Where Has All My Spam Gone?

Posted by kdawson on Fri Aug 15, 2008 09:10 AM
from the yesterday-upon-the-stair dept.
An anonymous reader writes "I have my own domain, which has its own email server, where I receive all my personal email. I've been getting about 800 emails a day, of which perhaps 20 are real. Suddenly, Sunday or Monday evening, the spam pretty much stopped. My volume of mail has plummeted to less than 100 a day, and as far as I can tell, I'm not missing any real mail — I'm still getting the email list subscriptions I'm expecting, and every time I ask someone to send me a test message, it gets through. My domain host insists that it doesn't do any spam filtering before mail gets to my inbox, and that they've changed nothing about their configuration. I run SpamAssassin on my server to mark, but not delete, spam, and download the whole mess to my home client, and I'm still seeing the occasional message tagged by SpamAssassin. But it's virtually all gone. And I haven't changed anything about my own mail configuration, or the harvestability of my site (my personal email has been harvestable for almost a decade). So what's going on? I can't believe that several major botnets would have vanished overnight. Any ideas?"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Hmm (Score:5, Informative)

    by geminidomino (614729) * on Friday August 15 2008, @09:10AM (#24614491) Homepage Journal

    *Checks mail logs*

    Yeh, you need to ask the ISP again. No sign of slowing here.

    • Re:Hmm (Score:5, Informative)

      by urbanriot (924981) on Friday August 15 2008, @09:13AM (#24614547)
      Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.
      • Re:Hmm (Score:5, Informative)

        by Southpaw018 (793465) * on Friday August 15 2008, @09:27AM (#24614891) Journal
        Thirded over here. Solid 7000/day for months (small business).
        • Re:Hmm (Score:5, Funny)

          by VenomPhallus (904463) on Friday August 15 2008, @09:45AM (#24615231)

          Yup, and here; still getting 250 a day+ or so.

          Maybe they finally clicked that you've already got a huge penis and legendary bedroom performance?

          • Re:Hmm (Score:5, Funny)

            by tha_mink (518151) on Friday August 15 2008, @09:50AM (#24615341)
            Perhaps the botnets are busy fighting amongst themselves, vis a vis the Georgia v. Russia conflict.
            • Re:Hmm (Score:5, Funny)

              by Like2Byte (542992) <Like2Byte.yahoo@com> on Friday August 15 2008, @10:22AM (#24615897) Homepage

              Perhaps the botnets are busy fighting amongst themselves, vis a vis the Georgia v. Russia conflict.

              Ok, Agent Mulder, settle down.

            • Re:Hmm (Score:5, Funny)

              by Anonymous Coward on Friday August 15 2008, @10:33AM (#24616037)
              The Russian spammers can't get bandwidth because the military is busy using it against Georgia.
            • Re:Hmm (Score:5, Interesting)

              by swb (14022) <mobocracy@gmail.com> on Friday August 15 2008, @10:46AM (#24616303)

              There's something to that, even if the original poster's claim of not having spam anymore is local to him through unknown upstream changes.

              It's long been suspected that the Russian government and Russian organized crime have cooperative links, if not outright overlapping "membership" (Putin is FSA/KGB, and it's well known that ex-KGB members have been deeply involved in the Russian Mafia).

              With this in mind, it's not hard to speculate that if botnets controlled by Russian organized crime were put to use against pro-Georgian assets, the ensuing defenses, publicity and exposure at the political/military level could possibly cause these botnets to be far more vulnerable than they otherwise would be in the course of normal criminal activity.

              This higher level exposure might lead to weakening them and reduce their effectiveness at normal tasks like spam.

              It's also possible they may also be overutilized and prioritized for cyberwarfare and not for spam.

      • Re:Hmm (Score:5, Informative)

        by y86 (111726) on Friday August 15 2008, @09:56AM (#24615447)

        Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.

        You should REALLY consider trying postgrey.

        http://postgrey.schweikert.ch/ [schweikert.ch]

        Postgrey on non-whitelisted servers rejects the first mail attempt with a fail. The sending email server will retry X times, but the 2nd time it accepts it and adds the server to the whitelist.

        Postgrey will add a 5 minute lag to an email whose sending server has never sent an email to you. It's worth it to screw the spammers' zombies over IMHO.

        Also, I would check your postfix/whatever you are using for a mail server's policy. I get 0 spam emails now and my address is posted all over the web.

        I do have spamassassin running as well with sieve filtering to put what is marked as spam in a junk folder but the junk folder is empty, every now and then I'll see something -- but very rarely. Like once every 2 months.

        Here's my spam prevention system :-)

        # Checks run in the order listed; the last one queries the policy service on 127.0.0.1:60000.
        smtpd_recipient_restrictions =
            permit_mynetworks,
            permit_sasl_authenticated,
            reject_unauth_destination,
            reject_non_fqdn_sender,
            reject_unknown_sender_domain,
            reject_non_fqdn_recipient,
            reject_unknown_recipient_domain,
            reject_rbl_client zen.spamhaus.org,
            reject_rbl_client bl.spamcop.net,
            check_policy_service inet:127.0.0.1:60000
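
Added example, not part of the comment above and not postgrey's own code: a sketch of the greylisting decision that a `check_policy_service` entry delegates to, using Postfix's policy-delegation request format (name=value lines ended by an empty line). The `Greylist` class, the (client, sender, recipient) key and the sample addresses are assumptions made for illustration.

```python
import time


def parse_policy_request(raw):
    """Parse one Postfix policy-delegation request (name=value lines)."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break  # an empty line terminates the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


class Greylist:
    def __init__(self, delay=300, clock=time.time):  # 300 s = the 5 minute lag
        self.delay = delay
        self.clock = clock
        self.first_seen = {}    # (client, sender, recipient) -> first attempt time
        self.whitelist = set()  # client addresses that retried after the delay

    def decide(self, attrs):
        """Return the action line to send back to Postfix (followed by an empty line)."""
        client = attrs.get("client_address", "")
        if client in self.whitelist:
            return "action=dunno"  # no opinion: later restrictions still apply
        key = (client, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())
        now = self.clock()
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.delay:
            # The sender retried after the delay, as a real MTA does: let it through.
            del self.first_seen[key]
            self.whitelist.add(client)
            return "action=dunno"
        wait = int(self.delay - (now - first))
        return "action=defer_if_permit Greylisted, retry in %d seconds" % wait


# Constructed sample request, in the format Postfix sends to a policy service.
SAMPLE = (
    "request=smtpd_access_policy\n"
    "client_address=192.0.2.25\n"
    "sender=newsletter@example.org\n"
    "recipient=me@example.net\n"
    "\n"
)

if __name__ == "__main__":
    fake_now = [1000.0]  # controllable clock so the demo needs no real waiting
    gl = Greylist(clock=lambda: fake_now[0])
    req = parse_policy_request(SAMPLE)
    print(gl.decide(req))  # first attempt: temporary failure
    fake_now[0] += 301
    print(gl.decide(req))  # retry after the delay: passed on
```

A sender that never retries is never accepted, which is why the delay costs legitimate mail servers only a few minutes.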

        • Re:Hmm (Score:5, Informative)

          by j-cloth (862412) on Friday August 15 2008, @10:35AM (#24616069)
          A huge second to PostGrey. It kills 90% of my incoming spam before it even touches spamassassin. However, I have noticed a few people who receive failure messages from their mail systems telling them that they've been greylisted before the mail goes through. Then uppy-ups whine to me.
    • Re:Hmm (Score:5, Funny)

      by ElizabethGreene (1185405) on Friday August 15 2008, @09:25AM (#24614837)
      A group of the original SpamAssassin developers got together with a group of mercenaries and created SpammerAssassin. It's in alpha, and looks good except it seems to have started a teeny-tiny war in the eastern bloc. Oops. They have an open bug ticket on it.

      :D
      • Re:Hmm (Score:5, Funny)

        by oldspewey (1303305) on Friday August 15 2008, @09:34AM (#24615029)
        Seriously though ... if spammers started turning up dead where would the police even begin their investigation? There's only a pool of what, half a billion suspects?
    • by r_cerq (650776) on Friday August 15 2008, @10:21AM (#24615881)

      I've just checked my work's logs (an ISP). The number of hits in the spam taggers fell from 12/sec to 3/sec earlier this week.

      So either we're identifying less spam, or there is in fact less of it.

  • by digitrev (989335) <digitrev@hotmail.com> on Friday August 15 2008, @09:11AM (#24614497) Homepage
    My spam has tripled over the past few days. So I'm not getting all of it, but I'm getting a chunk of it.
      • Re:I'm getting it (Score:5, Interesting)

        by ShadowBlasko (597519) on Friday August 15 2008, @09:34AM (#24615015) Homepage
        Heh, we've got a virus running around the site lately that is titled "CNN Gold Medal tracker".

        Sneaky ...
      • Re:I'm getting it (Score:5, Interesting)

        by SatanicPuppy (611928) * <<Satanicpuppy> <at> <gmail.com>> on Friday August 15 2008, @09:40AM (#24615145) Journal

        We've been getting a lot of "reverse spam"...The organizational emails are necessarily public, so some enterprising Russian has harvested the entire set and is using them as "REPLY-TO" addresses, so we get all the bounce messages from their damn spamming.

        It's all the fun of having an exploited mail server without actually having an exploited mail server. The mail doesn't actually come from us so we're not having any blacklist problems, but the floods of bounce messages zip right through the spam filters and piss off the users.

        • Re:I'm getting it (Score:5, Insightful)

          by nabsltd (1313397) on Friday August 15 2008, @10:03AM (#24615581)

          Don't you hate it that you have to deal with this sort of thing because some other mail server isn't configured correctly?

          If all mail servers instituted the policy of "reject...don't accept then bounce", then there wouldn't be any blowback spam. Unfortunately, there is some MTA software that can't do the right thing without non-standard add-ons (qmail, I'm looking at you).

      • Re:I'm getting it (Score:5, Insightful)

        by KillerBob (217953) on Friday August 15 2008, @09:52AM (#24615363)

        I've seen a huge increase in both spam and particularly spam that makes it past my spam filter.

        It's an arms race. They come out with a new message that tricks the filters into thinking it's real. The filters update and adapt. They rethink things and come out with a new junk message which sometimes succeeds, sometimes doesn't. When they find one that works, I start getting spam again until the filters adapt. Ad nauseam.

        I've got my SpamAssassin filters set to update on a daily cron job, and it's always the same... Every week or two, I get a handful of spam messages getting past the filters. They're all basically the same. And it lasts for about a day before I stop getting spam again. So it comes in bursts for me, every time the spammers rethink the message they send out.

        I've had my domain, and the same e-mail address for half a decade. My IP address did recently change when I moved into a new colo, but all of the DNS has updated already, so the spammers still know who I am. It's annoying. But it is manageable.

  • by bugeaterr (836984) on Friday August 15 2008, @09:13AM (#24614525)

    Did you install Skynet 1.0?

    Hey, what's that siren going off for....

  • Because... (Score:5, Funny)

    by Capt James McCarthy (860294) on Friday August 15 2008, @09:13AM (#24614549) Journal

    When spammers took over your box, they didn't want to flood it with their own mail.

  • One down (Score:5, Informative)

    by canderley (1234622) on Friday August 15 2008, @09:14AM (#24614553)
    Per Ars, a 100,000 machine bot net was shut down recently. http://arstechnica.com/news.ars/post/20080814-police-nab-shadow-creators-force-botnet-to-commit-suicide.html [arstechnica.com]
  • Oops... (Score:5, Funny)

    by bhamlin (986048) on Friday August 15 2008, @09:14AM (#24614557) Homepage

    Sorry, we've been down for maintenance and it's taking a lot longer than we originally planned. You can expect normal service to resume by next Monday.

  • by Seakip18 (1106315) on Friday August 15 2008, @09:14AM (#24614581) Journal

    Spam Assassin is actually assassinating spam.

    On another note, has anyone heard from my cousin who is a Nigerian prince? He hasn't called in days and we're beginning to get worried.....

  • by Anonymous Coward on Friday August 15 2008, @09:16AM (#24614621)
    ... to save the health of the athletes.
  • by NMBob (772954) on Friday August 15 2008, @09:16AM (#24614623)
    ...and the Chinese are busy watching 13-year-olds win gold medals. Bob
  • We Can Test (Score:5, Funny)

    by awitod (453754) on Friday August 15 2008, @09:16AM (#24614625)

    We're happy to help you solve this mystery.
    What is your email address?

  • by Bogtha (906264) on Friday August 15 2008, @09:16AM (#24614627)

    Okay, here's the thing: nobody but you ever got spam. We all just thought it would be funny to fool you into thinking there was some kind of worldwide scamming epidemic. You don't seriously think people would be stupid enough to buy pills off strangers who email them out of the blue, do you? I thought we'd gone a bit too far and stretched the limits of credibility when we came up with the idea for the Nigerian scams, but I was wrong, you even fell for that! Nobody is stupid enough to send all their money to a "Nigerian prince".

    Anyway, enough's enough. The joke's stale now, so we decided to stop sending it all to you.

  • by Toe, The (545098) on Friday August 15 2008, @09:16AM (#24614637)

    A large chunk of spam comes from a very small group of spammers. It may just be that you are only targeted by one of them, and he took a break recently.

    Hang in there... he'll come back from vacation soon, and you'll be able to mortgage your penis to Nigeria again.

  • by suso (153703) * on Friday August 15 2008, @09:17AM (#24614659) Homepage Journal

    I run a web hosting company and over the past couple weeks I've had a few customers report that the amount of spam has dropped. Of course, they thought that this was something wrong, but I couldn't find any evidence of increased failures, it was just that there was slightly less mail coming in.

  • by Wrath0fb0b (302444) on Friday August 15 2008, @09:18AM (#24614695)

    http://it.slashdot.org/article.pl?sid=08/08/12/191255&from=rss [slashdot.org]
    http://bits.blogs.nytimes.com/2008/08/11/georgia-takes-a-beating-in-the-cyberwar-with-russia/ [nytimes.com]

    When the crisis abates, I expect the botnets will be returned to their regularly scheduled duties. Quite a versatile tool those botnets -- pimping V!agr4, collapsing government sites, enhancing the male doodad, distributing pr0n, bullying your neighbors (http://news.bbc.co.uk/2/hi/europe/6665145.stm [bbc.co.uk]). For the cost of one M1A1 tank tread, Putin bought himself a whole lot of firepower.

    Advantage: Putin.

  • headless botnets (Score:5, Interesting)

    by Lord Ender (156273) on Friday August 15 2008, @09:20AM (#24614731) Homepage

    We've been seeing botnets changing desktop background to an image alerting people that they are infected with a virus. Obviously a real spam botnet operator would not alert people like that.

    My theory is that some grayhat wrested control of a major botnet, and is shutting it down from the source (and alerting the victims in the process).

  • by Sloppy (14984) on Friday August 15 2008, @09:22AM (#24614757) Homepage Journal
    Dear Sir,
    We humbly apologize for the interruption in service. Please reply with your email address and our technical staff will get back to you.
  • by IceCreamGuy (904648) on Friday August 15 2008, @09:40AM (#24615129) Homepage
    Maybe you could forward some spam from, say, a gmail account to your address in question. If it doesn't make it through to your server then you have a definitive record to confront your ISP with. Or, if they do get through, maybe you should buy a lottery ticket because you're the luckiest admin on Slashdot!
  • Black Hat (Score:5, Funny)

    by machine321 (458769) on Friday August 15 2008, @09:45AM (#24615229)

    They all just got back from Black Hat / Defcon, and they're still hung over.

  • by Kirys (662749) on Friday August 15 2008, @09:59AM (#24615517) Homepage
    Most spam is sent by bot-nets, mostly composed of infected PCs in workplaces, schools and private homes. In many countries during the second and third week of August many schools and workplaces are closed so their PCs are just turned off; this means that the bot-nets have fewer active nodes and so are less effective. I do receive less spam too but I think that it will be back to the sad old amount at the end of the summer :(
    • Re:Okay (Score:5, Insightful)

      by kinzillah (662884) <douglas,price&mail,rit,edu> on Friday August 15 2008, @09:14AM (#24614563)
      Perhaps he'd like to leave it to systems he controls? I, for one, would rather a third party weren't silently dropping mail that could be false positives.
    • Re:Okay (Score:5, Insightful)

      by qortra (591818) on Friday August 15 2008, @09:16AM (#24614629) Homepage
      He isn't complaining. It isn't wrong to ask questions when things unexpectedly go well.
          • Re:Okay (Score:5, Funny)

            by Hektor_Troy (262592) on Friday August 15 2008, @10:12AM (#24615731)

            Mace? Screw mace.

            Fluorescent green spray paint [choiceful.com] is much better. Not only will you keep your assailant off of you, but you will also make it REALLY easy to pick him out of a line-up later.

            Police: "Can you identify the guy who jumped you?"
            Victim: "He's the green faced guy, crying on the corner about being blind."

    • Re:Okay (Score:5, Funny)

      by camperdave (969942) on Friday August 15 2008, @09:34AM (#24615027) Journal
      And you're complaining because .... ?

      Without having the spam to process, the server doesn't run as hot as it's "supposed to". This causes a power imbalance, sending more current to the other servers and tripping breakers. Also, because of the lack of that heat, the server room is too cold. The UPS batteries are not storing enough of a charge as they are less efficient when they're cold. If a power sag, brownout, or blackout happens during one of these spam free moments, well, the results could be catastrophic.