
An Actual Reduction in Spam


daryn


I think that over the last week or so, there has been an actual reduction in spam.

My Spamcop account was holding 30 - 50 emails a day, and I'm down to 10-15... and they are ALL the same thing (If anyone needs a good deal on a mortgage, apparently I'm on someone's pre-approved list)

I would never have predicted it... but I really think spam has dropped off over the last week...

Link to comment

> I think that over the last week or so, there has been an actual reduction in spam.
>
> My Spamcop account was holding 30 - 50 emails a day, and I'm down to 10-15... and they are ALL the same thing (If anyone needs a good deal on a mortgage, apparently I'm on someone's pre-approved list)
>
> I would never have predicted it... but I really think spam has dropped off over the last week...

Hate to be the bearer of bad news, but come back in a month and let us know if you still feel that way. spam (not spam® ) has a tendency to ebb and flow.

Good luck, I hope you are right.

Link to comment

> Hate to be the bearer of bad news, but come back in a month and let us know if you still feel that way. spam (not spam® ) has a tendency to ebb and flow.
>
> Good luck, I hope you are right.

Too true. But SpamAssassin seems to be getting better (except for the recent outage on filter7/8)

My latest data

Month to date 2937 so projected 3790 or so

For December '06

3611 spams, 48 leakers (=1.3 %), 1 false positive

And for November '06

2735 spams, 56 leakers (=2.0 %), 2 false positives

And historical (August '06)

2519 spams, 66 leakers (=2.6 %), 2 false positives

OTOH some spam is down. I haven't had any spam on the email address that was hacked from this forum since the 14th of December.

Link to comment

Only two for me all day yesterday and today (to the forum hacked address, I might add). While this is delightfully few, I note that both scored dead ZERO on SpamAssassin. This is a first I believe for the spam that's been coming my way since the hack. These are text spams, where I was getting almost exclusively GIF spam (which always scored higher than zero).

I can only hope it's a case of something that will soon be addressed by a SA rule update. SA's been way more useful than the BLs for me lately.

http://www.spamcop.net/sc?id=z1203132348z9...550f5a2d283547z

http://www.spamcop.net/sc?id=z1202288926zd...65e6a176e1d7cbz

I also note these are the first I'm getting where they are breaking up their pharmacy's URLs. Which was enough motivation for me to add the abuse addresses manually to the reports (albeit to little effect, say many).

Link to comment

> I note that both scored dead ZERO on SpamAssassin. This is a first I believe for the spam that's been coming my way since the hack. These are text spams, where I was getting almost exclusively GIF spam (which always scored higher than zero).

I've had a lot of 0.0 scores on spams that made it into my inbox over the last week. Some of the text seemed pretty obvious...to me, at least, but not to JT's installation of SA.

> I can only hope it's a case of something that will soon be addressed by a SA rule update. SA's been way more useful than the BLs for me lately.

I think that incoming messages are first "seen" by the SA process, and then passed on to BL checking only if the SA score isn't above your personal threshold. So maybe it's not really fair to compare the two processes, in that it's done in a serial, rather than a parallel fashion. If the BL checking came first, it's possible that we'd see a lot more stuff caught by BL hits in our Held Mail boxes, but I could be mis-remembering the order.

Speaking of rules...much of my mail passes through a Barracuda Spam Firewall before it gets to the SpamCop servers, so I get to see two sets of scoring. For the recent "X-spam-Status: hits=0.0" spams, the Barracuda has had some "custom rules" being applied that boosted the scores. Here's a Tracking URL on one (I've edited the headers a bit, but I cancelled the report):

http://www.spamcop.net/sc?id=z1204439450z1...500beafd4bcc67z

The Barracuda applied "Custom Rule SA064" to the body of the message, thus boosting it past my "quarantine" threshold on that box, but I have it pass all those on to my SpamCop address for further analysis and eventual delivery. This one was allowed through to my inbox, along with a bunch of others, because it doesn't seem that SpamCop's installation of SA is using "custom rules" on the body of spams. The only person who could clarify that would be JT, but he doesn't seem to have logged in here since November.

DT

Link to comment

> I think that incoming messages are first "seen" by the SA process, and then passed on to BL checking only if the SA score isn't above your personal threshold.

I agree.

> So maybe it's not really fair to compare the two processes, in that it's done in a serial, rather than a parallel fashion.

I wasn't, not on that basis. For a while, I was using "tag only" mode, which if I'm not confused, applies both SA and the BL check (in parallel). I was disappointed with the frequency of BL hits, SA was more effective on what was coming my way.

Thanks for the info.

Link to comment

> I wasn't, not on that basis. For a while, I was using "tag only" mode, which if I'm not confused, applies both SA and the BL check (in parallel). I was disappointed with the frequency of BL hits, SA was more effective on what was coming my way.

My understanding is that the process is no different for the "Tag only" mode except for where the resulting spam goes. If the SA threshold is met, it goes right to your inbox with the appropriate header, same as if it were redirected to the Held Mail folder, skipping the DNSBL checking.

Link to comment

Update on the "custom rules" that were causing a significant differential in SA scoring between SpamCop and another host....now they're no longer these text-based "Viazzgra" spams, so I'm seeing a lot of them slide by two levels of filtering.

DT

Link to comment

> My understanding is that the process is no different for the "Tag only" mode except for where the resulting spam goes. If the SA threshold is met, it goes right to your inbox with the appropriate header, same as if it were redirected to the Held Mail folder, skipping the DNSBL checking.

This has not been my experience. I just switched back to "tag only", not got any spam yet. But I got a legit email that scored over my SA threshold setting, and has a populated "Spamcop-Checked" header. Normally (tag-only=off) the Spamcop-Checked header is empty if the SA threshold was met.

I suspect that in "tag only", the SA threshold setting is disregarded. Evidence: there is no "X-Spamcop-Disposition: Blocked SpamAssassin=x" header present even though the score was over threshold.

Whereas you will see a "X-Spamcop-Disposition: Blocked [blocklist]" header if it had a blocklist hit in "tag only".

As I recall with "tag only", I was seeing spam that sometimes had both SA score over threshold and "disposition blocked [blocklist]" headers.

Uh, suppose I should have just waited for actual spam before starting this reply... oh well.

I'll let you know if I was wrong. And I often am.

Anyway, I assume the rationale might be that doing both checks gives you more flexibility if you are doing client-side filtering based on the tags. Or, maybe it's just an accident.

Link to comment

Ok, I figured out what I did. I was almost not wrong. When I'd switched to "tag only", I had also unchecked the "SpamAssassin" box, because I wanted to see how the blocklists were doing. Anyway, the resulting mail gets both an SA score and the blocklist check, like so

http://www.spamcop.net/sc?id=z1207530126ze...52404517f59955z

Not that it particularly matters. Yeah, I know it doesn't make much sense.

Link to comment
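The SA-versus-blocklist comparison debated in the posts above, as an added example that is not part of the original thread: it tallies hits only on messages where the blocklist check actually ran, since mail held by SA with an empty "checked" header never reached that stage. The exact header spellings and value syntax, the 5.0 threshold and the sample messages are assumptions built from the posters' descriptions.

```python
import re
from collections import Counter
from email import message_from_string

# Header names follow the posts; exact spelling and value syntax are assumptions.
STATUS, DISPOSITION, CHECKED = "X-Spam-Status", "X-SpamCop-Disposition", "X-SpamCop-Checked"

def classify(raw, sa_threshold=5.0):
    """Report which filter flagged a message and whether the blocklist check ran."""
    msg = message_from_string(raw)
    m = re.search(r"hits=(-?\d+(?:\.\d+)?)", msg.get(STATUS, ""))
    score = float(m.group(1)) if m else None
    lists = []
    for value in msg.get_all(DISPOSITION, []):
        hit = re.match(r"\s*Blocked\s+(\S+)", value)
        # "Blocked SpamAssassin=x" records the SA verdict, not a blocklist hit.
        if hit and not hit.group(1).startswith("SpamAssassin="):
            lists.append(hit.group(1))
    return {
        "score": score,
        "sa_hit": score is not None and score >= sa_threshold,
        "bl_hit": bool(lists),
        # An empty or missing "checked" header means the blocklist stage never ran.
        "bl_checked": bool((msg.get(CHECKED) or "").strip()),
    }

def compare(raw_messages, sa_threshold=5.0):
    """Tally SA vs. blocklist hits only where both checks ran on the message."""
    labels = {(True, True): "both", (True, False): "sa_only",
              (False, True): "bl_only", (False, False): "neither"}
    tally = Counter()
    for raw in raw_messages:
        r = classify(raw, sa_threshold)
        if not r["bl_checked"]:
            tally["bl_skipped"] += 1  # serial mode: no fair comparison possible
            continue
        tally[labels[(r["sa_hit"], r["bl_hit"])]] += 1
    return dict(tally)

# Constructed sample messages (not real mail); list names are placeholders.
SAMPLES = [
    "X-Spam-Status: hits=7.1\nX-SpamCop-Checked: \nX-SpamCop-Disposition: Blocked SpamAssassin=7\n\nheld by SA",
    "X-Spam-Status: hits=6.4\nX-SpamCop-Checked: list-a.example list-b.example\n"
    "X-SpamCop-Disposition: Blocked list-a.example\n\ntag only, both hit",
    "X-Spam-Status: hits=0.0\nX-SpamCop-Checked: list-a.example list-b.example\n\nleaker",
    "X-Spam-Status: hits=0.0\nX-SpamCop-Checked: list-a.example\n"
    "X-SpamCop-Disposition: Blocked list-a.example\n\nblocklist only",
]

if __name__ == "__main__":
    print(compare(SAMPLES))
```
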

> Hate to be the bearer of bad news, but come back in a month and let us know if you still feel that way. spam (not spam® ) has a tendency to ebb and flow.
>
> Good luck, I hope you are right.

well it's been a week, and the spam at my primary account is still way down

however today, my secondary account got nailed by Viagra ads.

I'm getting one every 20 minutes or so on average..

you know.. it's not getting one spam for Viagra that bugs me..

it's getting 40-50

Link to comment

  • 2 weeks later...

> well it's been a week, and the spam at my primary account is still way down
>
> however today, my secondary account got nailed by Viagra ads.
>
> I'm getting one every 20 minutes or so on average..
>
> you know.. it's not getting one spam for Viagra that bugs me..
>
> it's getting 40-50

Very interesting..

the Primary account spams are STILL way down.

my held mail folder only had 3 in it after 12 hrs..

but the secondary account spams, dropped from 50-60 Viagra spams/day to almost 0 of those

but now 40 or so, Mortgage offerings... all the same company of course.

Link to comment

What's odd is that I've seen a reduction in the messages where my address was harvested *and* the messages that I receive from people that share/give away a throw-away address I used on a "MyFreeLaptop" site.

Maybe the rings are all on a vacation. *shrug*

Link to comment

> Maybe the rings are all on a vacation. *shrug*

Maybe yesterday's attack on the “G,” “L,” and “M” root DNS servers had something to do with it. It is claimed “There was no impact to Internet users,” said Mr. Witt. “There was no impact to DOD (Department of Defense) operations.” (Internet Attack Detailed) - if true, I would bet there was a certain amount of choking-off of network traffic as part of the coping adaptation. And maybe some ISPs were quietly dropping mail on the floor rather than tagging it and sending it on in such a circumstance. As the article says, this sort of thing goes on all the time, to a greater or lesser extent. It's undoubtedly wishful thinking but maybe spam has outworn its welcome at the deep level.

Link to comment

Archived

This topic is now archived and is closed to further replies.
