back to article Spam volumes show massive drop - but why?

Spam levels have dropped massively in recent months, though researchers fear this is simply because botnet operators have switched their attention to more lucrative activities. Junk mail volumes - which reached 90 per cent last summer - are down to 75 per cent this summer, net security firm Symantec reports. The 15 percentage …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Junk mail?

    Either the spam filter catches it or - those rare mails that slip by - I delete them. This is what I believe the only reasonable procedure to deal with junk mail. If all users did the same junk mail had ceased to exist long time ago.

    Now, where are all those lusers who helped generating profit for spam producers? Maybe finally, they started to learn? (Still, never underestimate the stupidity of the user...)

    1. Vic

      Re: Junk mail?

      > If all users did the same junk mail had ceased to exist long time ago.

      Not so.

      As a recipient of spam, you have to remember that you are the *product*, not the punter.

      Spamming is a third-party service these days; the paying customers are those who want spam sent out, not those misguided idiots who actually buy the worthless tat. And there is no shortage of potential customers - even though most of them don't see themselves as spammers.

      I've abandoned several customers who have taken to third-party "marketing" techniques :-(

      Vic.

      1. Bassey

        Re: Junk Mail?

        > I've abandoned several customers who have taken to third-party "marketing" techniques

        Quite right. At a company I worked for a marketing bod came to ask what she could do about the fact that the marketing emails she was sending out kept getting blocked by the recipients' spam filters. We suggested she contact them and ask for them to put an exception in place.

        "Oh, but we don't know them. We're just sending out marketing emails to them"

        We argued with them until we were blue in the face but they were never going to aknowledge that they were sending spam.

  2. chr0m4t1c
    Unhappy

    Less spam you say?

    Odd that, I've had an incredible increase in spam the last few days, about 100x the level I had been getting.

    Mind you, it's not directed at me, it's someone send spam to .ru addresses from some .nl addresses and using generated reply-to addresses from my domain, so I'm getting all the bounced stuff.

    At least it's easy to filter.

    1. alain williams Silver badge

      Set up SPF

      Set yourself up a SPF record, it isn't hard: http://en.wikipedia.org/wiki/Sender_Policy_Framework

      Not everyone does SPF checking but it is enough to help if someone is using you like this.

  3. StephenD
    WTF?

    Something odd in the maths

    "Symantec reports that junk mail volumes that reached a high of 230 billion spam messages per day in July 2010, 90 per cent of all email traffic, are down to 39.2 billion messages per day, 72.9 per cent of all email."

    So in July 2010, total email was 230 / 0.9 = 256 billion

    Now, total email is 39.2 / 0.729 = 54 billion.

    Email volumes have not dropped by 80%. Shurely some mishtake.

    1. Anonymous Coward
      Paris Hilton

      Stats

      88.6% of all statistics are made up on the spot

      1. Al_21
        Paris Hilton

        Really?

        I thought it was 93.something?

        Perhaps it's been revised because Symantec released more stats.

    2. Tom Melly

      Right but wrong

      It's worded very confusingly...

      I think it means:

      before 10% legit email, 90% spam - eg. 10/90

      now 25% legit email, 75% spam - eg. 10/30 (since the amount of legit is unchanged)

      or not... no, you're right. It still doesn't make much sense...

    3. Anonymous Coward
      Thumb Down

      @StephenD

      You forgot to take away the spam.

      So it's actually 26bn of 'real' email reducing to 15bn, less than a 50% reduction, though still seems rather high.

      1. nyelvmark
        WTF?

        No, I think there's something wrong with the arithmetic.

        >>230 billion spam messages per day in July 2010, 90 per cent of all email traffic, are down to 39.2 billion messages per day, 72.9 per cent of all email

        So in 2010, 230bn was 90% of "all" email. Thus, there were 100 / 90 x 230 billion total e-mails. That's 276bn. 230bn spams and 46bn "real" emails.

        In 2011, 39.2bn was 72.9% of "all" email. Thus, there were 100 / 72.9 x 39.2 billion total e-mails. That's 53.8bn. 39.2 spams and 14.6bn "real" emails.

        Conclusion: "real" emails have shrunk from 46bn last year to 14.6bn this year.

        Is something wrong with my reasoning or arithmetic? I checked with several people, and 87.137% of them said "no".

  4. jai

    not seen any drop here either

    i've had a massive increase in incoming spam over the last couple of weeks.

    but i'm guessing that is because of the LulSec business, it's the same address i used for my playstation account so i'm assuming it's a result of that.

  5. Doctor_Wibble

    spam attempts here now ~0

    Around the middle of this month, spam attempts (harsh IP-blocking here, using 'deny' logs to count) suddenly dropped from 'lots' to one or sometimes two per day. It's unnervingly quiet - not that I'm ungrateful, but I have been wondering what's going on.

    Aside from this, I can't say I've noticed a long-term downward trend though.

    Do spammers really stop spamming? Do they update their lists to remove constantly-failing addresses? Has a spambot controller just dropped off the map?

    Or has someone been on holiday for a couple of weeks and simply hasn't started up again yet...?

  6. leon stok
    Unhappy

    same increase noted here

    Especially in the last 2 weekends i've seen a 5 fold increase of spam, as reported by my baracudas.

  7. Scarborough Dave
    Megaphone

    Just need more ISP's to block port 25 for domestic users!

    Surely that would sort the bulk of the SPAM out?

  8. Anonymous Coward
    Facepalm

    Spam increase

    I've seen a lot more spam.

    Some sent to my hotmail address claiming to be from people on Facebook trying to 'friend' me. I'm not signed up to Facebook with my hotmail account though and all of the links either point to http://www.facebook/something (an obviously in valid address) or redirect to a random pr0n site.

    The rest of the spam is the usual adverts for pills that will increase my tool size.

    Still lots of them though!

  9. Barry Tabrah

    Why are we still using decades old protocols?

    Email protocols were created in the days of implicit trust, where spam wasn't a problem. Isn't it time that we created a more trustworthy protocol which would nip the whole spam issue in the bud?

    If all emails were signed for example then any spam that made it through would at least be traceable to source, or if signing was compromised could be blocked by ISP blacklisting.

    1. Paul
      Black Helicopters

      DKIM? SPF?

      ever head of SPF? DKIM? not spam preventers, but they form part of a wider solution.

    2. copsewood
      Boffin

      Try upgrading your end

      No reason not to upgrade your server or encourage your server operator to upgrade to DKIM signing your outgoing messages http://www.dkim.org/ . No reason for your client software not to check DKIM signatures. Other than that maintaining and upgrading email infrastructure is hard work, and most of the world's email users don't even consider whether they would rather have their messaging data and attention be the commodity sold by the service providers to their data mining customers than pay a few quid a year for a service run in their interests. Oh, and the fact that you won't be able to reject unsigned messages for a very long time without losing messages you want. So long that there isn't enough incentive to push server operators to upgrade in preparation to being able to reject all unsigned messages.

    3. Stefan 6

      Blocking port 21

      My ISP is blocking port 21 (only allows access to their own mail server for sending out emails). If every ISP in this world would follow this very simple and effective method then SPAM would probably almost instantly cease to be a problem. Bootnet infected desktops would no longer be able to send emails directly to remote mail servers.

    4. nyelvmark
      Unhappy

      Yes. But...

      >>Email protocols were created in the days of implicit trust, where spam wasn't a problem. Isn't it time that we created a more trustworthy protocol which would nip the whole spam issue in the bud?

      To give an analogy: Korzybski was of the view that the majority of the world's troubles are ultimately down to communication problems resulting from the poor design of our human languages (also from the multiplicity of said languages, but people manage to mis-communicate even when they share a language).

      If Korzybski was right (and he probably was), then the obvious solution is for us to devise a language in which ambiguity is unlikely or impossible, and get everyone to adopt it.

      That's probably a much greater pipe-dream than than getting the entire internet to replace SMTP with a system employing end-to-end verification and encryption, but I hope the analogy is clear.

      It can't be done by tinkering with Simple Mail Transfer Protocol (SMTP). That was designed to be analogous to snail-mail. I write my message, put your address on it, and drop it into the nearest pillar-box. The mail system has no way of knowing who I am, and doesn't look at the content of the message. It just does its job and delivers it to you.

      Secure* messaging systems already exist, but they aren't like snail-mail. If you want people you don't know to contact you - and nearly every business does - then you're stuck with SMTP. Sorry.

      *Secure, that is, except from governments.

  10. Anonymous Coward
    Anonymous Coward

    Eh?

    Then why do I get more and more spam?

    1. Burch
      Holmes

      Because

      One person is not a representative sample.

  11. Alan Brown Silver badge

    @Scarborough Dave

    Blocking port 25 is a start but the botnets usually switch to using the ISP's smarthost instead.

    As most ISPs don't (won't) filter outbound mail this simply makes the hurdle a little higher.

    If ISPs and ESPs switched on OUTBOUND spam filtering, spam levels would halve overnight and it'd be a lot easier to nail what's left.

    Statstics are easily manipulated anyway.

    Are spam volumes what gets past the SMTP phase and into the mailserver's spamassassin queue, or what ends up in the enduser's mailbox?

    Right now $orkplace is rejecting 99%+ of all inbound mail attempts at RCPT TO:<> based on DNSBL hits and a huge chunk of what gets past that at the end of the DATA phase. (We found that if we issue rejects at HELO or MAIL FROM:<> then a lot of badly configured (microsoft!) hosts start woodpeckering at our mail ports.

    Of course a substantial %age of RCPT TO:<> are invalid addresses anyway. I've been toying with adding in IP reject rules if any given host exceeds a threshold of invalid recipients to give 'em time to end up in DNSBLs. (Greylisting works too, but most botnets have adapted to it already)

    1. Vic

      @Alan Brown

      > most ISPs don't (won't) filter outbound mail

      BT does.

      They log IP addresses in both directions that send spam, and reject all mail from those addesses.

      They do not whitelist their own customers.

      Then they rotate their dynamically-assigned customer IP addresses.

      I had this callout, you see. My customer couldn't send any email...

      Vic.

  12. Anonymous Coward
    Pint

    Spam, spam, spam, spam...

    Most of the junk e-mail I get at work comes from inside the company. I'd say that 75% of the mail I get I really don't need to see. Of course, that statistic I just made up on-the-spot, but it's in the right range. Distribution lists are a wonderful thing; that's why we have so many of them. Unfortunately they aren't well documented and their titles not very descriptive, so very frequently the wrong lists are used. Then there are the messages from Management that they try to make look informative but are really just propaganda.

    Ah well, tomorrow is a holiday here. Cheers mates.

  13. John Halewood

    Greylisting

    Dunno about reduced spam volumes - on 3 mail servers on a quiet backwater of t'internet (serving about 50 or so domains) I'm still seeing an average of about 1 spam every 5 seconds. Fortunately thanks to greylisting, most of these never get as far as the DATA phase, but it doesn't half decrease the load on the servers (and there's always a couple of legit senders with broken servers who don't understand a 4.x.x "try again later" message).

  14. Anonymous Coward
    Anonymous Coward

    drastic solution

    I took a more aggressive approach using iptables, geoip and home-brew daemons.

    I made a list of countries that my clients don't do business with, and block port 25 for just those for most of the day. (ukraine, brazil, india, vietnam etc...)

    At night the filters are lifted for an hour to allow any legitimate queued mail to be received.

    Then the usual first line filters are used as normal:

    zen.spamhaus.org, - rejecting anything from a known residential ip address.

    bl.spamcop.net - next check

    spf milter

    dkim, dk

    own dnsbl created from received spam, spamtrap addresses -> direct to spamcop

    mailscanner - spamassassin and other rules...

    high scoring -> direct to spamcop

    borderline -> holding folder for queue reinsertion

    Mail attempts, pop3 abuse/scanning caught with a syslog extension that adds to iptables ban list, creates a report and mails ip abuse history to the ISP responsible

    I also made bind dns server geo aware, so that mail senders in bad countries get served an MX record of 127.0.0.1, which is also quite effective. Unlike iptables, this doesn't throw out the baby with the bathwater. Only problem is that managing 200 different views of x domains is heavy on memory, and needs a database to remember combinations of what domains give what MX records depending on a query's origin.

    Spam is now virtually non-existent.

    1. Anonymous Coward
      Anonymous Coward

      any chance of a howto document?

      Or a link to the one you followed?

      How complex are your mail forwarding rules?

  15. json

    Let me verify that..

    ..hmm.. ok we're running an ISP. From a normally 450k listed IP's in our dynamically generated spam database its now down to 280k (IP's get removed after 7 days)... that's 37% less listed IPs, as for the actual volume about 10% less. What this means, at least from our point of view, is yes they've disabled a lot of servers doing C&C -- I dont think they can do much to zombied PC's which are probably still up and running and very much still hacked just waiting for a command to begin spitting out trash again.

  16. John Parker

    BitCoins

    Lot of them are now mining tiny amounts of BitCoin on the spare CPU cycles, more profitable per machine than spam.

  17. T J
    Megaphone

    Start charging Microsoft

    Since its all Microsoft's fault for producing the only 'OS' that can get viruses almost effortlessly, they should foot the bill for all the wasted time, bandwidth and the accrued aggravation. Oh, and loss of money by the gullible though then again, thats something m$ thrive upon isn't it.

  18. Anteaus

    Attacking problem from wrong end...

    SPF is easy to implement but fails badly with redirected or forwarded messages. DKIM is too complex for small sites to implement. But, IP-based filtering is attacking the problem from the wrong end, anyway. It's giving symptom-treatment priority over finding a cure for the disease.

    As Barry says, Email protocols were indeed created in the days of implicit trust, where spam wasn't a problem. The mailto: protocol is desperately out of date, and urgently needs to be deprecated in favour of a protocol which doesn't expose the email address to any passing robot. This indeed the very root of the problem, and in principle it's far simpler to take measures to stop spammers harvesting email addresses than it is to block botnets from spamming you.

    Pity they didn't take mailto: out of HTML5, at least that would steer webdesigners in the direction of using safer alternatives.

    If (say) 80% of webmasters implemented anti-harvesting measures, then the paucity of addresses to spam might well make the masmarketers decide that spamming is no longer profitable, in which case spam would virtually cease.

    The other approach which warrants some thought is that of hosting companies implementing a webserver module which blocks the publication of any page containing vulnerable mailtos, or alternatively which automatically munges any mailtos found in a page. Since such an add-on would drastically reduce the spam that the host receives via its own servers, I could forsee a rapid uptake by hosting companies once the idea has been proven.

    -Any Apache/IIS coders interested in taking the idea further?

  19. Tim #3
    Coat

    hmmm

    Curiously, the forum that I look after has had a huge drop-off in spammers joining it lately too. Am not complaining though.

    Maybe it's the lulz before the storm.

This topic is closed for new posts.

Other stories you might like