IETF Logo Mail Archive

Re: [Asrg] spam down?

Chris Lewis <clewis+ietf@mustelids.ca> Sat, 26 January 2013 16:03 UTC

Return-Path: <clewis+ietf@mustelids.ca>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 547EF21F8619 for <asrg@ietfa.amsl.com>; Sat, 26 Jan 2013 08:03:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.441
X-Spam-Level:
X-Spam-Status: No, score=0.441 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, FH_RELAY_NODNS=1.451, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rnu8yztN7L7I for <asrg@ietfa.amsl.com>; Sat, 26 Jan 2013 08:03:11 -0800 (PST)
Received: from mail.mustelids.ca (unknown [174.35.130.2]) by ietfa.amsl.com (Postfix) with ESMTP id AAA5421F8551 for <asrg@irtf.org>; Sat, 26 Jan 2013 08:03:10 -0800 (PST)
Received: from [192.168.0.8] (otter.mustelids.ca [192.168.0.8]) (authenticated bits=0) by mail.mustelids.ca (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r0QG32sj009145 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT) for <asrg@irtf.org>; Sat, 26 Jan 2013 11:03:03 -0500
Message-ID: <5103FE36.7010908@mustelids.ca>
Date: Sat, 26 Jan 2013 11:03:02 -0500
From: Chris Lewis <clewis+ietf@mustelids.ca>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: asrg@irtf.org
References: <5103DC4E.4090004@mtcc.com>
In-Reply-To: <5103DC4E.4090004@mtcc.com>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] spam down?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Jan 2013 16:03:14 -0000

On 13-01-26 08:38 AM, Michael Thomas wrote:
> There was a little side box in the current Economist that spam was
> down from 80+% to 67% and credited it to, among other things
> "sophisticated authentication" which I assume means DKIM and SPF.
> 
> First is there actual evidence that spam is on the wane? And if so,
> does it actually have to due in part with authentication? I'd be
> ecstatic to hear that the latter was true, but correlation is not
> causation.

In the wane ... how?  Is the real question.

Absolute volumes have indeed changed, as this graph (and many others) show:

http://cbl.abuseat.org/totalflow.html

but that doesn't tell the whole story.

The reality is that authentication (we're talking DKIM/SPF/DMARC) has
relatively little effect.  They're pretty easy to make irrelevant.

There are fewer bot families than there used to be.  Bot takedowns have
made major inroads.   Still, there are a couple left that can dwarf what
we've seen before _if_ it was attractive to fire them off.  Kelihos and
Festi are bigger than Rustock or Srizbi ever were.  The defenses we have
for bots are well-developed and widely-deployed.  The ROI has declined
markedly, so the bot armies are often left idle.

What we're seeing instead, is an evolution from the massive
scatter-gunning of a Rustock infecting a home computer, to that of
compromised servers, compromised user accounts etc.  These are harder to
deal with, harder to stop, harder to filter.

So, while there are fewer spams in the Internet, I strongly suspect that
more of them are getting through.

Spammers may not be spamming as much but they are spamming "better".

v2.23.0 | Report a Bug | By Email