What are common input-space adversarial attacks used to bypass spam classifiers (e.g., obfuscation, token insertion)?

1. Classic tactic — word/token insertion and “marginal” attacks

One of the oldest and most consistently observed input-space tricks is to insert benign-looking words that are common in ham but rare in spam; this “injection” or marginal attack shifts feature statistics so that a spam message appears more like legitimate mail ^{[1] [2]}. Papers dating back over a decade document attackers appending rare-but-hammy tokens or deliberately mixing in “good” words to reduce a filter’s spam score; defenders may later see those poisoned examples in training and have to re-learn ^{[1] [2]}.

2. Obfuscation at the character level — fuzzing, misspelling, and glyph substitution

Attacks that alter the surface form of tokens — e.g., inserting extra punctuation, zero-width characters, homoglyphs, or intentional misspellings — aim to break tokenization or hide trigger words from string-matching features and simple embeddings ^{[3] [4]}. Research highlights that character-level adversarial strategies can be effective even in black-box settings and that models relying on brittle tokenization are particularly exposed ^{[3] [4]}.

3. Semantic or paraphrase attacks — synonym replacement and token substitution

Adversaries substitute synonyms or rephrase sentences to change a sample’s representation in feature space while preserving human-readable meaning. Studies applying adversarial perturbations and word‑level replacements (sometimes called “Mad‑lib” style substitutions) show a real threat, though effectiveness depends on whether a model captures semantics (e.g., BERT vs. bag‑of‑words) ^{[5] [4]}. Some papers emphasize that translating feature‑space perturbations back into natural text is nontrivial and can reduce attack success unless carefully engineered ^[4].

4. Higher-level and AI-generated content — sentence/paragraph-level and image spam

Beyond token tweaks, adversaries craft sentence- or paragraph-level perturbations and even AI-generated text to change model decision boundaries; recent comprehensive evaluations attack models at word, character, sentence and AI‑generated paragraph levels and report severe drops in accuracy for deep models ^{[6] [3]}. For image-based spam (text embedded in images), universal adversarial perturbations and image-domain attacks have been studied and found effective against image spam classifiers ^[7].

5. Attack vectors by attacker knowledge: black-box vs white-box realities

Academic work tests both black-box (limited model access) and white-box scenarios. Character-level and query-based black-box attacks can succeed even without gradients, while white-box gradient-based methods tend to be more effective when available; undergraduate and conference studies note white-box attacks generally degrade accuracy more than black-box ones, but real-world attackers often have partial or surrogate-model access ^{[8] [3]}.

6. Practical limits and defense trade-offs — why success rates vary

Authors repeatedly caution that success depends on dataset, model architecture, and how textual perturbations are rendered back into natural language: feature-space perturbations don’t always map cleanly to fluent text, reducing practical attack strength ^[4]. Defenses such as adversarial training, feature hardening, and robust tokenization can reduce vulnerability, and the feedback loop of poisoned examples showing up in retraining may actually improve robustness over time if detected ^{[1] [3]}.

7. What the literature does not settle (and what to beware of)

Available sources do not provide a single ranked list of “most effective” input-space tricks across all spam systems; instead, effectiveness is dataset- and model-dependent, and some claims about universal success are limited to specific experiments ^{[3] [7]}. Also, while many papers document techniques, real-world adoption and the operational cost/stealth trade-offs for spammers are not uniformly quantified in these sources (not found in current reporting).

Summary takeaway: the community recognizes a recurring toolkit — insertion/marginal attacks, character obfuscation, synonym/substitution, and higher‑level text or image perturbations — and modern deep models remain vulnerable in many experimental settings, but practical impact varies and defenses can reduce risk when tailored to realistic attack models ^{[1] [4] [3]}.