
I realize this is a bit off-topic, but don't know where else to go to ask...

I've gotten an enormous amount of spam in the past 24 hours (hundreds), even after some relatively good spam filters. Virtually all of this stuff is hokey weight loss schemes, claimed to be forwarded from Beyonce, Pamela Anderson, et al. The email texts are quite varied, and the included links are to a number of different locations.

Is this something unique to my email address, or is there a general spam "storm" in the works? (Seems a little like the sort of childish stuff that spammers might do to "get even" for some of the recent policing actions.)

I don't pretend to understand this stuff, but here is some of the header info from a typical spam from today's flood:

Received: from adminteam ([203.123.157.82]) by na3sys009amx187.postini.com ([74.125.148.10]) with SMTP;
    Mon, 01 Apr 2013 10:47:16 CDT
Received: (qmail 3351 by uid 143); Mon, 1 Apr 2013 15:48:00 -0530
From: "No risk Katy Perry Free trials" <penelopetheir@cafb29b24.org>
To: <xxxxxxx@ieee.org>
Subject: Fwd: ..
Date: Mon, 1 Apr 2013 15:19:48 -0530
Message-ID: <005301ce2f1e$7ff59b90$7fe0d2b0$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0052_01CE2F1E.7FF59B90"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acjhs69UR3NtbvBhPNkurEv2AtSBlw==
Content-Language: en-us
X-pstn-levels:     (S: 0.00000/66.47495 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-dkim: 0 skipped:not-enabled
X-pstn-status: off
X-Bayes-Prob: 0.0001 (Score 0, tokens from: @@RPTN)
X-Spam-Score: 2.00 (**) [Tag at 3.80] HK_NAME_FREE,HTML_MESSAGE,SPF(none:0),RBL(rp-grey:1.0)
X-CanIt-Geo: ip=203.123.157.82; country=IN; region=25; city=Chennai; latitude=13.0833; longitude=80.2833; http://maps.google.com/maps?q=13.0833,80.2833&z=6
X-CanItPRO-Stream: 06202139 (inherits from 32_HI_TAG-LO_BLOCK,default)
X-Canit-Stats-ID: Bayes signature not available
X-Scanned-By: IEEE Spam Scanner (https://uce.ieee.org/) on 140.98.193.228

While here is some typical "legitimate" spam (that gets flagged by my mail forwarder):

From: "The New Yorker" <mailer@mail.realviewtechnologies.com>
To: <xxxxxxx@ieee.org>
Subject: ***[Possible UCE]*** =?utf-8?B?QXByaWwgOCwgMjAxMzogSGVucnkgQmxvZGdldDsgdGhlIHJpc2Ugb2YgVmljZSBNZWRpYTsgY29va2luZyBzaG93czsgYW5kIG1vcmUu?=
Date: Mon, 01 Apr 2013 22:31:44 +1000
MIME-Version: 1.0
X-Mailer: MailEnable
X-Priority: 3
Message-ID: <40efcf1c-741e-4e4e-b0ce-90fd5b422bc3.MAI@mail.realviewtechnologies.com>
Content-Type: multipart/alternative;
           boundary="--=_NextPart_01042013103144_006229358"
X-RVID: 101536031
X-pstn-neptune: 28/1/0.04/98
X-pstn-levels:     (S:30.17530/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-dkim: 0 skipped:not-enabled
X-pstn-status: off
X-Bayes-Prob: 0.9919 (Score 2.5, tokens from: @@RPTN)
X-Spam-Flag: YES
X-Spam-Score: 4.00 (****) [Tag at 3.80] HTML_MESSAGE,SPF(softfail:0),RBL(rp-mixed:1.5),Bayes(0.9919:2.5)
X-CanIt-Geo: ip=210.87.32.100; country=AU; region=07; city=Melbourne; latitude=-37.8139; longitude=144.9634; http://maps.google.com/maps?q=-37.8139,144.9634&z=6
X-CanItPRO-Stream: 06202139 (inherits from 32_HI_TAG-LO_BLOCK,default)
X-Canit-Stats-ID: Bayes signature not available
X-Scanned-By: IEEE Spam Scanner (https://uce.ieee.org/) on 140.98.193.228

It's curious that the spam score of this second is twice that of the first, and the Bayes probability (whatever that is) is near certainty, while for the first case it's essentially nil. Seems like somehow the first case was successfully eluding the spam filter.

(For what it's worth, the flood seems to have stopped.)

Hot Licks

1 Answer


Every single day is a spam storm day.

To give you an idea, take a look at these statistics (on 04/02/2013) from Project Honey Pot, which is just one out of many such networks for identifying spammers and spambots:

Project Honey Pot - Current Statistics 04/02/2013

Or check live statistics for the past 10 minutes from the UCEPROTECT network. These are some scary statistics, and it does not matter what day of the year you check them, they will never fail to impress. That said, if it's still not clear by now - this is the onslaught that your spam filters (or anti-spam networks, if you're using any to do the filtering for you) have to deal with on a daily basis.

To answer your question directly:

No, today is not a special or a particularly remarkable day in terms of the number of spam messages or spamming hosts trapped. I've also checked the log files on my own email server, and a few other providers I have access to just to be sure, and I didn't notice any unusual patterns. Results? A few hundred new email harvesters (robotic webpage crawlers trying to collect email addresses), another few hundred spam emails trapped for each user, a few new scam schemes promising millions for a small funds transfer fee (or similar yada yada), dozens of new stealth bots (crawlers that don't identify themselves and disrespect robots.txt configurations) trapped per website I manage, a few new network neighborhoods marked as untrusted for hosting or relaying a lot of unsolicited traffic, and so on, and so on. Nothing unusual really, when compared to any other day of the year.

So why are you receiving more spam than usual?

This part of your question is not so easy to answer as you're not providing enough information. But even if you did, we would probably have to resort to educated guessing at best. Have you published your email address on some publicly available webpage that was picked up by a random email harvester working hard for some spam network? Did any of the recipients of your previous messages get a virus on their computers, and was your address collected from their mailing lists? Did you anger a script kiddie who submitted your email address to various spamming hosts? Are you using a generic email address composed of common names that is hosted by a busy provider, some spam bot got lucky, and you later enabled image display in received spam messages, which confirmed to that bot that your email address exists and is not filtering its messages as spam? All this and a lot more reasons are all quite possible and also happen each and every day. Again, nothing unusual.

Chances are, you're not even receiving any greater number of unsolicited emails, but have noticed them now more as they found their way into your inbox due to your spam filters not being properly configured, one of your anti-spam networks that your filters depend on being temporarily down or inaccessible, or even your email server being infected with malware that opened it up to this kind of abuse.

EDIT: The headers you're including support one of my speculations that your spam filters might not be properly configured for your specific needs (looks like default settings to me, but it is hard to judge by these headers alone). Your mailing system is depending on Google's Postini services to filter unsolicited emails out, which failed to mark Bayesian poisoning type messages with its other filtering methods. In short, the messages were written in such a way as to avoid detection by spam filters depending on Bayesian probability, and the other detection methods' sensitivity is set too low. See this answer to one of your previous questions on how Bayesian poisoning works.

Bayesian probability score isn't the only way such messages are filtered out, which is clearly indicated by X-Spam-Score: 2.00 header field value of your first example (a spam message that was not filtered out). To demonstrate this, let's analyze the other values in this message header:

The results of all these methods in your case resulted in a spam score of 2 for the first message, and 4 for the second one. This is significant as it is the value that your system administrator can use to set up Postini services to mark messages as spam earlier than at a detected score of 3.8 ([Tag at 3.80] indicates the current value) by adjusting the sensitivity levels of various spam detection methods. Your anti-spam filtering is also done by using two additional services, one by the IEEE UCE/Spam Filtering Service, and the other by CanIt-PRO AntiSpam Software, probably residing on your organisation's mail server and set up by your system administrator. All of these have separate settings and might require a lot of work to set them up to suit your needs better. Consultation with your systems administrator is probably the most proper way forward.

Best of luck ;)

TildalWave
  • Thanks for that last bit. It's interesting how the new spam has successfully avoided the filters like that (when previously the IEEE spam filters worked quite well, compared to my wife's service). But, interestingly, after I marked a bunch of these things "Spam" in Thunderbird it started filtering them pretty aggressively. – Hot Licks Apr 03 '13 at 11:09
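Added example (not part of the question or the answer above): a small Python parser that reads the anti-spam headers quoted in the question and reproduces the verdict the answer describes, i.e. the per-rule contributions listed in X-Spam-Score, the Bayes probability, the [Tag at …] threshold, and what a lower threshold would have done to the untagged message. The two sample inputs are constructed from the header fields shown on this page, trimmed to the fields the parser looks at. Assumptions: the filter tags a message when score >= threshold (matches both samples, but the exact comparison at equality is not stated on the page), and the outermost Received header's first bracketed IPv4 address is taken as the connecting host, falling back to the ip= field of X-CanIt-Geo when no Received header is present.

```python
import re
from email import message_from_string

# Constructed sample inputs: header fields copied from the two messages quoted in
# the question (first the spam that slipped through, then the tagged newsletter),
# trimmed to what this example inspects. Bodies are placeholders.
UNTAGGED_SPAM = """\
Received: from adminteam ([203.123.157.82]) by na3sys009amx187.postini.com ([74.125.148.10]) with SMTP;
    Mon, 01 Apr 2013 10:47:16 CDT
Received: (qmail 3351 by uid 143); Mon, 1 Apr 2013 15:48:00 -0530
From: "No risk Katy Perry Free trials" <penelopetheir@cafb29b24.org>
Subject: Fwd: ..
X-Bayes-Prob: 0.0001 (Score 0, tokens from: @@RPTN)
X-Spam-Score: 2.00 (**) [Tag at 3.80] HK_NAME_FREE,HTML_MESSAGE,SPF(none:0),RBL(rp-grey:1.0)
X-CanIt-Geo: ip=203.123.157.82; country=IN; region=25; city=Chennai

(body omitted)
"""

TAGGED_NEWSLETTER = """\
From: "The New Yorker" <mailer@mail.realviewtechnologies.com>
X-Bayes-Prob: 0.9919 (Score 2.5, tokens from: @@RPTN)
X-Spam-Flag: YES
X-Spam-Score: 4.00 (****) [Tag at 3.80] HTML_MESSAGE,SPF(softfail:0),RBL(rp-mixed:1.5),Bayes(0.9919:2.5)
X-CanIt-Geo: ip=210.87.32.100; country=AU; region=07; city=Melbourne

(body omitted)
"""

# "2.00 (**) [Tag at 3.80] RULE,RULE(detail:weight),..."
SCORE_RE = re.compile(
    r"^(?P<score>\d+(?:\.\d+)?)\s*\(\**\)\s*\[Tag at (?P<tag>\d+(?:\.\d+)?)\]\s*(?P<rules>.*)$")
# A rule is either a bare name or NAME(detail:weight); bare names carry no visible weight.
RULE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_]+)(?:\((?P<detail>[^:()]*):(?P<weight>-?\d+(?:\.\d+)?)\))?$")
BAYES_RE = re.compile(r"^(?P<prob>\d+(?:\.\d+)?)\s*\(Score (?P<score>\d+(?:\.\d+)?)")
BRACKET_IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
GEO_IP_RE = re.compile(r"\bip=(\d{1,3}(?:\.\d{1,3}){3})")


def _flat(value):
    """Unfold a header value: continuation lines become single spaces."""
    return " ".join((value or "").split())


def parse_spam_verdict(raw_message):
    """Extract the filter's verdict and its ingredients from one raw RFC 822 message."""
    msg = message_from_string(raw_message)

    m = SCORE_RE.match(_flat(msg.get("X-Spam-Score")))
    if m is None:
        raise ValueError("no parseable X-Spam-Score header")
    rules = []
    for token in filter(None, (t.strip() for t in m.group("rules").split(","))):
        r = RULE_RE.match(token)
        if r is None:
            raise ValueError(f"unrecognised rule token: {token!r}")
        weight = r.group("weight")
        rules.append({"name": r.group("name"), "detail": r.group("detail"),
                      "weight": float(weight) if weight is not None else None})

    bm = BAYES_RE.match(_flat(msg.get("X-Bayes-Prob")))
    bayes_prob = float(bm.group("prob")) if bm else None

    # Outermost Received header (first in the list) names the host that connected
    # to the filtering relay; fall back to the geolocation header if it is absent.
    origin_ip = None
    received = msg.get_all("Received") or []
    if received:
        hit = BRACKET_IPV4_RE.search(_flat(received[0]))
        origin_ip = hit.group(1) if hit else None
    if origin_ip is None:
        hit = GEO_IP_RE.search(_flat(msg.get("X-CanIt-Geo")))
        origin_ip = hit.group(1) if hit else None

    score, tag = float(m.group("score")), float(m.group("tag"))
    return {
        "score": score,
        "tag_threshold": tag,
        "tagged": score >= tag,  # assumption: tagging uses >= (consistent with both samples)
        "flagged_by_filter": _flat(msg.get("X-Spam-Flag")).upper() == "YES",
        "rules": rules,
        "bayes_prob": bayes_prob,
        "origin_ip": origin_ip,
    }


def would_be_tagged(verdict, threshold):
    """What the same message would get under a different [Tag at ...] setting."""
    return verdict["score"] >= threshold


if __name__ == "__main__":
    for label, raw in (("spam that slipped through", UNTAGGED_SPAM),
                       ("tagged newsletter", TAGGED_NEWSLETTER)):
        v = parse_spam_verdict(raw)
        print(f"{label}: score {v['score']} vs tag {v['tag_threshold']} -> tagged={v['tagged']}, "
              f"bayes={v['bayes_prob']}, origin={v['origin_ip']}")
        for r in v["rules"]:
            print(f"   {r['name']:<14} {r['detail'] or '':<10} {r['weight']}")
        print(f"   would be tagged at 2.0: {would_be_tagged(v, 2.0)}")
```

Running it shows the point made in the answer: the first message scores 2.00 from SPF/RBL/heuristic rules alone while its Bayes probability is near zero, so it stays under the 3.80 tag threshold, whereas the newsletter is pushed over it by Bayes(0.9919:2.5). Lowering the threshold to 2.0 would have tagged the first message, which is the knob the answer suggests discussing with the administrator (at the cost of more false positives, which this parser lets you measure over a mailbox before changing anything).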