Don't get me wrong, I'm mostly glad that this happened. However, I want to make sure that the reasons for it happening are sound - rather than there being a problem with our methods. I'd like to illustrate what's going on here with a graph:


(source: lightspeed.ca)

The bright green line here shows the rate at which our server has rejected messages from IP addresses listed in realtime blacklists over the course of the last 12 months. Last May, we were rejecting an average of about 175 messages every 5 minutes, or 35 per minute, using this filter alone. It's pretty clear that since October, it's tapered off to a fraction of that - we're now averaging about 8 rejected messages per minute on this filter:


(source: lightspeed.ca)

Since we see no corresponding rise in the number of messages being trapped by Spamassassin (the teal line largely drowned out at the bottom of the graph) or any other filters, I can come to one of two conclusions based on these statistics:

1) All of our filters have become ineffective.

or

2) Spammers aren't spamming as much as they used to.

Historically speaking, I find 1 to be much more likely than 2. However, from experience and customer complaints (rather, a lack thereof), 1 isn't true because we're not seeing much spam in our inboxes anymore. So what the heck is going on here? I can't fathom that spam has somehow become unprofitable. Have they moved on to softer targets? I'm seeing little to no spam on Facebook or Twitter or any HTTP forums. Have there been massive arrests, removing spammers from the wild, and discouraging new criminals from entering the ring?

Whatever the reason, it sounds to me like a hard-fought victory for someone out there. But I still want to make sure that it's either time to break out the champagne or start sharpening our swords.

Glorfindel
Ernie
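One way to get the numbers behind a graph like the one above straight from the mail logs, as an added example that is not part of the question or of any answer: it buckets Postfix smtpd rejections that cite an RBL and spamd "identified spam" lines into 5-minute windows, turns them into per-minute rates, and applies the two-conclusions test the question sets out (did the drop in RBL rejections get absorbed by SpamAssassin, or did it simply vanish). The log lines are constructed for the example in ordinary Postfix/spamd syslog format; the 50% drop and 25% rise thresholds in `filter_verdict` are assumptions, not values from the page.

```python
"""Bucket Postfix RBL rejects and SpamAssassin hits into fixed windows."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample syslog lines in Postfix/spamd format (not taken from the question).
SAMPLE_LOG = """\
Jun  9 17:00:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<a@example.org> to=<u@example.net> proto=ESMTP helo=<x>
Jun  9 17:00:40 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using zen.spamhaus.org; from=<b@example.org> to=<u@example.net> proto=ESMTP helo=<y>
Jun  9 17:03:12 mx spamd[2345]: spamd: identified spam (12.3/5.0) for u:1000 in 1.2 seconds, 3456 bytes.
Jun  9 17:04:59 mx spamd[2345]: spamd: clean message (1.1/5.0) for u:1000 in 0.8 seconds, 2048 bytes.
Jun  9 17:06:05 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 554 5.7.1 Service unavailable; Client host [192.0.2.12] blocked using bl.spamcop.net; from=<c@example.org> to=<u@example.net> proto=ESMTP helo=<z>
Jun  9 17:08:30 mx spamd[2345]: spamd: identified spam (8.0/5.0) for u:1000 in 1.0 seconds, 1000 bytes.
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
# Postfix smtpd reject that names the DNSBL it matched.
RBL_RE = re.compile(TS + r" \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: .*? blocked using (?P<list>[^;\s]+)")
# spamd line for a message that scored over the required threshold.
SA_RE = re.compile(TS + r" \S+ spamd\[\d+\]: spamd: identified spam \((?P<score>[\d.]+)/(?P<req>[\d.]+)\)")


def _bucket(ts: str, minutes: int) -> str:
    """Map a syslog timestamp to the start of its N-minute window, e.g. 'Jun 09 17:05'."""
    t = datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S")
    start = (t.hour * 60 + t.minute) // minutes * minutes
    return f"{t.strftime('%b %d')} {start // 60:02d}:{start % 60:02d}"


def bucket_counts(log_text: str, minutes: int = 5) -> dict:
    """Return {window_start: Counter} with keys 'rbl', 'sa' and 'rbl:<listname>'."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        m = RBL_RE.match(line)
        if m:
            c = buckets[_bucket(m["ts"], minutes)]
            c["rbl"] += 1
            c["rbl:" + m["list"]] += 1   # per-list breakdown shows which RBL went quiet
            continue
        m = SA_RE.match(line)
        if m:
            buckets[_bucket(m["ts"], minutes)]["sa"] += 1
    return dict(buckets)


def per_minute(buckets: dict, minutes: int = 5) -> dict:
    """Average RBL rejects and SpamAssassin hits per minute over the windows seen."""
    total = Counter()
    for c in buckets.values():
        total["rbl"] += c["rbl"]
        total["sa"] += c["sa"]
    span = len(buckets) * minutes
    if not span:
        return {"rbl": 0.0, "sa": 0.0}
    return {"rbl": total["rbl"] / span, "sa": total["sa"] / span}


def filter_verdict(then: dict, now: dict, drop: float = 0.5, rise: float = 1.25) -> str:
    """Classify a change between two periods of per-minute rates (thresholds assumed)."""
    if now["rbl"] < then["rbl"] * drop:
        if now["sa"] > then["sa"] * rise:
            return "rbl-drop-absorbed-by-spamassassin"   # filtering moved downstream, not lost
        return "rbl-drop-without-compensation"           # less spam, or filters failing: check inboxes
    return "no-significant-change"


if __name__ == "__main__":
    counts = bucket_counts(SAMPLE_LOG)
    for window in sorted(counts):
        print(window, dict(counts[window]))
    print(per_minute(counts))
    # The question's own figures: ~35/min a year ago, ~8/min now, SpamAssassin flat.
    print(filter_verdict({"rbl": 35.0, "sa": 2.0}, {"rbl": 8.0, "sa": 2.0}))
```

Feed it `grep -h 'postfix/smtpd\|spamd' /var/log/mail.log*` for two periods and compare the two `per_minute` results; the verdict only tells you which of the two conclusions is still open, and "rbl-drop-without-compensation" still has to be settled by looking at what reaches real inboxes.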

4 Answers


A few months ago, 'Rustock' (which I think was the largest spam-producing botnet) was taken down (http://blogs.technet.com/b/microsoft_on_the_issues/archive/2011/03/17/taking-down-botnets-microsoft-and-the-rustock-botnet.aspx).
While it didn't produce 100% of spam, I think it was quite a big contributor. Also, companies have generally been adding methods that slow down spam robots, even if you didn't do anything: say, if GMail changed something that made botnets take 1 second longer to deliver each message, it would slow spam delivered to your servers too.

Matthew Steeples
Smudge
  • Well, that explains the dip on my graph in March, where incoming spam was halved again, but what about the overall decline between October and December, and another abrupt dip in December? – Ernie Jun 09 '11 at 17:28
  • Not sure about that one, as I say it might be other people doing things that slow the bots down. If you look at the graphs in this article http://www.bbc.co.uk/news/technology-12126880?cmpid=prblog they show roughly a similar trend to your graphs – Smudge Jun 09 '11 at 17:58
  • 1
    The BBC article seems to suggest that many spammers have voluntarily stopped spamming. Considering that Rustock went nearly silent before it was nabbed by Microsoft, one might suspect that those running the Rustock botnet caught wind of the effort to stop them (and believed it to be a legitimate threat), and thus most of them ran before someone put them in prison. It may also have been sold to some unsuspecting patsy to be caught with that hot potato. – Ernie Jun 09 '11 at 18:45
5

Spam ebbs and flows like a great tide of sewage, lapping at the shores of our beloved email islands.

In all seriousness, this is a combination of two major factors. As samarudge pointed out, at least one big botnet recently got taken down. I've heard of a few others getting smacked down recently as well, and I believe MS may have made some impact with recent patches (though I could be remembering several patch sets ago too).

The other factor is that - yes - spammers are slipping past filters. I've noticed a slight rise in spam on a few of my accounts which is just beginning to taper off as SpamAssassin catches up with the new hotness in spam.

If your statistics look more or less like the SpamCop statistics, your filters are probably working fine. Enjoy the reprieve, and be aware that when the tide rolls in again your users will be at your door crying that they're forced to wade through raw sewage again.

voretaq7

From what I'm seeing the biggest difference between now and a few months ago is that the spam originating from Russian systems has plummeted markedly, which suggests someone has taken positive action. Beyond that, it appears to me that the level has simply returned to what has been the long term norm after a bit of a peak over the last year.

This image shows the stats for our system since about August 2009. Ignore the numbers, only the trend is important.

[image: spam statistics for the author's system since about August 2009]

The stats were pretty stable for about the 5 years prior to this, which is when I first started charting this stuff. I no longer have the old data though.

John Gardeniers

The real reason why the number of spam messages goes down is the http://www.uceprotect.net/ list. This list doesn't care who sends and why... They will blacklist the complete ISP by blacklisting its AS number (which means all of the ISP's mail servers will be blacklisted, no matter whether they sent spam).

The main goal is to force net admins to block port 25 and let only legit mail servers through the firewall. Then compromised computers can't be used as a mail servers.

Forcing users to use your mail server is the second part of the rope...

mangia
  • That's only one of many blacklists and a pretty minor one at that. Are you really suggesting it's the only one that has any real effect? – John Gardeniers Jun 10 '11 at 01:00
  • Yes. That list is one of the biggest movements in the spam fight. Imagine that a complete ISP is blacklisted just because 10 users are infected with spam bots... – mangia Jun 10 '11 at 07:26
  • And this is the complete idiocy of the idea. As a mail admin, I'd never consider blocking mail due to this RBL listing **because** of the collateral damage it creates. I'd not even give it any weight in the spam score calculations. – the-wabbit Jun 10 '11 at 07:43
  • -1. Syneticon-dj is right. Not only is this site a bit player, it's one most serious sysadmins would never even use for a server with any diversity of clients whatsoever. Just as importantly, its mission to "force net admins to block port 25" is not a practical solution. – Ernie Jun 10 '11 at 16:11
  • OK. Did your ISPs leave port 25 open for all users? All ISPs in BiH closed port 25 for dynamic IP pools (pools dedicated to regular users). – mangia Jun 17 '11 at 14:06
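As an added example (not code from this answer, from any commenter, or from UCEPROTECT): how a DNSBL query is formed from a client IP, and how a mail server's policy can treat a per-host list as a hard reject while giving an AS-wide list only a score, which is the collateral-damage distinction the comments above argue over. DNS answers are replaced by a constructed lookup table so the code runs offline; the zone names are the real DNSBL zones, but the listed addresses, the return codes in the table and the weights are assumptions for illustration.

```python
"""Form DNSBL query names and apply a graded per-list policy (added example)."""
import ipaddress
from typing import Optional, Tuple

# Constructed stand-in for DNS answers (no network used). Real DNSBLs answer a
# query for a listed host with an A record in 127.0.0.0/8; these rows are invented.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",        # a host listed by a per-host list
    "10.2.0.192.dnsbl-3.uceprotect.net": "127.0.0.2",  # same host, whole AS listed (level 3)
    "20.2.0.192.dnsbl-3.uceprotect.net": "127.0.0.2",  # innocent neighbour in the same AS
}

# Policy: per-host lists may reject outright; the AS-wide list only adds a score.
# The weight is an assumption, not a recommended value.
POLICY = {
    "zen.spamhaus.org": ("reject", 0.0),
    "dnsbl-3.uceprotect.net": ("score", 1.0),
}


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone (the RFC 5782 query form)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def lookup(ip: str, zone: str, resolver=FAKE_DNS.get) -> Optional[str]:
    """Return the A record a DNSBL answered with, or None when the host is not listed."""
    return resolver(dnsbl_name(ip, zone))


def decide(ip: str, score_threshold: float = 5.0, resolver=FAKE_DNS.get) -> Tuple[str, float]:
    """Apply POLICY to one client IP: ('reject'|'accept', accumulated score)."""
    score = 0.0
    for zone, (action, weight) in POLICY.items():
        if lookup(ip, zone, resolver) is None:
            continue
        if action == "reject":
            return ("reject", score)
        score += weight          # AS-wide listing contributes evidence, not a verdict
    return ("reject" if score >= score_threshold else "accept", score)


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(client, dnsbl_name(client, "zen.spamhaus.org"), decide(client))
```

With the table above, 192.0.2.10 is rejected on the per-host listing alone, while its neighbour 192.0.2.20, listed only because it shares an AS, gets a score of 1.0 and is still accepted; lowering `score_threshold` to 1.0 is exactly the configuration the comments warn would reject every sender in that ISP.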