Spam

Friday, 13 January 2012

More Blog Comments

The other day I posted about blog comments. I suggested that many blog comments are generated by an artificial intelligence program. These comments are posted only to get a hyperlink into the internet.

Within a few minutes of the blog entry being published, this comment was posted.

Hello, When you call Workers' Compensation, LLC, we will be sure to explain the process of obtaining workers' compensation and the factors that will determine whether or not you will be awarded specific benefits.

I deleted it, but it didn't completely fit in with my theory. I was thinking that the AI comments were posted to blog entries a month or so old, so as to generate less scrutiny. I also figured the comments would nominally refer to the entry itself.

So why did this comment get posted? And why on that blog entry?

Tuesday, 10 January 2012

Artificial Intelligence in Blog Comments?

The field of AI still hasn't produced the general thinking machine. But as I understand it, one of the successes of AI has been to create programs that can act intelligently in a specialized area. For example, an AI program can help diagnose car problems or another one can parse customer questions and be a first line of support.

Apparently someone out there has written an AI program that reads blog posts and leaves comments. The purpose is to write a comment that gets by the spam filter so the hyperlink on the commenter's name gets through. (A hyperlink in the comment itself triggers red flags in spam filters, but the hyperlink in the commenter's name is part of the protocol.)

Suppose you're a spammer and you think that leaving comments in blogs will help you. Maybe you think that other people reading your comment will click through to the URL in your name. Or more likely you think that putting a link to your web site in a comment will make it look to search engines as if there are lots of links to your site. Your web site will move up the search rankings.

Remember, the best search engines don't just find all occurrences of a particular word or phrase, they return results based on popularity, which is determined by how many other sites link to your site.

Here's what I think is happening. The program reads blogs. Then it finds older posts (from maybe a month or two ago). It reads the posts and constructs a comment based on the post. It then posts the comment with the hyperlink in the name of the commenter. The comment has to be close enough to the topic to get by the spam filter. Commenting on older posts increases the chance that no one looks too closely at it, so there's less chance it will be deleted. Our blog here requires registering in order to post comments, so the program will do that as well.

For example, here are two comments on my posts about financial web sites and passwords.

"However, many financial companies are some of the worst offenders in placing restrictions on passwords." by "lacoste outlet".

"It is good to hear that financial websites do not allow weak passwords, thus it is very necessary for us users to make a very strong password to be able to secure our finances online." by "private label seo".

Sometimes the comments are more generic.

"The blog is full of useful information for me. I gone through the whole blog and found it very interesting and beneficial. Thanks a lot for bringing the knowledge here. I enjoyed reading the blog and is very much impressed. Hope to see you soon with lots of more interesting blogs." by "diploma management of melbourne".

"Don't know what is wrong what is rite but i know that every one has there own point of view and same goes to this one" by "Hermes Bikini".

Here's one that was obviously spam.

"Super cute! My little man would look so stylin' in those!" by "moncler jacket".

So is there an AI program out there that reads a blog post and constructs a comment that sounds like it is real? Or are there people writing these?

At first glance, it doesn't seem likely that there are people actually surfing the web, finding blogs and then manually commenting on entries. I would imagine that to make a profit on this activity (creating links to web sites in order to boost search engine rankings), the cost would have to be low. Hence a program and not real people.

On the other hand, maybe some marketing firm that promises to get your web site higher in the rankings will hire some people from poor countries to do this. The English on some is broken enough that it sounds feasible.

Incidentally, one of my posts got a lot of these comments and others get none. Maybe that one blog post was linked to another blog or something else, and the fact that it was linked to other places made it a prime candidate for using it to create artificial links.

So when I get a comment like this on my workplace training post ...

"Training is the best way to improve the skill and we should take it seriously to get the best output. Hope everyone will appreciate it." by "website translation"

... should I let it remain or should I delete it?
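The signals described in this post (a keyword-style commenter name carrying the link, a comment that is generic or off-topic, a comment landing on an older post) can be combined into a simple review queue. The sketch below is an added example, not code from this blog or its platform; the stopword list, term list, thresholds, post text, dates and URLs are all assumptions or constructed samples, and only the comment texts and commenter names come from the post above.

```python
import re
from datetime import date

# Assumed stopword list and thresholds; tune them on your own comment history.
STOPWORDS = {"the", "and", "are", "for", "that", "this", "with", "you", "your",
             "not", "but", "have", "has", "very", "some", "many", "which",
             "would", "from", "those", "they", "our", "all"}
# Assumed vocabulary of product/service words, taken from the quoted names.
COMMERCIAL_TERMS = {"outlet", "seo", "jacket", "bikini", "translation"}
MIN_OVERLAP = 0.2      # below this share of shared words, treat as off-topic
OLD_POST_DAYS = 30     # "a month or so old"

# Constructed stand-in for the post about financial web sites and passwords.
POST_TEXT = ("Many financial web sites place restrictions on passwords. "
             "Some financial companies limit password length or forbid "
             "special characters, which makes strong passwords harder to choose.")
POST_DATE = date(2011, 11, 1)  # constructed

# Comment texts and names are quoted in the post; URLs and dates are constructed.
SAMPLE_COMMENTS = [
    {"name": "lacoste outlet", "name_url": "http://shop.example/",
     "posted": date(2012, 1, 5),
     "text": "However, many financial companies are some of the worst "
             "offenders in placing restrictions on passwords."},
    {"name": "moncler jacket", "name_url": "http://coats.example/",
     "posted": date(2012, 1, 5),
     "text": "Super cute! My little man would look so stylin' in those!"},
    # Constructed legitimate comment for contrast.
    {"name": "Alice Reader", "name_url": None,
     "posted": date(2011, 11, 3),
     "text": "My bank limits password length to eight characters, "
             "which seems far too short."},
]


def content_words(text):
    """Lower-cased words longer than two letters, minus stopwords."""
    words = re.findall(r"[a-z']+", text.lower())
    return {w for w in words if len(w) > 2 and w not in STOPWORDS}


def topical_overlap(comment_text, post_text):
    """Share of the comment's content words that also occur in the post."""
    c = content_words(comment_text)
    return len(c & content_words(post_text)) / len(c) if c else 0.0


def review_reasons(comment, post_text, post_date):
    """Return the list of reasons a moderator should look at this comment."""
    reasons = []
    name_words = set(comment["name"].lower().split())
    # The link rides in the name field, so judge the name and link together.
    if comment["name_url"] and name_words & COMMERCIAL_TERMS:
        reasons.append("keyword_name_with_link")
    if topical_overlap(comment["text"], post_text) < MIN_OVERLAP:
        reasons.append("off_topic_or_generic")
    if (comment["posted"] - post_date).days > OLD_POST_DAYS:
        reasons.append("old_post")
    return reasons


if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(c["name"], "->", review_reasons(c, POST_TEXT, POST_DATE))
```

The "lacoste outlet" comment scores as on-topic, so a content check alone passes it; only the name-field signal and the post age flag it.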

Wednesday, 31 August 2011

Less spam but smarter spam

In the June 2011 Symantec Intelligence Report, there's data that shows that the amount of spam sent these days is at a relatively low level, at least by historical standards. Here's a graph from this report that shows the number of spam messages sent over the past few years:

On the other hand, I've noticed that more and more spam is getting past our spam filter. Last year, I'd see only a spam message or two per week. Now, I'm seeing several spam messages every day. So from my unscientific and limited study of this topic, I'd guess that the spammers are getting smarter to make up for the decrease in the number of messages that they're sending.

Thursday, 04 August 2011

Spammers create fake shortened URLs

I was reading a recent edition (PDF) of Symantec's MessageLabs Intelligence report when I came across this interesting bit of information:

This month, MessageLabs Intelligence uncovered evidence of spammers establishing their own fake URL-shortening services for the first time. Shortened links created on these fake URL-shortening sites are not included directly in spam messages; instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites. Rather than leading directly to the spammer’s final Web site, these links actually point to a shortened URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s final Web site.

So services like TinyURL are apparently so useful that spammers have created their own versions. That's probably the best endorsement that TinyURL could get. As Charles Caleb Colton once said, "Imitation is the sincerest of flattery."
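A mail filter can surface the two-stage chain described in the report by resolving a shortened link one hop at a time and checking what the intermediate hops look like. The following is an added example, not code from Symantec or from this blog; the shortener list, the short-link heuristic, and every URL under `.example` are assumptions or constructed samples, and the redirect table stands in for the `Location` headers a resolver would read one hop at a time.

```python
from urllib.parse import urlsplit

# Assumed list of public shorteners the filter already recognises.
KNOWN_SHORTENERS = {"tinyurl.com", "bit.ly"}
MAX_HOPS = 5  # assumed limit on how far a chain is followed

# Constructed redirect table (source URL -> Location target) so the example
# runs offline. Hosts under .example are made up.
CONSTRUCTED_REDIRECTS = {
    "http://tinyurl.com/abc123": "http://sh0rt.example/x9",
    "http://sh0rt.example/x9": "http://pills.example/buy",
    "http://bit.ly/news42": "http://news.example/2011/07/story.html",
    "http://tinyurl.com/loop1": "http://loop.example/a",
    "http://loop.example/a": "http://tinyurl.com/loop1",
}


def host(url):
    return (urlsplit(url).hostname or "").lower()


def looks_like_short_link(url):
    """Heuristic: one short path segment and no query string."""
    parts = urlsplit(url)
    segment = parts.path.strip("/")
    return bool(segment) and "/" not in segment and len(segment) <= 10 \
        and not parts.query


def resolve_chain(url, redirects, max_hops=MAX_HOPS):
    """Follow redirects hop by hop; stop on loops or overly long chains."""
    chain, seen = [url], {url}
    while chain[-1] in redirects:
        nxt = redirects[chain[-1]]
        if nxt in seen:
            return chain, "loop"
        if len(chain) > max_hops:
            return chain, "too_many_hops"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "ok"


def assess(url, redirects):
    """Resolve a link and report findings a filter could score on."""
    chain, status = resolve_chain(url, redirects)
    findings = [] if status == "ok" else [status]
    # Hops after the first that themselves redirected somewhere else.
    redirecting = chain[1:-1] if status == "ok" else chain[1:]
    for hop in redirecting:
        if host(hop) not in KNOWN_SHORTENERS and looks_like_short_link(hop):
            findings.append("unknown_shortener:" + host(hop))
    # A legitimate shortener whose target is itself a redirect.
    if host(chain[0]) in KNOWN_SHORTENERS and len(chain) > 2:
        findings.append("chained_redirect")
    return {"chain": chain, "final": chain[-1], "findings": findings}


if __name__ == "__main__":
    for link in ("http://tinyurl.com/abc123", "http://bit.ly/news42",
                 "http://tinyurl.com/loop1"):
        print(link, "->", assess(link, CONSTRUCTED_REDIRECTS))
```

Scoring on the final landing URL rather than on the first hop is what defeats the extra layer, since the legitimate shortener's reputation says nothing about where the chain ends.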

Monday, 01 August 2011

Opportunities to get published

I just received an interesting spam email telling me about an opportunity to get my research published. The senders apparently don't know that I work for a vendor of encryption products, and that we really don't do the sort of research that you'd publish in a scholarly journal. Here's what the spam said:

Do you feel scientifically isolated? Do you find yourself sitting on the side-line while others take the field by the nose and lead it? Are you unable to publish a model that summarizes your data and ideas because reviewers label it as being too speculative and unsupported? Can’t get those experiments published in any regular journal? Do you find that nobody is citing your papers? Haven’t published in your field for some time, but want to show that you are still a player? Well, no need to worry! There is a special category of publication for you, ‘the invited review’.

The journals that this email was soliciting contributions for were all related to biology or chemistry, so it's not clear exactly why I got it, but it was interesting to see that there's apparently a market in providing a place for research that might be called "not quite up to generally-accepted standards" to get published.

What I found surprising was how little it costs to do this: it looks like there actually aren't any fees associated with getting your work published this way. These journals clearly aren't trying to be a prestigious place for the world's leading scientists to publish their best work. Maybe their model is more like commercial magazines that are supported by advertising.  

Friday, 29 July 2011

Detecting opinion spam

I just came across an interesting article (and podcast) on the IEEE web site. It seems that a team of researchers at Cornell have found a way to tell truthful on-line reviews from the fake ones that are sometimes called "opinion spam". 

A quick summary of what they found is that people write differently when they're writing fiction versus non-fiction, and it's possible to use this as the basis for detecting bogus on-line reviews.

You can get slides that the researchers used at a recent presentation about their findings here (PDF). There's a lot missing from the slides, but there's enough there to get a reasonable idea of what they found and how they found it.

Thursday, 14 July 2011

More spam for stuffed animals

I'm still getting those annoying spams that invite me to pay way too much money to have my name listed in some book that's supposed to be a thorough and definitive list of the best and brightest in today's business world.

It seems to be easier to get into one of these books than the publishers would like you to believe. Here's another invitation that one of my wife's stuffed animals recently got.


Wednesday, 15 June 2011

Open J. Squirrel


I've been getting lots of emails recently from various "open access journals" soliciting submissions. I'm not sure how useful the content of these publications is, but it looks like these publications are aimed at people willing to pay to get their work into print instead of getting it published some other way. So I classify emails like these as spam, even if our spam filter doesn't.

And because the emails that I've been getting often have something like "Open J. Statistics" as their subject, they often make me think that they might have Rocket J. Squirrel  and his friend Bullwinkle J. Moose on their editorial board.

Maybe that's why I haven't submitted anything to them yet.

Monday, 04 April 2011

5 Things to do now as a result of the Epsilon Data Breach

As you will have read or watched in every media outlet today, Epsilon, a company that provides some of the top brand name companies with email marketing services had a data breach that uncovered the names and email addresses of millions of customers. These customers as reported in the New York Times and other blogs such as Byron Acohido's "The Last Watchdog", will now probably suffer from further attempts on their private information - Here's some resources that will help you make sense of the data breach and ensure that your company is not the next Epsilon:

 


  What do you need to know about the Epsilon Data Breach?
   

By now, everyone has read about a company named Epsilon. In fact, many people most likely have direct involvement, having received one or more emails from companies they do business with warning them to be very careful after a recent incident. These notifications stem from Epsilon Interactive, a third-party service provider of managed email, getting compromised and having some of their 2,500 clients' customer emails stolen.

Epsilon provides email and customer loyalty services to more than 2,500 corporations, including seven of the top 10 Fortune 100 companies. The company sends more than 40 billion emails annually on behalf of these clients. So even if you haven't heard of it before, chances are high that your bank or your favorite retailer or hotel chain is using Epsilon for email and other services. The company touts itself as the world's largest permission-based email marketing provider and is believed to store more than 250 million email addresses.

A list of companies whose customer data has been breached can be found at http://datalossdb.org/incidents/3540 and http://krebsonsecurity.com/2011/04/epsilon-breach-raises-specter-of-spear-phishing/ – these lists are being updated as companies send out their data breach notifications.

 
  What to tell your customers and employees to do now?
   

If you yourself have received data breach notifications from companies that you do business with then chances are your own email was amongst those breached – here's some basic guidelines on how to avoid follow-up fraud from the perpetrators of this data breach:

  • Don't open emails from people you don't know
  • Don't respond to emails asking to verify your password or other personal details
  • Hang up on phone calls from the bank or others who call asking to verify personal info
  • Don't open email attachments - even 'Data Breach Notification' letters - if you do, make sure anti-phishing countermeasures are active
  • Do change your passwords - go direct to company website - don't click on a link in an email
 
  How to protect your data?
   

Like most companies Epsilon had extensive security measures in place – however, sophisticated criminals found a way to breach those defenses. Once inside they were able to make off with millions of emails, because this type of data was lying around in the clear – no one thought the data was at risk. The best defense is to protect the data itself. That way, even if hackers force their way into your systems, the data itself is useless. The solutions to accomplish this – typically encryption or tokenization are widely available and are used extensively by payment processors, retailers, financial institutions and healthcare organizations to protect sensitive data – wherever it goes. In fact, the best approach is to encrypt information as quickly as possible and keep it encrypted for as long as possible until it is actually needed – this is often referred to as End-to-End Encryption.

Voltage has provided some of the largest brand name companies in the world with solutions to protect emails, information stored in databases and used by applications – inside and outside the cloud. To learn more click on one of the following links:

In addition:

  • Consumers need to know what data is being captured, what it is used for, and how it is being protected as a matter of corporate policy
  • Corporations must demand that their business partners and IT secure personal data so it cannot be exploited in this all too easy manner as illustrated by the Epsilon attack
  • Protect non-regulated personal data – Email may not be a regulated field in regulations like PCI, but if it's being captured, it can be exploited
  • Access to personal data within a corporation needs to be locked down – on a need-to-know basis – reducing access to e.g. the last 4 fields of an SSN instead of a whole one, or using encryption and tokenization to reduce the exposure of real data to employees, partners and customers.
  • Communication with consumers and business partners needs to be secured and trusted – use a secure email solution but make sure it has anti-phishing countermeasures activated.
  • Avoid using live data in test systems by de-identification and masking to reduce exposure outside production controls

Learn how a top financial services firm protects sensitive data

 
  Making sure your 3rd party service providers protect your data
   

The other big lesson to learn from the Epsilon data breach is that while you may implement safeguards to protect sensitive data within your datacenters, your third-party service providers must also do the same – it is critical that your sensitive information is protected via encryption or tokenization by the third party. In fact many in the industry are calling for contractual clauses that insist on data encryption by 3rd parties.

Learn how a top insurance company made sure its service providers protected its data

 
  Consumer Data Protection Manifesto
   

In order to safeguard sensitive customer information many customer advocates are calling for new rules that force companies to certify that they have adequate data protection in place to protect data even in the event of a breach – similar to Sarbanes-Oxley, this would bring board level visibility to a critical issue in the minds of consumers.

Secondly to protect data that is being used by 3rd party service providers, companies should insist on a data protection clause in their contract that mandates the use of encryption of all consumer data. Data transferred to a service provider should be encrypted in line with making sure that consumer information is encrypted at the earliest opportunity and remains encrypted until needed.

See Voltage co-founder, Matt Pauker's, Op Ed in Forbes on the subject.

 

Wednesday, 09 March 2011

Another odd spam

I received yet another odd spam. This one invited me to submit an article to the journal Mental Illness. Here's part of the email:

Dear Reader,

We are writing you to bring to your attention a recent article appeared in Mental Illness. We think that you might be interested in this manuscript below about schizophrenia symptoms.

A new nosology of psychosis and the pharmacological basis of affective and negative symptom dimensions in schizophrenia
Costa Vakalopoulos
Mental Illness 2010; 1:e7

Towards the bottom of this email was the following:

[You are receiving this message because your address came up in a specific literature search; it was not included in any mailing lists, and is used for a single advice].

Now I've written a lot of stuff about cryptography, information security and risk management. Even a little about economics. But I don't recall ever writing anything related to schizophrenia. So is this just an odd spam, or do the editors of Mental Illness know something that I don't know? And why do they think that I would be interested in schizophrenia symptoms?

Friday, 04 March 2011

An unexplained spam

A very unusual spam managed to get past our filters recently. Here's what it said:

Dear Sir/Madam,

It gives me a great pleasure to invite you to the forth coming international seminar which the Global Watch Institution is exited to be hosting in January 24th to 29th 2011 at Webster hall New York City  USA, and from January 31st to February 4th 2011 at Euskalduna Conference Centre and Concert Hall Madrid Spain.

The theme of the forth coming seminar are; Racism and Human Right. Delegates who are interested to make a paper presentation are advice to make a summary presentation on the above subject.

On behalf of the Organizing Committee, I request you to kindly extend your
cooperation by giving wide publicity to the aforesaid workshop by
sharing this invitation among your staff, members or relatives for their
active participation in the workshop.

Note: the G.W.I will be providing all delegates with to and fro Air ticket and also visa’s guidance for the seminar purpose. Looking forward for your cooperation and support for the success of the workshop.
Registration is open now! Contact the organizing secretary Mrs. Angela C. Derick for more information.
Email: secretary_gwi_event@globomail.com
See you in the Seminar.
Regards
Miss Gloria Francis
gloria_francis@globomail.com [note to TypePad people: please change your editor so that it doesn't keep adding the mailto URL to this after I take it out]

I can't quite figure out what this particular spammer wants. If they're trying to use this email to defraud people of money, they certainly need to work harder. Maybe they try to sucker you into paying some sort of charge to help process the "to and fro" air fare that they provide you, but I doubt that anyone would actually believe that this message is genuine. Maybe they're just trying to set a record for the least effective spam ever.

Thursday, 03 March 2011

Unavoidable spam

I recently attended a big industry trade show. The people who ran this show sent me all sorts of follow-up emails telling me about how to view on-line versions of the presentations from the show and other show-related stuff. On each of these emails there was a link that said to click on it to opt out of receiving future email from the organizers.

But when I clicked on the link, here are the choices that I was given (with the actual conference name concealed with CIA-style black highlighting):


Note that unsubscribing isn't even really an option! You just get to pick how you get spammed in the future. Come on, guys, at least give us a way to actually say "Go away."

Monday, 07 February 2011

An early attempt to beat spam filters?

I was recently looking at FIPS 74, the old standard from 1981 that defined how to use the DES encryption algorithm. Section 5 of this document is "USING DES TO MAP A CHARACTER SET ONTO ITSELF," which seems to indicate that the idea of format-preserving encryption has been interesting to people since at least 1981. FIPS 74 may also be one of the first attempts to bypass spam filters.

In particular, FIPS 74 (at least in the version that's on the NIST web site) section 5 is called "IMPLEMENTATlON OF THE A1GOR1THM," which has the letters "L" and "I" replaced with a "1." The first spam email was actually sent in 1978, so 1981 is definitely within the Age of Spam.

I don't recall email discussions of encryption algorithms being particularly overwhelming back in 1981, but could the title of section 5 of FIPS 74 have been an early attempt by NIST to sneak their DES standard past spam filters, sort of like people do when they try to sell you "V!@gra" today?

Friday, 10 December 2010

The very first spam?

The first spam is generally thought to be the message that was sent by DEC salesman Gary Thuerk to 400 unsuspecting users of the ARPANET back in 1978, but the history of spam may actually go back much further than that. Apparently as early as 1864, people were sending unsolicited commercial telegrams. Here's how The Economist described what may be the first time that this was done:

ON A May evening in 1864, several British politicians were disturbed by a knock at the door and the delivery of a telegram—a most unusual occurrence at such a late hour. Had war broken out? Had the queen been taken ill? They ripped open the envelopes and were surprised to find a message relating not to some national calamity, but to dentistry. Messrs Gabriel, of 27 Harley Street, advised that their dental practice would be open from 10am to 5pm until October. Infuriated, some of the recipients of this unsolicited message wrote to the Times. “I have never had any dealings with Messrs Gabriel,” thundered one of them, “and beg to know by what right do they disturb me by a telegram which is simply the medium of advertisement?” The Times helpfully reprinted the offending telegram, providing its senders with further free publicity.

If we can actually trace spam back to 1864, the 150th anniversary of the first spam will be here in only a few years. Could this be a good excuse for a big industry-wide event to discuss the evolution of spam and other spam-related topics?

Monday, 25 October 2010

Spammers waste no time

Holy cow! Spammers must be even more efficient than I would have thought possible. I do a few posts about some psychology research and its applicability to information security and I'm now getting spam that appears to be aimed at psychologists. That didn't take long at all. Or maybe it's just a coincidence.

Friday, 11 June 2010

An invention motivated by spam

There’s apparently a doctor out there with the same name as me. I say this because I often get requests for permission to reprint various medical articles as well as spam from biomedical companies. One of these recent spams advertised a product that identifies proteins by using mass spectrometry.

That made me wonder if it would be possible to invent a device that could automate the identification of the books on my desk. Maybe this machine would burn one of these books and determine from the ash whether the content of the book was number theory, algebraic geometry, elliptic curves, etc. Such a machine, of course, would be called a "math spectrometer." 

Thursday, 20 May 2010

A possible use for spam

I've received lots of spam emails recently that tell me that I've been selected for inclusion in some sort of Who's Who book. As far as I can tell, all of these are scams designed to get you to give them your credit card number so that they can charge you for expensive books that you didn't order. On the other hand, maybe there's actually a good use for these scams.

I have to wonder if being included in one of these books would help your chances for college admission these days. Imagine being able to add the following to your college application:

  • Received first pre-approved credit card offer at age 2
  • Included in Cambridge's Who's Who at age 4

Could that be the additional padding that will separate you from the other applicants at the more selective universities?

Tuesday, 18 May 2010

Pathetic spammers

I received another one of those annoying spam emails from one of those operations that will include you in their exclusive Who's Who book because of your significant contributions to your field (i.e., having a valid email address). This particular spam, however, was apparently from "Satellite TV Quote." So it looks to me like some spammer couldn't quite keep his scams straight and included text from one scam in a message designed for another scam.

Come on, spammers, at least make a reasonable effort to make your messages look legitimate.

Thursday, 13 May 2010

A new approach to fighting spam?

Spam and the uncertainty that spam filters cause has dramatically reduced the effectiveness of one of the most popular uses of the Internet. Maybe it’s time for a different approach to filtering email.

Phones and email are both about equally useful: given the choice between giving up their phone or giving up email, people are about evenly divided. When comparing e-mail to other Internet technologies, however, it's no contest. Given the choice between giving up email and giving up browser-based web access, people cheerfully forgo the web in favor of email. The web may be nice to have, but email is a necessity, and most businesses really can’t function without it.

Unfortunately, almost all of today’s email traffic is spam so it’s necessary to separate the spam from the legitimate messages before they get to users’ inboxes. If you don’t do that, users are quickly overwhelmed by the sheer volume of spam that they receive.

Spammers are clever, however, and quickly find a way to get around the latest updates to spam filtering software. That’s possible because filtering applications use the latest models of what spam looks like to help them decide whether or not to let a message pass. Once spammers learn what filters look for, they quickly invent a way to get their spam past the filters.

Maybe an entirely new approach to filtering email is needed, and the fact that most email is actually spam may be the insight that we need for this. In particular, instead of trying to identify spam, why not try to identify legitimate email messages instead?

Note that this is entirely different from white-listing. With white-listing, an approved list of names, domains or IP addresses is used to allow incoming email. Instead, this approach looks at the content of an email and tries to decide if a particular message is legitimate. White listing doesn’t look for valid email messages. An entirely different model may be needed to do that.

Information security vendors have spent lots of time and effort over the past several years developing ways to identify spam. The benefits of this research have been temporary at best because spammers quickly learn to avoid the most recent versions of anti-spam filters. But while the arms race between spammers and anti-spam vendors has led to all sorts of unusual messages that are designed to pass filters undetected, the format of legitimate emails hasn’t changed much at all, and because of this, identifying legitimate emails may be a better strategy than identifying spam.

Looking for legitimate emails seems to be very simple to implement because it can be done with a minimal change to existing networks. All that’s needed is different logic on anti-spam filtering products. Everything else can stay the same. That seems much simpler than some of the alternatives that have been proposed. Simple is definitely good. It might even be effective.

I haven't heard of this approach being used. Maybe there's some obvious reason why it won't work.

Friday, 09 April 2010

Peer-reviewed spam

After the spam message that invited me to submit a paper to The 14th World Multi-Conference on Systemics, Cybernetics and Informatics, the conference that's probably most famous for accepting a computer-generated paper, I received another similar message. This one was from the same people who organize WMSCI 14, and it turns out that they're also organizing the 2nd International Conference on Peer Reviewing. Here's an interesting blurb from the ICPR web site:

Empirical studies have shown that assessments made by independent reviewers of papers submitted to journals and abstracts submitted to conferences are no [sic] reproducible, i.e. agreement between reviewers is about what is expected by chance alone. Rothwell and Martyn (2000), for example, analyzed the statistical correlations among reviewers' recommendations (made to two journals and two conferences) by analysis of variance and found out that for one journal "was not significantly greater than that expected by chance" and, in general, agreement between reviewers "was little greater than would be expected by chance alone."

The Rothwell and Martyn (2000) reference is available here, and the ICPR blurb seems to be an accurate summary of its findings. It looks like your ability to flip a coin and have it come up "heads" is just as good a predictor of whether or not a reviewer will like your paper as any other indicator is. That's not entirely encouraging, is it?

Friday, 26 March 2010

Does this count as spam?

I received an interesting email recently that began like this:

Dear Luther Martin:

We would like to inform you that the final set of deadlines for submitting a paper/abstract in the area of "Operation Research and Management Science" (or other area) included in The 14th World Multi-Conference on Systemics, Cybernetics and Informatics: WMSCI 2010 (http://www.sysconfer.org/wmsci) to be held on June 29th-July 2nd, 2010 in Orlando, Florida, USA, is the following:

Papers/Abstracts Submissions and Invited Sessions Proposals: April 7th, 2010
Authors Notifications: May 5th, 2010
Camera-ready, full papers: May 26th, 2010

I was about to delete this email when I realized that this conference is the one that accepted the randomly-generated paper Rooter: A Methodology for the Typical Unification of Access Points and Redundancy that was created by the SCIgen tool. That didn't stop me from deleting the email, of course. It just made me take a minute to do this blog post about it. Then I deleted it.

Tuesday, 16 March 2010

Now that's targeted phishing

I recently received an interesting targeted phishing message. It claimed to be from Voltage's CFO and asked me to download and run a program (malware) that it claimed would provide input into some sort of insurance paperwork that Voltage needs to fill out. This phishing mail was interesting because it claimed to be from our CFO and had our CFO's real contact information at the bottom of the message.

I was surprised by how targeted this phishing was. Voltage has lots of large customers. The last I heard, we have roughly 1,000 enterprise customers and about 10 million users of our technologies, so there are probably lots of people out there who wouldn't be surprised to get an email from Voltage's CFO. On the other hand, the number of people who could reasonably expect an email from Voltage's CFO is fairly small compared to the number of people who have accounts at Bank of America or Wells Fargo.

So while I can understand why a phisher might think that it's reasonable to send out millions of phishing emails in an attempt to trick a few of the BofA or Wells customers into giving up their username and password, I can't quite understand why a phisher would think that it's worth sending out targeted phishing emails in an attempt to get a few Voltage employees to install malware on their computers.

Maybe this really indicates that Voltage is more successful than I've heard. I remember seeing a press release recently that talked about how we had something like 70% revenue growth last year, are profitable, generating cash from operations, etc. Maybe we're really doing even better than that. Why else would phishers try such a targeted attack?

Monday, 01 February 2010

It's easy to become famous

Intrigued by the possibility of becoming famous that I mentioned in the last post, I looked more closely at the email that invited me to get listed in some sort of prestigious publication and found a link that had my name in the URL. Once I saw this, I wondered how easy it would be for someone else to become famous. To test this, I removed my name from the URL and put in the name of one of my wife's stuffed animals.

Apparently Putsi Fischotter is also famous enough to get his name listed.


Maybe if I send these guys a picture of a stuffed otter dramatically staring off into the distance they'll add that image to their web site.

Friday, 29 January 2010

I'm famous!

I recently received another one of those annoying emails that tell you that you're so famous that some publisher would like to include you in a book that lists other famous people and their accomplishments.

Here's what these guys said:

It is my honor to inform you that as of January 22, 2010 you are being considered for inclusion in our forethcoming [sic] edition of the 2010 directory representing the WHO'S WHO of Worldclass [sic] Professionals.

Our alliance is recognized by talented individuals who hold knowledge and experience in a particular industry, demonstrate a commitment to excellence, and seek career advancement or enhancement.

On behalf of the CEO and our esteemed staff, we wish you continued success.

I'm not sure how these emails manage to get past our spam filter, but they do it fairly often. I must get one of these at least once per week. I get them so often that I'm now convinced that the only criterion for getting listed in one of these books is having a valid email address. I'm not sure that counts as holding knowledge and experience in a particular industry. It's hard to see how that demonstrates commitment to excellence or seeking career advancement or enhancement, either.

I have to wonder if other talented individuals like sales@voltage.com and marketing@voltage.com are already listed in one of these fine publications.

Monday, 27 July 2009

The lamest spam ever

A few days ago, I received what must be the lamest spam ever. Here's what it said:

Hi Sir, You have a wonderfull offer to getting world wide companies. Please. If you are increase your bussiness then me. Regard's Thomes

It's somewhat amazing that this message made it past our spam filter, but what's even more amazing is the fact that someone actually thought that he could make money off his email campaign that sent out this message.

I've seen some poorly-designed spam over the past few years. Some spammers didn't even take the time and effort to make the content of their spam consistent, like messages that claim to be from one bank yet tell you that your account at an entirely different bank has been suspended and that you'll be unable to access your balance unless you click on a link that installs a virus on your computer.

At least that spam made a better effort. It at least had flashy graphics that made a reasonable effort of making the message look like it really came from a big commercial bank. This message from "Thomes," however, makes no effort at all to even try to look legitimate. It must be the lamest spam that I've ever seen.

Friday, 24 April 2009

Thursday at the RSA Conference

Hackers are clever, and they’ll find a way to exploit almost anything. One example of this is how they’ve learned to use blogs to distribute spam and other malware. But for every hacker finding a new way to carry out attacks, there’s apparently a security vendor coming up with a response. At the RSA Conference this week, I saw some interesting demos of the counters that security vendors have created to the problem of hackers using blogs to help them carry out attacks.

In most cases, spam email outnumbers legitimate email by a huge margin. This seems to be true with comments that are posted to blogs also. If I go to the management console for this blog, for example, I now see over 3,400 attempts by spammers to get this blog to link to their sites that claim to be selling interesting products, but are probably just trying to collect sensitive personal information. Looking through a queue of over 3,400 items just isn’t feasible, but security vendor Websense has a product that will do this for you, and in most cases, they’ll actually do this for free.

This product is Defensio, and I saw a demo of it at the RSA Conference yesterday. Websense claims to have sophisticated adaptive algorithms that let their technology adapt to the efforts of spammers to bypass their filtering. That’s not the sort of thing that’s easy to show in a demo, so I’ll have to trust that this really happens behind the scenes.

Defensio works by routing potentially malicious posts through Defensio’s servers, which make a decision about whether or not the post is spam. This architecture also lets Defensio identify and react to new attacks on blogs as they’re developed and used by hackers. I seem to recall that anti-virus products worked this way at one time, but anti-virus vendors seem to have now discarded this model. It will be interesting to see if this also happens to Defensio’s technology in the future.

Unfortunately, Defensio is only available for blogs that are hosted by WordPress. This blog uses TypePad, which means that I can’t actually try it and see how well it works in practice.

In addition to blogs, it seems that newer social networking services like Twitter have already been abused by hackers. Twitter users are already receiving spam (twam?), and if you follow the Twitter user @spam, you’ll see updates on how this spam is happening, who it’s coming from, etc. You might even find it amusing that when you visit the Twitter page for the user @spam, you see the message “Hey there! spam is using Twitter.”

Maybe there’s a start-up out there right now that’s figuring out a way to keep Twitter uncluttered. I’ll have to look for this at next year’s RSA Conference.

Monday, 23 February 2009

An idea that won't work

The recent story by The Sunday Times about the energy cost of using Google for a search seems to have been revealed as an exaggeration. We'll have to wait a while and see which people remember more - the correction or the original inaccurate claim:

Performing two Google searches from a desktop computer can generate about the same amount of carbon dioxide as boiling a kettle for a cup of tea, according to new research.

That's not just wrong – it's obviously wrong. The Times eventually added a few extra words to their original article that tried to clarify what they actually meant, but it still looks like a case of people trying to use statistics who shouldn't be using them. The fact that this article created such a stir may tell us that one of the ways proposed to combat spam may be impractical due to environmental concerns. This is the idea that one way to stop spam is to force senders of email to pay a tax in the form of lots of computation when they send an email.

The problem is, of course, that the computation that would be needed to send an email could also be quantified in terms of carbon dioxide. Imagine the uproar if the following was claimed about this anti-spam technique:

Sending a single email can generate the same amount of carbon dioxide as boiling two gallons of water, according to new research.

So it certainly looks like the idea of paying tax in computing power won't fly as a means of preventing spam these days. It's never been a very popular idea, but it certainly looks like the anti-spam researchers need to come up with another idea or two.
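Hashcash is the best-known form of the computation tax described above. The following Python sketch is an added example, not code from the original post; the stamp layout, the use of SHA-256, and the names `mint` and `verify` are assumptions made for illustration. It shows the asymmetry the energy argument rests on: the sender spends roughly 2^bits hashes per message, while the recipient checks the stamp with one.

```python
from __future__ import annotations
import hashlib
from itertools import count


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint(recipient: str, date: str, bits: int) -> tuple[str, int]:
    """Sender: try counters until the stamp's hash has `bits` leading zeros.
    Returns (stamp, hashes_tried); the expected cost is about 2**bits hashes."""
    for counter in count():
        stamp = f"{bits}:{date}:{recipient}:{counter}"
        digest = hashlib.sha256(stamp.encode()).digest()
        if leading_zero_bits(digest) >= bits:
            return stamp, counter + 1


def verify(stamp: str, recipient: str, min_bits: int, seen: set[str]) -> bool:
    """Recipient: a single hash, plus checks that stop a stamp being reused."""
    parts = stamp.split(":")
    if len(parts) != 4 or parts[2] != recipient:
        return False  # malformed, or minted for a different mailbox
    if stamp in seen:
        return False  # replay of an already-spent stamp
    digest = hashlib.sha256(stamp.encode()).digest()
    if leading_zero_bits(digest) < min_bits:
        return False  # not enough work was done
    seen.add(stamp)
    return True


if __name__ == "__main__":
    # Constructed sample values; 16 bits is small enough for a quick demo.
    stamp, tried = mint("alice@example.com", "2009-02-23", 16)
    spent: set[str] = set()
    print(stamp, "cost", tried, "hashes")
    print("accepted:", verify(stamp, "alice@example.com", 16, spent))
    print("replayed:", verify(stamp, "alice@example.com", 16, spent))
```

Each extra bit of difficulty doubles the sender's expected work and leaves the recipient's cost unchanged, so the per-message cost at issue in the post is set entirely by the `bits` parameter.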

Tuesday, 03 February 2009

Who Responds to Spam?

Over the years, I have talked to several people in the spam-prevention industry. I almost always ask the same question. And the conversation almost always goes like this.

Me: Who are the people who respond to spam? Has anyone done any research on why they respond?

Spam-Prevention Rep: The spammers don't need many people to respond. At even well below 1% response rate, they make a profit.

M: Yes, I understand that. I'm not asking that question. I'm asking, who are the people who respond to the spam?

S: It doesn't matter, all the spammers need are a small percentage to respond and they make a profit.

M: Look, I'm not sure you understand the question. Do we know anything about the people who respond to spam? If we did, maybe we could do a better job of educating the public on spam so that fewer people will respond. Besides, I'm curious as to why people buy products from spammers.

S: I don't know how I can be any clearer, even if only a very small percentage of people respond, the spammers make a profit.

At first I was a little offended: did the rep really think I didn't know what they were telling me? Then I realized what was going on. The people in spam prevention did NOT know anything about the people who respond, and rather than simply say, "We don't know," they deflect the question. In my opinion they were being dishonest.

Finally, one day someone from the spam prevention industry said it: they don't know who responds, and nobody has done any research on why people respond. He said that information might be helpful in crafting strategies to eliminate spam. I have a lot of respect for that guy.

How does one find the people who respond to spam? Ask the spammers? Well, here's a story about one spammer's customer list that saw the light of day. The problem is, this is an example of a data breach: the spammer had a security problem that allowed anyone to see the customer list. The first question should be, is it ethical to use that list? If you are not a thief, but just a researcher or reporter, is it ethical to use information that was supposed to be private? I say no.

Hence, we still don't have a list of people who respond to spam.

I think this would be a great project for a Sociology major, maybe even a master's thesis or doctoral dissertation. Advertise on the internet, find people who have responded, or people who know people who have responded to spam. Pay them some money to answer some questions. Then come up with some analysis: why do people respond to spam? Why do they click on the links and why do they buy the products advertised?

Although that would not test my theory: wiring in the brain. We're all wired differently; for some of us, certain activities are easier, or other activities provide more enjoyment. For example, here is an example of researchers looking at brain activities of gamblers to see if there are differences between those with gambling problems and those without.

That would be another great test: watch people's brains while they read spam. Maybe even ask them to click through. What happens in the brains of those who buy the spammers' products, and those who do not?
