Posted to users@spamassassin.apache.org by Ben Hanson <be...@transprintusa.com> on 2005/05/13 18:22:09 UTC

Spam Percentages

Shortly after the first of the year, I  noticed the percentage of spam 
messages for our organization dropped consistently by 10-15%.  We had 
been averaging 60 to 65% for the last year or so, ever since I began 
with SA, right up until then, when it dropped consistently to just over 
50%.  I didn't really question it, as I saw no effective change in user 
mail.  Just before 3.0.3 was released, I suddenly noticed an increase in 
these numbers, and now we are averaging 70 to 72% spam incoming on 
weekdays.  At the same time, I've seen more Nigerian type and medication 
type spams hitting my inbox.  Since SA tagging percentages are up, and I 
have made no configuration changes, I'm not seeing any failure or errors 
necessarily, but I'm very curious if others saw a similar pattern in 
these time frames at all, and if it's possible some network tests are 
returning fewer hits or something that would cause thresholds not to be 
hit, despite spam tagging, that would otherwise have caused my delete 
rules to kick in?  I have pretty much everything enabled with no errors, 
and all the usual services (Razor, DCC, Pyzor, etc) all seem happy and 
responsive. This is truly more a curiosity than a need for assistance, 
so nobody break anything thinking too hard on this one!

Ben


Re: Spam Percentages

Posted by Fred <sp...@freddyt.com>.
Hamie wrote:
> How do you count 'unknown users'? Accurately I mean...
>
> Assuming you don't accept email in the first place if the user is
> unknown (Or you might I guess, but it seems like un-necessary
> processing to me) most spammers that I can see in our logs just keep
> re-trying again & again & again...

We block unknown users at our MXes (sendmail using mailer-table?), then with
MIMEDefang and GraphDefang, I just added a directive (in GraphDefang) to
have it process the logs and produce a graph based on the text produced by
sendmail when we have an unknown user attempt.  It's elementary ;) hehehe
couldn't resist.

Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400


Re: Spam Percentages

Posted by Hamie <ha...@travellingkiwi.com>.

Martin Hepworth wrote:

>
> Hamie wrote:
>
>>
>> Martin Hepworth wrote:
>>
>>
>>>
>>>
>>> Fred wrote:
>>>
>>>
>>>> Ben Hanson wrote:
>>>>
>>>>
>>>>> Shortly after the first of the year, I noticed the
>>>>> percentage of spam messages for our organization dropped
>>>>> consistently by 10-15%. Ben
>>>>
>>>>
>>>>
>>>>
>>>> I see between 83-85% spam. We use SARE rules + my own
>>>> home-brew rules + the new BLACK uribl lists + unreleased SARE
>>>> rules. In the past 24 hours the numbers are: spam-reject
>>>> 55,967 mail-in 11,089 total-mail 67,056
>>>>
>>>> Viruses not included in this count, it would skew things due
>>>> to the recent increase in new viruses lately.
>>>>
>>>> http://www.rulesemporium.com might have some helpful rules
>>>> for you to add to your setup.
>>>>
>>>> On another topic, I see just as many user-unknowns as I
>>>> reject spam. That's cause we are an ISP and customers like to
>>>> switch stuff around often ;)
>>>>
>>>> Frederic Tarasevicius Internet Information Services, Inc.
>>>> http://www.i-is.com/ 810-794-4400
>>>>
>>>
>>> Fred
>>>
>>> 70% of my inbound traffic is for unknown users, 20%
>>> spam/malware and 10% real mail.
>>>
>>
>>
>> How do you count 'unknown users'? Accurately I mean...
>>
> I can examine the reject log in exim to get counts.
>
>> Assuming you don't accept email in the first place if the user is
>> unknown (Or you might I guess, but it seems like un-necessary
>> processing to me) most spammers that I can see in our logs just
>> keep re-trying again & again & again...
>>
>
> yes, but given 70% of my inbound traffic is a pretty constant
> figure I'm not seeing this.
>
> also rejecting 70% of my traffic on MTA connection the small amount
> of processing to lookup valid email address is way way less than
> having to SA scan all these emails.
>

Ah yeah... That's what I meant. I re-read my sentence. I may have been
ambiguous & made it look like I considered validating the addresses to
be un-necessary.

>> For example on our mail server I reject far more than I accept.
>> Yet the rejects are in most cases repeated. As spammers appear to
>> be a thick bunch & don't take a 5xx very well.
>>
>> Currently I have 'discussions' with various people round here over
>> the fact that we 'only' catch about 5-10% of our total accepted
>> email in SA as spam, yet MessageLabs et al always like to quote
>> the (To me) alarmist figures of 80% email is spam etc. But then
>> we reject email from un-verified addresses and don't accept email
>> for unknown users at the border MTA, not at SA. (And so don't
>> have an accurate count of them).
>>
>> H
>>
>
> lucky you, even taking out the unknown users I'm running 75% spam on
> my inbound.
>

The only thing I can think of (Since I can't see 70% of delivered mail
being spam) is that I have a user population that doesn't get spammed
very much. Probably because most of them only have an internet
presence for business emails & nothing else. Thus their mail addresses
don't get harvested.

Plus the sender validation of course. That seems to block a lot of
inbound spam.


H



Re: Spam Percentages

Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Hamie wrote:
> 
> Martin Hepworth wrote:
> 
> 
>>
>>
>>Fred wrote:
>>
>>
>>>Ben Hanson wrote:
>>>
>>>
>>>>Shortly after the first of the year, I noticed the percentage
>>>>of spam messages for our organization dropped consistently by
>>>>10-15%. Ben
>>>
>>>
>>>
>>>I see between 83-85% spam. We use SARE rules + my own home-brew
>>>rules + the new BLACK uribl lists + unreleased SARE rules. In the
>>>past 24 hours the numbers are: spam-reject 55,967 mail-in 11,089
>>>total-mail 67,056
>>>
>>>Viruses not included in this count, it would skew things due to
>>>the recent increase in new viruses lately.
>>>
>>>http://www.rulesemporium.com might have some helpful rules for
>>>you to add to your setup.
>>>
>>>On another topic, I see just as many user-unknowns as I reject
>>>spam. That's cause we are an ISP and customers like to switch
>>>stuff around often ;)
>>>
>>>Frederic Tarasevicius Internet Information Services, Inc.
>>>http://www.i-is.com/ 810-794-4400
>>>
>>
>>Fred
>>
>>70% of my inbound traffic is for unknown users, 20% spam/malware
>>and 10% real mail.
>>
> 
> 
> How do you count 'unknown users'? Accurately I mean...
> 
I can examine the reject log in exim to get counts.

> Assuming you don't accept email in the first place if the user is
> unknown (Or you might I guess, but it seems like un-necessary
> processing to me) most spammers that I can see in our logs just keep
> re-trying again & again & again...
> 

yes, but given 70% of my inbound traffic is a pretty constant figure I'm 
not seeing this.

also rejecting 70% of my traffic on MTA connection the small amount of 
processing to lookup valid email address is way way less than having to 
SA scan all these emails.

> For example on our mail server I reject far more than I accept. Yet
> the rejects are in most cases repeated. As spammers appear to be a
> thick bunch & don't take a 5xx very well.
> 
> Currently I have 'discussions' with various people round here over the
> fact that we 'only' catch about 5-10% of our total accepted email in
> SA as spam, yet MessageLabs et al always like to quote the (To me)
> alarmist figures of 80% email is spam etc. But then we reject email
> from un-verified addresses and don't accept email for unknown users at
> the border MTA, not at SA. (And so don't have an accurate count of them).
> 
> H
> 

lucky you, even taking out the unknown users I'm running 75% spam on my 
inbound.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300



**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************
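
Added example, not part of any poster's message: one way to count unknown-user rejects from an MTA log while separating raw attempts from distinct (client, recipient) pairs, since repeated retries inflate the raw share. The log layout and sample lines are constructed assumptions, not real exim or sendmail output; adapt the regex to the actual reject log.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified layout (an assumption, not real
# exim or sendmail output): "<timestamp> <client-ip> <rcpt> <code> <text>"
SAMPLE_LOG = """\
2005-05-13T10:00:01 192.0.2.10 bob@example.org 550 User unknown
2005-05-13T10:00:09 192.0.2.10 bob@example.org 550 User unknown
2005-05-13T10:00:31 192.0.2.10 bob@example.org 550 User unknown
2005-05-13T10:01:02 192.0.2.10 sales1@example.org 550 User unknown
2005-05-13T10:02:15 198.51.100.7 alice@example.org 250 Accepted
2005-05-13T10:03:40 203.0.113.5 info9@example.org 550 User unknown
2005-05-13T10:03:55 203.0.113.5 info9@example.org 550 User unknown
2005-05-13T10:04:20 198.51.100.23 carol@example.org 250 Accepted
2005-05-13T10:05:00 198.51.100.7 dave@example.org 250 Accepted
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<rcpt>\S+@\S+) (?P<code>\d{3}) (?P<text>.*)$"
)

def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is no traffic."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def summarize(log_text):
    """Count accepted recipients and unknown-user rejects, raw and deduplicated."""
    raw = Counter()
    distinct_unknown = set()  # (client ip, recipient) pairs seen at least once
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if m["code"] == "250":
            raw["accepted"] += 1
        elif m["code"].startswith("5") and "user unknown" in m["text"].lower():
            raw["unknown"] += 1
            distinct_unknown.add((m["ip"], m["rcpt"].lower()))
    dedup = len(distinct_unknown)
    return {
        "accepted": raw["accepted"],
        "unknown_raw": raw["unknown"],
        "unknown_distinct": dedup,
        # Share of inbound attempts that were unknown-user rejects.
        "unknown_pct_raw": pct(raw["unknown"], raw["accepted"] + raw["unknown"]),
        # Same share after collapsing retries of the same client/recipient pair.
        "unknown_pct_distinct": pct(dedup, raw["accepted"] + dedup),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```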


Re: Spam Percentages

Posted by Hamie <ha...@travellingkiwi.com>.

Martin Hepworth wrote:

>
>
>
> Fred wrote:
>
>> Ben Hanson wrote:
>>
>>> Shortly after the first of the year, I noticed the percentage
>>> of spam messages for our organization dropped consistently by
>>> 10-15%. Ben
>>
>>
>>
>> I see between 83-85% spam. We use SARE rules + my own home-brew
>> rules + the new BLACK uribl lists + unreleased SARE rules. In the
>> past 24 hours the numbers are: spam-reject 55,967 mail-in 11,089
>> total-mail 67,056
>>
>> Viruses not included in this count, it would skew things due to
>> the recent increase in new viruses lately.
>>
>> http://www.rulesemporium.com might have some helpful rules for
>> you to add to your setup.
>>
>> On another topic, I see just as many user-unknowns as I reject
>> spam. That's cause we are an ISP and customers like to switch
>> stuff around often ;)
>>
>> Frederic Tarasevicius Internet Information Services, Inc.
>> http://www.i-is.com/ 810-794-4400
>>
>
> Fred
>
> 70% of my inbound traffic is for unknown users, 20% spam/malware
> and 10% real mail.
>

How do you count 'unknown users'? Accurately I mean...

Assuming you don't accept email in the first place if the user is
unknown (Or you might I guess, but it seems like un-necessary
processing to me) most spammers that I can see in our logs just keep
re-trying again & again & again...

For example on our mail server I reject far more than I accept. Yet
the rejects are in most cases repeated. As spammers appear to be a
thick bunch & don't take a 5xx very well.

Currently I have 'discussions' with various people round here over the
fact that we 'only' catch about 5-10% of our total accepted email in
SA as spam, yet MessageLabs et al always like to quote the (To me)
alarmist figures of 80% email is spam etc. But then we reject email
from un-verified addresses and don't accept email for unknown users at
the border MTA, not at SA. (And so don't have an accurate count of them).

H



Re: Spam Percentages

Posted by Martin Hepworth <ma...@solid-state-logic.com>.


Fred wrote:
> Ben Hanson wrote:
> 
>>Shortly after the first of the year, I  noticed the percentage of spam
>>messages for our organization dropped consistently by 10-15%.
>>Ben
> 
> 
> I see between 83-85% spam.
> We use SARE rules + my own home-brew rules + the new BLACK uribl lists +
> unreleased SARE rules.
> In the past 24 hours the numbers are:
> spam-reject 55,967
> mail-in 11,089
> total-mail 67,056
> 
> Viruses not included in this count, it would skew things due to the recent
> increase in new viruses lately.
> 
> http://www.rulesemporium.com might have some helpful rules for you to add to
> your setup.
> 
> On another topic, I see just as many user-unknowns as I reject spam.  That's
> cause we are an ISP and customers like to switch stuff around often ;)
> 
> Frederic Tarasevicius
> Internet Information Services, Inc.
> http://www.i-is.com/
> 810-794-4400
> 

Fred

70% of my inbound traffic is for unknown users, 20% spam/malware and 10% 
real mail.

The figures are even worse if I remove the various email lists I'm 
on like this one :-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300



Re: Spam Percentages

Posted by Fred <sp...@freddyt.com>.
Ben Hanson wrote:
> Shortly after the first of the year, I  noticed the percentage of spam
> messages for our organization dropped consistently by 10-15%.
> Ben

I see between 83-85% spam.
We use SARE rules + my own home-brew rules + the new BLACK uribl lists +
unreleased SARE rules.
In the past 24 hours the numbers are:
spam-reject 55,967
mail-in 11,089
total-mail 67,056

Viruses not included in this count, it would skew things due to the recent
increase in new viruses lately.

http://www.rulesemporium.com might have some helpful rules for you to add to
your setup.

On another topic, I see just as many user-unknowns as I reject spam.  That's
cause we are an ISP and customers like to switch stuff around often ;)

Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400