Where Has All My Spam Gone?
An anonymous reader writes "I have my own domain, which has its own email server, where I receive all my personal email. I've been getting about 800 emails a day, of which perhaps 20 are real. Suddenly, Sunday or Monday evening, the spam pretty much stopped. My volume of mail has plummeted to less than 100 a day, and as far as I can tell, I'm not missing any real mail — I'm still getting the email list subscriptions I'm expecting, and every time I ask someone to send me a test message, it gets through. My domain host insists that it doesn't do any spam filtering before mail gets to my inbox, and that they've changed nothing about their configuration. I run SpamAssassin on my server to mark, but not delete, spam, and download the whole mess to my home client, and I'm still seeing the occasional message tagged by SpamAssassin. But it's virtually all gone. And I haven't changed anything about my own mail configuration, or the harvestability of my site (my personal email has been harvestable for almost a decade). So what's going on? I can't believe that several major botnets would have vanished overnight. Any ideas?"
Hmm (Score:5, Informative)
*Checks mail logs*
Yeah, you need to ask the ISP again. No sign of slowing here.
One down (Score:5, Informative)
Shadow botnet was killed recently (Score:4, Informative)
http://arstechnica.com/news.ars/post/20080814-police-nab-shadow-creators-force-botnet-to-commit-suicide.html [arstechnica.com]
That may account for some of it.
A "Shadow" of their former selves? (Score:4, Informative)
Were the missing spam-mails mostly in Dutch?
http://arstechnica.com/news.ars/post/20080814-police-nab-shadow-creators-force-botnet-to-commit-suicide.html
"Shadow appears to have been mostly confined to the Netherlands, as the messages and phishing hooks were all sent in Dutch, but had apparently infected some US systems as well, as the FBI is credited for assisting on the case."
...
"Once Shadow was secured, the police contacted Kaspersky Labs about providing a means to neutralize the malware."
Reality... (Score:4, Informative)
Without seeing your logs, most folks would be guessing. The symptoms you provide are not enough to make an educated guess. I would say to bump up the verbosity of your email server, SpamAssassin, and the system itself and then go from there.
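One concrete way to act on that advice is to count spamd's per-message verdict lines per day, which tells you whether the drop happened at the server or only in what reaches the inbox. The following script is an added example, not code from the original thread; the log lines it contains are constructed to resemble spamd's standard "identified spam" / "clean message" output, the volumes in them are made up, and the 50% drop threshold is an arbitrary assumption.

```python
"""Daily spam/ham tally from SpamAssassin's spamd log lines.

spamd logs one result line per scanned message, e.g.
  spamd: identified spam (12.3/5.0) for alice:1000 in 1.2 seconds, 3456 bytes.
  spamd: clean message (-1.7/5.0) for alice:1000 in 0.8 seconds, 2100 bytes.
Counting those per day shows whether spam volume really dropped at the server,
or whether tagged mail simply stopped reaching the inbox.
"""
import re
from collections import OrderedDict

# Syslog prefix + spamd verdict. Hostname and PID vary; only month/day and verdict are kept.
SPAMD_RESULT = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d{2}:\d{2}:\d{2} \S+ spamd\[\d+\]: "
    r"spamd: (?P<verdict>identified spam|clean message) "
    r"\((?P<score>-?\d+(?:\.\d+)?)/(?P<threshold>\d+(?:\.\d+)?)\)"
)


def tally_spamd_log(lines):
    """Map 'Mon D' -> {'spam': n, 'ham': n}, preserving first-seen day order."""
    per_day = OrderedDict()
    for line in lines:
        m = SPAMD_RESULT.match(line)
        if not m:
            continue  # unrelated syslog noise (postfix, cron, ...)
        day = f"{m['mon']} {int(m['day'])}"
        counts = per_day.setdefault(day, {"spam": 0, "ham": 0})
        counts["spam" if m["verdict"] == "identified spam" else "ham"] += 1
    return per_day


def spam_drops(per_day, ratio=0.5):
    """Return (day, previous_spam, spam) for days whose spam count fell below
    `ratio` of the preceding day's count (ratio is an assumed threshold)."""
    drops = []
    prev_spam = None
    for day, counts in per_day.items():
        if prev_spam and counts["spam"] < prev_spam * ratio:
            drops.append((day, prev_spam, counts["spam"]))
        prev_spam = counts["spam"]
    return drops


# Constructed sample log: volumes are made up, shaped like the situation in the question.
SAMPLE_LOG = """\
Aug 14 09:01:02 mx spamd[4121]: spamd: identified spam (18.4/5.0) for alice:1000 in 1.1 seconds, 2910 bytes.
Aug 14 09:01:40 mx spamd[4121]: spamd: identified spam (7.2/5.0) for alice:1000 in 0.9 seconds, 1502 bytes.
Aug 14 09:02:13 mx postfix/smtpd[4130]: connect from unknown[192.0.2.45]
Aug 14 09:03:05 mx spamd[4121]: spamd: clean message (-2.6/5.0) for alice:1000 in 0.7 seconds, 4410 bytes.
Aug 14 17:44:19 mx spamd[4121]: spamd: identified spam (22.0/5.0) for alice:1000 in 1.3 seconds, 3021 bytes.
Aug 15 08:12:55 mx spamd[4121]: spamd: clean message (-0.4/5.0) for alice:1000 in 0.6 seconds, 1980 bytes.
Aug 15 08:30:01 mx spamd[4121]: spamd: identified spam (9.8/5.0) for alice:1000 in 1.0 seconds, 2200 bytes.
Aug 15 19:05:44 mx spamd[4121]: spamd: clean message (-1.1/5.0) for alice:1000 in 0.8 seconds, 5120 bytes.
""".splitlines()

if __name__ == "__main__":
    tally = tally_spamd_log(SAMPLE_LOG)
    for day, c in tally.items():
        print(f"{day}: spam={c['spam']} ham={c['ham']}")
    for day, before, after in spam_drops(tally):
        print(f"{day}: spam fell from {before} to {after}")
```

Run it against a real /var/log/mail.log (for example `tally_spamd_log(open("/var/log/mail.log"))`) and compare the spam column with the smtpd connection counts from the same log: if spamd's spam count fell but connections did not, something upstream of SpamAssassin is rejecting or dropping mail.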
not on this end (Score:3, Informative)
our spam seems to be climbing.
# of spams / date (m/d)
16,037 8/15
17,385 8/14
17,287 8/13
16,352 8/12
15,171 8/11
16,505 8/10
14,344 8/9
12,157 8/8
12,465 8/7
11,942 8/6
12,265 8/5
10,124 8/4
11,437 8/3
13,417 8/2
12,858 8/1
Re:One down (Score:3, Informative)
Did you read that article?
"Shadow appears to have been mostly confined to the Netherlands, as the messages and phishing hooks were all sent in Dutch, but had apparently infected some US systems as well, as the FBI is credited for assisting on the case."
I just checked one of our Ironport Servers (Score:3, Informative)
In a 24 hour period we've gone from a peak of about 75,000 messages at 9pm CST last night to a low of 40,000 messages incoming today, 97.3% of which are spam. Total for the last 24 hours on that single Ironport (we have 4 in production and one in the lab) is 1.4 Million attempted messages, of which 36.1 thousand were clean.
So all things taken into consideration, consider yourself fortunate. We're still seeing a trend that indicates that over 97% of all incoming mail is garbage.
-Phil
Re:headless botnets (Score:3, Informative)
lemme guess, most common infection name is Antivirus XP 2008?
I've started having those pop up left and right, and you are correct, once you think you have the virus gone, you think you're clean. EEEEEEE wrong. There's actually a botnet hiding behind that virus load, and if you don't pull it off, it does its own direct port 25 push. I've three computers in my near vicinity that all have that loaded on their systems, and at first I was ready to wipe the frigging machine.
Don't forget to clear system restore too!!!
Re:Hmm (Score:5, Informative)
Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.
You should REALLY consider trying postgrey.
http://postgrey.schweikert.ch/ [schweikert.ch]
Postgrey, for non-whitelisted servers, rejects the first mail attempt with a temporary failure. The sending email server will retry X times, but the 2nd time it accepts it and adds the server to the whitelist.
Postgrey will add a 5 minute lag to an email whose sending server has never sent an email to you. It's worth it to screw the spammers' zombies over IMHO.
Also, I would check your postfix/whatever you are using for a mail server's policy. I get 0 spam emails now and my address is posted all over the web.
I do have spamassassin running as well with sieve filtering to put what is marked as spam in a junk folder but the junk folder is empty, every now and then I'll see something -- but very rarely. Like once every 2 months.
Here's my spam prevention system :-)
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service inet:127.0.0.1:60000
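The last restriction above hands each recipient to a policy server over the Postfix policy delegation protocol, which is how postgrey plugs in. The script below is an added example of that protocol and of the greylisting rule the comment describes (defer the first attempt for an unseen client/sender/recipient triplet, accept once it retries after the delay); it is not postgrey's code or Postfix's, and it is also the mechanism behind the later comment about spammers rarely retrying. The 5 minute delay matches what the comment states; the 8 hour lifetime for pending entries, the in-memory store, and the sample request (documentation IP and domain names) are assumptions of this example.

```python
"""Minimal greylisting policy server for Postfix's check_policy_service.

Postfix sends one request per recipient as "name=value" lines ending with an
empty line, and expects "action=<decision>" plus an empty line back
(see Postfix's SMTPD_POLICY_README). Like postgrey, this defers the first
delivery attempt for an unseen (client IP, sender, recipient) triplet and
lets it through once the sender retries after the greylist delay.
"""
import socketserver
import time

GREYLIST_DELAY = 300          # seconds a new triplet must wait (5 minutes, as in the comment)
PENDING_LIFETIME = 8 * 3600   # forget a pending triplet that never retried (assumed value)
DEFER_TEXT = "DEFER_IF_PERMIT Greylisted, please retry later"


def parse_policy_request(raw):
    """Parse the name=value block Postfix sends; stops at the empty terminator line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class GreylistState:
    """In-memory greylist: pending triplets with first-seen time, plus passed triplets."""

    def __init__(self, delay=GREYLIST_DELAY, pending_lifetime=PENDING_LIFETIME):
        self.delay = delay
        self.pending_lifetime = pending_lifetime
        self.pending = {}       # triplet -> timestamp of first attempt
        self.passed = set()     # triplets that retried correctly; accepted from now on

    def decide(self, client_ip, sender, recipient, now=None):
        """Return the Postfix action for one delivery attempt."""
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.passed:
            return "DUNNO"                      # let the remaining restrictions decide
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.pending_lifetime:
            self.pending[key] = now             # new (or stale) triplet: start the clock
            return DEFER_TEXT
        if now - first_seen < self.delay:
            return DEFER_TEXT                   # retried too early, keep deferring
        del self.pending[key]
        self.passed.add(key)                    # a real MTA waited and came back
        return "DUNNO"

    def decide_request(self, attrs):
        """Apply decide() to a parsed policy request; other request types pass through."""
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        return self.decide(attrs.get("client_address", ""),
                           attrs.get("sender", ""),
                           attrs.get("recipient", ""))


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection; Postfix may send several requests back to back."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return                      # Postfix closed the connection
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            attrs = parse_policy_request("\n".join(lines) + "\n\n")
            action = self.server.state.decide_request(attrs)
            self.wfile.write(f"action={action}\n\n".encode("utf-8"))
            self.wfile.flush()


class PolicyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, address, state):
        super().__init__(address, PolicyHandler)
        self.state = state


# Constructed sample request, using RFC 5737 / RFC 2606 documentation addresses.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=bob@example.org\n"
    "recipient=alice@example.net\n"
    "\n"
)

if __name__ == "__main__":
    # Listen where the posted main.cf points: check_policy_service inet:127.0.0.1:60000
    PolicyServer(("127.0.0.1", 60000), GreylistState()).serve_forever()
```

Because `permit_mynetworks` and `permit_sasl_authenticated` come first in the posted restriction list, local and authenticated clients never reach the policy server, and DEFER_IF_PERMIT only takes effect when no later restriction rejects the recipient outright. The in-memory state is lost on restart; postgrey keeps its triplets in an on-disk database for that reason.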
Infected PC are offline during summer ^_^ (Score:5, Informative)
I use greylisting, it reduced spam to almost zero for a while but then it gradually climbed back to previous levels and more.
Re:I have it (Score:1, Informative)
Memez are in ur brainz, eating ur intelligence.
Already going on. (Score:4, Informative)
Seriously though ... if spammers started turning up dead where would the police even begin their investigation? There's only a pool of what, half a billion suspects?
Spammers and virus writers employed by spammers to create their zombie pools have been turning up dead [google.com] for almost two years now.
Re:I'm getting it (Score:5, Informative)
and you will block quite a few legit bounces too for two reasons
1: 12 hours is nowhere near long enough
2: the message may be routed through multiple servers before finally getting bounced.
Re:Hmm (Score:1, Informative)
> Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.
> You should REALLY consider trying postgrey.
There are lots of good greylisting systems out there.
And how do you know he isn't getting hundreds of spams a day even with greylisting? Many spammers are aware of greylisting and will retry.
Re:Hmm (Score:2, Informative)
My mail filtering service [mail-scanning.com] is currently hovering around 2.3 million mails - which is a little down from its peak.
Still these things tend to even out over time; a few days/weeks of lower-than-average SPAM totals then a few more of higher than average.
With only a couple of domains, anecdotally at that, I'd be inclined to assume nothing has changed significantly.
Re:Hmm (Score:2, Informative)
A good way to complement spam source filtering through greylisting is to block home/dynamic IPs, ranges where mail servers aren't supposed to be, but where the majority of personal PCs (the ones that get owned by botnets) are. Spamhaus PBL, for example, has this particular target (or Zen, which combines this one with other known sources of spam).
Please don't. There is no reason that mail servers shouldn't exist on home/dynamic IP addresses. This is one area where I'm actually happy with my AT&T DSL service - they block outbound port 25 connections by default, but allow you to opt out of the blocking if you want to run your own mail server.
Re:headless botnets (Score:3, Informative)
Cite my source? I am the primary source. I have a forensic image of such a machine sitting right next to me.
Not everything on the internet originates at some other place on the internet. Somewhere, original sources actually exist, and they have nothing else to cite.
I have seen four such infections, all came through hotmail (we think).
Re:Hmm (Score:3, Informative)
That's a nice theory, but in practice, I have seen a huge increase in spam recently. Mostly CNN and MSNBC News Alerts that require me to download an updated version of Adobe Flash Player.
Re:Already going on. (Score:3, Informative)
I would try looking at something more like this for information about spammers dying in the past few years: http://news.google.com/archivesearch?q=spammer+found+dead&sa=N&lnav=m&scoring=t [google.com]
Re:Totally OT: Chinese youth in Olympics (Score:3, Informative)
What are you talking about?
Beam scores:
Liukin - 16.125
Johnson - 16.050
Yang - 15.750
I swear, I've never heard anybody but Americans complain about judging in an event that they WON.
Re:Hmm (Score:1, Informative)
Very few spammers actually retry for a few reasons:
1. It's expensive. This is one of the strengths of greylisting. It is more expensive for the sender than the recipient.
2. Greylisting indicates an administrator with a reasonable level of spam awareness. Chances are fair that your spam will never be seen by anyone on that server anyway.
3. Relatively few places greylist.
Here's where your spam went (Score:4, Informative)
1. If you've made no configuration changes or patches in the past week, that pretty much lets out program error.
2. If your ISP is saying they don't do spam filtering, then that pretty much lets that out too, unless your ISP is given to lying to you.
3. Others point to the cyber war between Georgia and Russia. I'd think that those folks would have their own bots not associated with spamming, but I can't prove that.
4. It surpasses hope that all of a sudden people cleaned up their pwon3d systems.
5. My spam levels have not dropped appreciably, and I not only have my own domain, but allocations as well.
6. I have noticed at times in the past that my spam levels do drop by 60, 70, even 80%. They always pick back up before too long. Enjoy a brief respite.
Re:Hmm (Score:4, Informative)
Unfair moderation much? I hope you get metamodded back into positive, because that post is definitely not a troll. :(