rconner Posted December 10, 2009 Share Posted December 10, 2009 Over the last few days, my spam has moved up sharply from about 10-15 per day up to 90 (for today). Mostly drugz and watchz (gearing up for the Christmas rush). Now that NYSE seems to be in a less bearish phase, there's even a stock scammer sending his mail from his web server at cogentco (ought to be an easy catch, but they haven't done it yet). I'm also seeing a return of a lot of old-school obfuscation techniques such as encrypted message bodies. So far, SpamCop has caught 100% of it for me to LART with extreme prejudice. I've turned off my ISP's accept-and-discard filtering, so I don't think the rise is attributable to false negatives. -- rick Link to comment Share on other sites More sharing options...
Farelf Posted December 10, 2009 Share Posted December 10, 2009 Over the last few days, my spam has moved up sharply from about 10-15 per day up to 90 (for today). Mostly drugz and watchz (gearing up for the Christmas rush). Now that NYSE seems to be in a less bearish phase, there's even a stock scammer sending his mail from his web server at cogentco (ought to be an easy catch, but they haven't done it yet). I'm also seeing a return of a lot of old-school obfuscation techniques such as encrypted message bodies....Wow, that is some change. But good to hear SC mail is handling it without missing a beat. If some appreciable proportion of the users are seeing the same that is no mean feat. If spammers are sticking with their same old patterns, that has to help our cause. Noting my own spam has (relatively) gone berserk too - 3 in the last 24 hours and two of them are list/directory sales, pretty much indistinguishable from the spam I used to get "way back when". IronPort's 24% increase (above) was followed immediately by a 21% decrease. Those are huge numbers - extrapolated to include the 14% or so non-spam that works out to around 50 billion messages a day fluctuation. I suppose the infrastructure could handle that, especially since it is coming off a short-term high some 100 billion higher again. That is a really wild ride - as said/inferred previously, it is not necessary to postulate any sort of organizing 'principle' behind it, the proportional change history in pretty much indistinguishable from random. But the amplitude is staggering and certainly, in 'signal:noise' terms, the whole mail system is lousy which is why the majority need 'filters' to function at all. If my internet connection was that bad I wouldn't have any spam at all - I wouldn't have a connection at all. Hmmm, connection, S/N just 10dB but with low attenuation it is consistently workable. Global mail 'S/N' -16dB, practically unusable in the raw state, period. Link to comment Share on other sites More sharing options...
ufo-joe Posted December 15, 2009 Share Posted December 15, 2009 Some pretty interesting statistics and background to spam operations are available at: http://www.projecthoneypot.org/1_billionth...ssage_stats.php If you aren't already working with Project Honeypot, I would suggest that you do - it's yet another weapon in our arsenal, and has resulted in successful prosecutions of spammers. Joe Link to comment Share on other sites More sharing options...
ufo-joe Posted December 15, 2009 Share Posted December 15, 2009 The following link is to a record of what activity was detected on my web site, including address harvesting and spamming: http://www.projecthoneypot.org/list_of_ips....32500&by=9 Joe Link to comment Share on other sites More sharing options...
Farelf Posted December 16, 2009 Share Posted December 16, 2009 Some pretty interesting statistics and background to spam operations are available at: http://www.projecthoneypot.org/1_billionth...ssage_stats.php Thanks for that Joe, interesting reading indeed. I note that, for whatever reason, PHP and IronPort are pretty much on the same page regarding total spam volume. Those are staggering numbers. Hmmm ... I will take that link over to the newsgroups where there has been some discussion. The following link is to a record of what activity was detected on my web site, including address harvesting and spamming: ...Requires login. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 16, 2009 Share Posted December 16, 2009 I like this quote from the honeypots page (http://www.projecthoneypot.org/1_billionth_spam_message_stats.php): To give you a sense, we've seen the word "Viagra" spelled at least 956 different ways in order to try and trick spam filters (e.g., VIAGRA, V1AGRA, V1[at]GR[at] V!AGRA, VIA6RA, etc.). Link to comment Share on other sites More sharing options...
ufo-joe Posted December 17, 2009 Share Posted December 17, 2009 Requires login. Sorry about that, I thought it was a publicly available URL. Unfortunately, due to the form layout, I can't scrape it and paste it here. Joe Link to comment Share on other sites More sharing options...
Farelf Posted December 17, 2009 Share Posted December 17, 2009 Sorry about that, I thought it was a publicly available URL. Unfortunately, due to the form layout, I can't scrape it and paste it here.Not to worry. They have a small bug on that log-in page. It saysAttention The IP Listings / stats page you're trying to access requires a login. If you have a honey pot account, you can login and will be taken to that page. Otherwise, click here to see the global harvester stats collected by Project Honey Pot. ... but clicking the link goes to http://www.projecthoneypot.org/ip_listings.php and the message"No input file specified." Clicking the back button returns to the log-in, but this time without the "Attention" message. Nevermind, close enough Link to comment Share on other sites More sharing options...
Farelf Posted January 5, 2010 Share Posted January 5, 2010 ...It could (still) all be part of some majestic cycle, destined to reverse itself in good time. Periodicity in spam numbers has been seen before - but these reductions, apparently with no associated major incident, do seem a bit promising. As always, ICBW.Sure enough, the trend for the IronPort numbers in the longer-term revert to non-significance and the beginnings of the familiar 'wave' pattern we see so often in spam stats is (maybe) peeking out at us: http://img137.imageshack.us/img137/8845/ir...oct4jan2010.jpg Suka dan duka - sadness because the billions of spam are unabated, gladness because ... well, the greater part of them are never read nor even seen by human eye - and I have some more dandelion wine handy. Link to comment Share on other sites More sharing options...
ufo-joe Posted January 19, 2010 Share Posted January 19, 2010 Over the last couple of weeks, it crept up to 24/day-ish, but I was still happy as my previous rate before the apparent drop-off was about 30/day. Today I got 35.... ...and today, 60 but no corresponding increase on the spamcop stats. Maybe I am just unlucky.... Joe Link to comment Share on other sites More sharing options...
Farelf Posted January 19, 2010 Share Posted January 19, 2010 ...and today, 60 but no corresponding increase on the spamcop stats. Maybe I am just unlucky....As mentioned in http://forum.spamcop.net/forums/index.php?...ost&p=73805 - which included the presentation of http://img24.imageshack.us/img24/9859/ironportjan2010.jpg - the daily 'global' spam count appears to flop around with enormous fluctuations but with no effective net increase or decrease in the short-but-slightly-longer term. The spam count as seen by IronPort within that current period averaging well over 200 billion daily but the daily numbers varying as much as 61% from one day to the next within the 2½ months - but with those daily movements fairly-much cancelling each other out over time. If that is what is actually happening (or something even approaching it) then that volatility applying to those volumes can contain very large but quite random fluctuations in individual 'experience' - and certainly even very large movements and apparent trends either in accordance with or contrary to the 'global trend' - because there is no actual global trend at that timescale. Which is to say, in response to your supposition of 'luck', yes, I think so (in a very long-winded way ) Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.