18 November 2010
Posted By: Gom Jabbar
Cockblocking with the CSC-SSM-10

Late night at home, remoted into a customer’s firewall to do some recreational tweaking of a spam filter. (There’s nothing good on TV except reruns of the Addams Family movies from the early 90s, the brief golden age of Barry Sonnenfeld.)

The spam filter’s a CSC-SSM-10 card sitting in a Cisco ASA 5510. A box within a box. It’s got its own processor, RAM, IP address. The email traffic, web traffic and/or FTP traffic that pass through the ASA get handed over to the CSC-SSM-10 for spam-filtering, antivirus-checking, and content filtering by the Trend Micro InterScan engine.

My customer has been plagued by a particularly enthusiastic purveyor of pharmaceuticals. Oxycontin, Vicodin, Viagra. A stream of chemical nomenclature that hints of bliss and tumescence for the lonely and unloved. It is not enough to block the word alone. You have to block deliberate misspellings and compound words. The spam content is increasingly designed to defeat the simplest keyword filters.

Trend Micro InterScan Incoming Content Filter on the CSC-SSM-10

On this particular night, the most common spam email subject contains the string “PenisEnlargement”, although some spam subjects contain multiple words clumped together like those incredibly long German compound words. Oui bien, everything in the spamlord philosophy screams bigger *is* better.

What we need here are wildcards. It is not enough to block “penis” or “enlargement”. The only effective string in this case would be “penisenlargement”. A better option, requiring less future tweaking, would be to block the string *penis* (that’s “penis” bookended by asterisks) and hope that not too many of our users get blocked for mentioning CeCe Peniston in their emails. See, the key here is plausibility and probability. A Katamari Damacy of the sender’s reputation and inappropriate word strings and whitelists and blacklists and greylists. With the constantly-changing sender’s address, it is futile to block the sender. We have to block the content.
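The trade-off above, as an added example that is not part of the original post: a plain-Python model (not how the InterScan engine matches) comparing a whole-word keyword, the exact compound, and the broad wildcard on constructed subject lines. The exception phrase list and all function names are assumptions made for illustration.

```python
import fnmatch
import re

# Constructed subject lines for illustration; none are taken from real mail.
SUBJECTS = [
    "PenisEnlargement guaranteed",
    "Cheap PenisEnlargementPillsOnline",
    "CeCe Peniston tickets for Friday",
    "Peniston fans: PenisEnlargement offer",
    "Quarterly budget review",
]

def whole_word_hit(subject, keyword):
    """Simple keyword filter: the keyword must stand alone as a word."""
    return re.search(rf"\b{re.escape(keyword)}\b", subject, re.IGNORECASE) is not None

def wildcard_hit(subject, pattern):
    """Case-insensitive glob match; '*penis*' hits the substring anywhere."""
    return fnmatch.fnmatchcase(subject.lower(), pattern.lower())

def wildcard_hit_with_exceptions(subject, pattern, exceptions):
    """Blank out known-benign phrases first, then apply the wildcard.

    Removing the phrase (rather than skipping the whole message) means a
    subject that contains both a benign phrase and a blocked string still hits.
    """
    text = subject.lower()
    for phrase in exceptions:
        text = text.replace(phrase.lower(), " ")
    return fnmatch.fnmatchcase(text, pattern.lower())

def compare(subjects, exceptions=("peniston",)):
    """Return {subject: (whole_word, compound, broad, broad_with_exceptions)}."""
    return {
        s: (
            whole_word_hit(s, "penis"),
            wildcard_hit(s, "*penisenlargement*"),
            wildcard_hit(s, "*penis*"),
            wildcard_hit_with_exceptions(s, "*penis*", exceptions),
        )
        for s in subjects
    }

if __name__ == "__main__":
    for subject, hits in compare(SUBJECTS).items():
        print(f"{hits}  {subject}")
```

The whole-word keyword misses every clumped subject, the broad wildcard catches them all but also flags the Peniston line, and the exception pass clears that one line without letting the mixed subject through.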

In the background, Nick Cave on iTunes sings plaintively, appropriately:

I think of you in motion and just how close you are getting
And how every little thing anticipates you
All down my veins my heart-strings call
Are you the one that I’ve been waiting for?

It feels like that sometimes. Waiting for something, as yet unseen, on a trajectory towards you. Can past patterns foreshadow the arrival of the future? I am predicting the arrival of the next iteration of the slightly-more-munged communiques from the Spamlords of Eastern Europe. It feels like I am anticipating a chess opponent’s next move, on a chessboard with infinitely more squares and chess pieces, mostly shaped like phallic sex aids. Or maybe on a fundamental level, every anticipatory strategy here is no better than the reading of entrails.