Inventory of Problems. Version 02. 4/11/2003

This is the Inventory of Problems document that was originally started by Liudvikas Bukys. I've made some changes based on feedback from others and myself. I thought that I sent this to the list after I sent the list of work items, but I could not find it to refer to it. Liudvikas will resume ownership of this document.

Evading accountability
 - forging envelope sender
 - forging From header

Exploitation of weak systems
 - exploit open smtp relay
 - exploit insecure web services (cgi formmail)
 - exploit open proxies (HTTP CONNECT, HTTP)

Aggressive database generation
 - directory harvesting (web, LDAP)
 - name guessing & probing
 - name guessing without probing [selling bogus data to others]
 - inappropriate database sharing/selling

Inadequate opt-in
 - no actual opt-in
 - deceptive opt-in
 - single opt-in without confirmation

Inadequate opt-out
 - opt-out not implemented
 - opt-out ineffective (pro forma removal from one list not all)
 - opt-out untimely
 - opt-out difficult to execute
 - opt-out hostile (used only for address verification & enrollment in even more databases)

Evasion of automated filters
 - content randomization
 - eyespace transformation
 - misspelling
 - punctuation and spacing
 - substitution of visually similar characters
 - html coding tricks
 - slice&dice tables
 - javascript-generated content
 - font size/color/background
 - mime multipart encoding
 - inclusion of non-spam chaff (visible or invisible)
 - content in images, not text
 - content in other external links

Evasion of human caution
 - fake DSN
 - fake content resembling common cgi-to-mail
 - "returned your call", "your account has a credit", etc

Not a real business
 - spam as chain letter/pyramid, selling software and bogus data to the naive
 - spam as DoS attack, no real solicitation in content

False claims
 - false claims regarding opt-in

Fraud & Crime
 - Nigerian 419
 - eBay password/credit card theft
 - PayPal password/credit card theft