Re: [Asrg] spam down?

Dotzero <dotzero@gmail.com> Wed, 30 January 2013 14:27 UTC

In-Reply-To: <5103FE36.7010908@mustelids.ca>
References: <5103DC4E.4090004@mtcc.com> <5103FE36.7010908@mustelids.ca>
Date: Wed, 30 Jan 2013 09:27:09 -0500
Message-ID: <CAJ4XoYdNpbeONbgR5unjNrMHtSv-302Kq7ycWZ559yoE4E1ZOw@mail.gmail.com>
From: Dotzero <dotzero@gmail.com>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [Asrg] spam down?

I'm late to the party but as opinionated as ever....

On Sat, Jan 26, 2013 at 11:03 AM, Chris Lewis <clewis+ietf@mustelids.ca> wrote:
> On 13-01-26 08:38 AM, Michael Thomas wrote:
>> There was a little side box in the current Economist that spam was
>> down from 80+% to 67% and credited it to, among other things
>> "sophisticated authentication" which I assume means DKIM and SPF.
>>
>> First is there actual evidence that spam is on the wane? And if so,
>> does it actually have to do in part with authentication? I'd be
>> ecstatic to hear that the latter was true, but correlation is not
>> causation.
>
> In the wane ... how?  Is the real question.
>
> Absolute volumes have indeed changed, as this graph (and many others) show:
>
> http://cbl.abuseat.org/totalflow.html
>
> but that doesn't tell the whole story.
>

Agreed

> The reality is that authentication (we're talking DKIM/SPF/DMARC) has
> relatively little effect.  They're pretty easy to make irrelevant.
>

I think it depends on what you mean by "relatively little effect".
From my perspective - given the current state of adoption - it may not
have an effect on the overall ecosystem but it is certainly pushing
the bad guys from abusing (sending) domains that are implementing
strong email auth efforts to ones that are not. My comment is a
generalization but I see it with the domains I work with and I think
those who watch abuse against financials see similar behavior. The bad
guys still test but at the end of the day it is about ROI for them as
much as it is for a legitimate business.

It would be interesting to see (I don't have the data) if there is any
kind of shift from sending spam targeting accounts at mailbox
providers that validate to targeting (preferentially) accounts at
mailbox providers that don't.

> There are fewer bot families than there used to be.  Bot takedowns have
> made major inroads.   Still, there are a couple left that can dwarf what
> we've seen before _if_ it was attractive to fire them off.  Kelihos and
> Festi are bigger than Rustock or Srizbi ever were.  The defenses we have
> for bots are well-developed and widely-deployed.  The ROI has declined
> markedly, so the bot armies are often left idle.
>

True. It may also be true that the bot armies are being put to other uses.

> What we're seeing instead, is an evolution from the massive
> scatter-gunning of a Rustock infecting a home computer, to that of
> compromised servers, compromised user accounts etc.  These are harder to
> deal with, harder to stop, harder to filter.
>

"We" should certainly be blocking on malicious URLs even if they are
at otherwise legitimate sites. And if legitimate sites show a pattern
of not addressing their problems then they should be blocked as well.
This is no different than the open relay problem. I've had my share of
issues over the years but I think most folks would say that I pay
attention and deal with problems expeditiously.

> So, while there are fewer spams in the Internet, I strongly suspect that
> more of them are getting through.
>

I think it varies by mailbox provider.

> Spammers may not be spamming as much but they are spamming "better".
>

Darwin was right.