occur from bot nets or cracked machines, but
http://www.ietf.org/rfc/rfc1794.txt, 1995
from the address trader's or spammer's own network.
[18] Eggendorfer, Tobias, Tweak your MTA. Spam-Schutz mit Tricks in
Proceedings of 3. Mailserverkonferenz, Berlin, 2007
CONCLUSION AND FURTHER RESEARCH
[19] Wood, David, Programming Internet Email, O'Reilly, Sebastopol, 1999
This paper discusses methods to identify some of the parties
[20] Hochstein, Thomas, FAQ. E-Mail-Header lesen und verstehen,
http://www.th-h.de/faq/headerfaq.php3, 2003
involved in the spam business. Section 4 gave a new insight in
[21] Kornblum, Aaron E., "John Does" no more: Exposing Zombie Spammers
current approaches deficiences, section 5 presented new
in Proceedings of M.I.T Spam Conference 2006, Cambridge, MA, 2006
approaches. Although they do not help to discover the entire
[22] McWilliams, Brian, Spam Kings. The Real Story Behind the High-
network of spammers, it increases the risk of being discovered
Rolling Hucksters pushing porn, pills, and @*#?% Enlargements,OReilly, Sebastopol, 2005
for some of the spammers. Because risks and expected
[23] Suchard JR; Wallace KL; Gerkin RD, Acute cyanide toxicity caused by
earnings are often strongly correlated, those exposed to a
apricot kernel ingestion in: Annals of Emergency Medicine 12/98,
higher risk will raise their services' prices, this again has
effects on the other parties, because their economic risks
[24] Asma, Bayram Murat, Malatya: World's Capital of Apricot Culture in:
Chronica Horticulturae 01/2007, ISHS, Leuven, 2007
increase due to the higher prices resulting in some spammers
[25] Eggendorfer, Tobias, Ghost Surfing. Anonymous surfing with Java
Anonymous Proxy in: Linux Magazine (International Edition) 11/2005,
Even though spammers learned how they might work
around being identified while sending out spam, address
[26] Eggendorfer, Tobias, Dynamic obfuscation of email addresses - a method
to reduce spam in Proceedings of AUUG 2006, Melbounre, 2006
traders take less precautions. Therefore, identifying address
[27] Eggendorfer, Tobias, SMTP or HTTP tar pits? Which one is more
traders seems to be more likely. Our new suggestion is to
efficient in fighting spam? in Proceedings of AUUG 2006, Melbourne,
combine the publication of email addresses crafted to prove
[28] Rehbein, Daniel A., Adressensammler identifizieren - Ein Beispiel,
that spam has been sent out due to a specific harvesting action
and the advantages of HTTP tar pits in identifying harvesters
[29] Eggendorfer, Tobias; Keller, Jörg, Dynamically blocking access to web
as an effective way to provide court proof evidence has been
pages for spammers' harvesters in Proceedings of IASTED Conference
on Communication, Network and Information Security CNIS 2006,Cambridge, MA, 2006
Our current research is into finding an algorithm to generate
[30] Eggendorfer, Tobias, Stopping Spammers' Harvesters using a HTTP tar
email addresses that meets all requirements mentioned above,
specifically, we want it to only generate unique email
[31] Eggendorfer, Tobias; Keller, Jörg, Combining SMTP and HTTP tar pits to
addresses containing a human name, and to integrate it then
proactively reduce spam in Proceedings of SAM 2006 (The 2006 WorldCongress in Computer ScienceComputer Engineering, and Applied
into the HTTP tar pit. Currently, the algorithm only provides
random alphanumeric email addresses. REFERENCES [1] spam-o-meter, spam-o-meter statistics by percentage, http://www.spam-
[2] Kuri, Jürgen, T-Onine verzeichnet eine Milliarde Spam-Mails pro Tag,
http://www.heise.de/security/news/meldung/72324.html, 2006
[3] Schulz, Carsten, Erstellen eines Konzeptes sowie Durchführung und
Auswertung eines Tests zur Bewertung unterschiedlicher Spam-Filter-Mechanismen bezüglich ihrer Langzeiteffekte, Master thesis, Universitätder Bundeswehr, Neubiberg, 2006
[4] Eggendorfer, Tobias, Spam slam. Comparing antispam applicances and
services in: Linux Magazine (International Edition) 03/2007, Linux NewMedia, München, 2007
[5] Hosbach, Wolf, Test Spam-Filter. .die Schlechten ins Kröpfchen! in: PC
Magazin 10/2006, WEKA Computerzeitschriften-Verlag, München, 2006
[6] Heinlein, Peer, Genervt, blockier gefährdet: Wie sich Firmen gegen Spam
& Viren schützen können in Proceedings of CeBIT 2007, Hannover, 2007
Evidence for Chlamydia pneumoniae infection in steroid-dependent asthma David L Hahn, MD*; Don Bukstein, MD*; Allan Luskin, MD*; and Howard Zeitz, MD† Background: Chlamydia pneumoniae is an obligate intracellular respiratory strong association of C. pneumoniae pathogen capable of persistent infection. Seroepidemiologic studies and the resultsof open-label antimicrobial treatment o