Where Has All My Spam Gone? 597

An anonymous reader writes "I have my own domain, which has its own email server, where I receive all my personal email. I've been getting about 800 emails a day, of which perhaps 20 are real. Suddenly, Sunday or Monday evening, the spam pretty much stopped. My volume of mail has plummeted to less than 100 a day, and as far as I can tell, I'm not missing any real mail — I'm still getting the email list subscriptions I'm expecting, and every time I ask someone to send me a test message, it gets through. My domain host insists that it doesn't do any spam filtering before mail gets to my inbox, and that they've changed nothing about their configuration. I run SpamAssassin on my server to mark, but not delete, spam, and download the whole mess to my home client, and I'm still seeing the occasional message tagged by SpamAssassin. But it's virtually all gone. And I haven't changed anything about my own mail configuration, or the harvestability of my site (my personal email has been harvestable for almost a decade). So what's going on? I can't believe that several major botnets would have vanished overnight. Any ideas?"
  • Hmm (Score:5, Informative)

    by geminidomino ( 614729 ) * on Friday August 15, 2008 @10:10AM (#24614491) Journal

    *Checks mail logs*

    Yeh, you need to ask the ISP again. No sign of slowing here.

  • Re:Hmm (Score:5, Informative)

    by urbanriot ( 924981 ) on Friday August 15, 2008 @10:13AM (#24614547)
    Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.
  • One down (Score:5, Informative)

    by canderley ( 1234622 ) on Friday August 15, 2008 @10:14AM (#24614553)
    Per Ars, a 100,000 machine bot net was shut down recently. http://arstechnica.com/news.ars/post/20080814-police-nab-shadow-creators-force-botnet-to-commit-suicide.html [arstechnica.com]
  • by DCheesi ( 150068 ) on Friday August 15, 2008 @10:16AM (#24614649) Homepage

    Were the missing spam-mails mostly in Dutch?

    http://arstechnica.com/news.ars/post/20080814-police-nab-shadow-creators-force-botnet-to-commit-suicide.html

    "Shadow appears to have been mostly confined to the Netherlands, as the messages and phishing hooks were all sent in Dutch, but had apparently infected some US systems as well, as the FBI is credited for assisting on the case."

    ...

    "Once Shadow was secured, the police contacted Kaspersky Labs about providing a means to neutralize the malware."

  • Reality... (Score:4, Informative)

    by Capt James McCarthy ( 860294 ) on Friday August 15, 2008 @10:18AM (#24614701) Journal

    Without seeing your logs, most folks would be guessing. The symptoms you provide are not enough to make an educated guess. I would say to bump up the verbosity of your email server, SpamAssassin, and the system itself and then go from there.

  • Fake News Alerts (Score:3, Informative)

    by pipingguy ( 566974 ) * on Friday August 15, 2008 @10:19AM (#24614717)
    Fake news alerts seem to be the new thing for my inbox.
  • not on this end (Score:3, Informative)

    by JohnCub ( 56178 ) on Friday August 15, 2008 @10:25AM (#24614835)

    our spam seems to be climbing.
    # of spams / date (m/d)
    16,037 8/15
    17,385 8/14
    17,287 8/13
    16,352 8/12
    15,171 8/11
    16,505 8/10
    14,344 8/9
    12,157 8/8
    12,465 8/7
    11,942 8/6
    12,265 8/5
    10,124 8/4
    11,437 8/3
    13,417 8/2
    12,858 8/1

  • Re:One down (Score:3, Informative)

    by Anonymous Coward on Friday August 15, 2008 @10:25AM (#24614841)

    Did you read that article?
    "Shadow appears to have been mostly confined to the Netherlands, as the messages and phishing hooks were all sent in Dutch, but had apparently infected some US systems as well, as the FBI is credited for assisting on the case."

  • Re:Hmm (Score:5, Informative)

    by Southpaw018 ( 793465 ) * on Friday August 15, 2008 @10:27AM (#24614891) Journal
    Thirded over here. Solid 7000/day for months (small business).
  • by Phil_at_EvilNET ( 569379 ) on Friday August 15, 2008 @10:40AM (#24615133) Homepage

    In a 24 hour period we've gone from a peak of about 75,000 messages at 9pm CST last night to a low of 40,000 messages incoming today, 97.3% of which are spam. Total for the last 24 hours on that single Ironport (we have 4 in production and one in the lab) is 1.4 Million attempted messages, of which 36.1 thousand were clean.

    So all things taken into consideration, consider yourself fortunate. We're still seeing a trend that indicates that over 97% of all incoming mail is garbage.

    -Phil

  • Re:headless botnets (Score:3, Informative)

    by drachenstern ( 160456 ) <drachenstern@gmail.com> on Friday August 15, 2008 @10:41AM (#24615155) Journal

    lemme guess, most common infection name is Antivirus XP 2008?

    I've started having those pop up left and right, and you are correct, once you think you have the virus gone, you think you're clean. EEEEEEE wrong. There's actually a botnet hiding behind that virus load, and if you don't pull it off, it does its own direct port 25 push. I've three computers in my near vicinity that all have that loaded on their systems, and at first I was ready to wipe the frigging machine.

    Don't forget to clear system restore too!!!

  • Re:Hmm (Score:5, Informative)

    by y86 ( 111726 ) on Friday August 15, 2008 @10:56AM (#24615447)

    Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.

    You should REALLY consider trying postgrey.

    http://postgrey.schweikert.ch/ [schweikert.ch]

    Postgrey on non whitelisted servers rejects the first mail attempt with a fail. The sending email server will retry X times, but the 2nd time it accepts it and adds the server to the whitelist.

    Postgrey will add a 5 minute lag to an email whose sending server has never sent an email to you. It's worth it to screw the spammers' zombies over IMHO.

    Also, I would check your postfix/whatever you are using for a mail server's policy. I get 0 spam emails now and my address is posted all over the web.

    I do have spamassassin running as well with sieve filtering to put what is marked as spam in a junk folder but the junk folder is empty, every now and then I'll see something -- but very rarely. Like once every 2 months.

    Here's my spam prevention system :-)

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        check_policy_service inet:127.0.0.1:60000
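
The greylisting decision behind a `check_policy_service` entry like the one above, as an added example that is not part of the comment and is not postgrey's own code. It assumes the classic scheme keyed on the (client address, sender, recipient) triplet, uses the 5 minute delay mentioned in the comment, and runs on a constructed sample request.

```python
import time

GREYLIST_DELAY = 300          # seconds; the "5 minute lag" from the comment
_first_seen = {}              # (client, sender, recipient) -> time of first attempt


def parse_policy_request(text):
    """Parse one Postfix policy request: name=value lines, ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def greylist_action(attrs, now=None, seen=_first_seen):
    """Return the policy reply for one RCPT TO, deferring triplets not yet aged."""
    now = time.time() if now is None else now
    key = (attrs.get("client_address", ""),
           attrs.get("sender", "").lower(),
           attrs.get("recipient", "").lower())
    first = seen.setdefault(key, now)    # remember when this triplet first appeared
    if now - first >= GREYLIST_DELAY:
        return "action=DUNNO\n\n"        # retried after the delay: later checks decide
    wait = int(GREYLIST_DELAY - (now - first))
    return f"action=DEFER_IF_PERMIT Greylisted, retry in {wait} seconds\n\n"


# Constructed sample request in the format Postfix sends to a policy service.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "\n"
)

if __name__ == "__main__":
    req = parse_policy_request(SAMPLE_REQUEST)
    for t in (0, 60, 301):               # first try, early retry, retry after 5 minutes
        print(t, greylist_action(req, now=t).strip())
```

A sender that never retries stays deferred, while a queueing mail server gets through on its first retry after the delay.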

  • by Kirys ( 662749 ) on Friday August 15, 2008 @10:59AM (#24615517) Homepage
    Most spam is sent by bot-nets, mostly composed of infected PCs in workplaces, schools and private homes. In many countries during the second and third week of August many schools and workplaces are closed, so their PCs are just turned off; this means that the bot-nets have fewer active nodes and so are less effective. I do receive less spam too but I think that it will be back to the sad old amount at the end of the summer :(
  • Re:I'm getting it (Score:4, Informative)

    by growse ( 928427 ) on Friday August 15, 2008 @11:16AM (#24615791) Homepage
    Simple. Configure your mailserver to block all bounce messages unless they originate from a server that you've sent a mail to in the past 12 hours. Then you'll only get legit bounces.
  • Re:Hmm (Score:5, Informative)

    by j-cloth ( 862412 ) on Friday August 15, 2008 @11:35AM (#24616069)
    A huge second to PostGrey. It kills 90% of my incoming spam before it even touches spamassassin. However, I have noticed a few people who receive failure messages from their mail systems telling them that they've been greylisted before the mail goes through. Then uppy-ups whine to me.
  • Re:Hmm (Score:4, Informative)

    by petermgreen ( 876956 ) <plugwash@nOSpam.p10link.net> on Friday August 15, 2008 @11:42AM (#24616225) Homepage

    I use greylisting, it reduced spam to almost zero for a while but then it gradually climbed back to previous levels and more.

  • Re:I have it (Score:1, Informative)

    by Hal_Porter ( 817932 ) on Friday August 15, 2008 @11:42AM (#24616227)

    Memez are in ur brainz, eating ur intelligence.

  • Already going on. (Score:4, Informative)

    by Medievalist ( 16032 ) on Friday August 15, 2008 @11:44AM (#24616261)

    Seriously though ... if spammers started turning up dead where would the police even begin their investigation? There's only a pool of what, half a billion suspects?

    Spammers and virus writers employed by spammers to create their zombie pools have been turning up dead [google.com] for almost two years now.

  • Re:I'm getting it (Score:5, Informative)

    by petermgreen ( 876956 ) <plugwash@nOSpam.p10link.net> on Friday August 15, 2008 @11:47AM (#24616325) Homepage

    and you will block quite a few legit bounces too for two reasons

    1: 12 hours is nowhere near long enough
    2: the message may be routed through multiple servers before finally getting bounced.
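
The bounce filter proposed in this sub-thread and the two objections raised in the reply, as an added example that is not part of either comment. Host names, timestamps and the 5 day retry delay are constructed sample data.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=12)   # the window proposed in the thread


def accept_bounce(bounce_host, bounce_time, sent_log, window=WINDOW):
    """Accept a bounce only if we delivered mail to bounce_host within `window`."""
    return any(host == bounce_host and timedelta(0) <= bounce_time - sent_at <= window
               for host, sent_at in sent_log)


def evaluate(bounces, sent_log, window=WINDOW):
    """Return (label, accepted) for each bounce so wrongly rejected ones are visible."""
    return [(label, accept_bounce(host, when, sent_log, window))
            for label, host, when in bounces]


# Constructed sample data: one outbound delivery and four incoming bounces.
T0 = datetime(2008, 8, 15, 9, 0)
SENT_LOG = [("mx.example.org", T0)]      # the server we handed our message to
BOUNCES = [
    ("prompt bounce from first hop", "mx.example.org", T0 + timedelta(minutes=2)),
    ("delayed bounce after retries", "mx.example.org", T0 + timedelta(days=5)),
    ("bounce from a later relay", "inner-relay.example.org", T0 + timedelta(minutes=5)),
    ("backscatter for forged mail", "mail.example.com", T0 + timedelta(hours=1)),
]

if __name__ == "__main__":
    for label, accepted in evaluate(BOUNCES, SENT_LOG):
        print(f"{'accept' if accepted else 'reject':6}  {label}")
```

The backscatter is rejected as intended, but so are the delayed bounce and the bounce from a downstream relay, both of which are legitimate.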

  • Re:Hmm (Score:2, Informative)

    by Anonymous Coward on Friday August 15, 2008 @11:50AM (#24616361)
    it's YOUR not YOU'RE *shoots you*
  • Re:Hmm (Score:1, Informative)

    by Anonymous Coward on Friday August 15, 2008 @11:55AM (#24616455)

    Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.

    You should REALLY consider trying postgrey.

    There are lots of good greylisting systems out there.

    And how do you know he isn't getting hundreds of spams a day even with greylisting? Many spammers are aware of greylisting and will retry.

  • Re:Hmm (Score:5, Informative)

    by wmbetts ( 1306001 ) on Friday August 15, 2008 @12:12PM (#24616737)
    I used to read a lot of not so nice forums when I was really into Info Sec and I always heard them referred to as "The Russian Business Network"
  • Re:Hmm (Score:2, Informative)

    by stevey ( 64018 ) on Friday August 15, 2008 @12:35PM (#24617111) Homepage

    My mail filtering service [mail-scanning.com] is currently hovering around 2.3 million mails - which is a little down from its peak.

    Still these things tend to even out over time; a few days/weeks of lower-than-average SPAM totals then a few more of higher than average.

    With only a couple of domains, anecdotally at that, I'd be inclined to assume nothing has changed significantly.

  • Re:Hmm (Score:2, Informative)

    by jdmetz ( 802257 ) on Friday August 15, 2008 @01:00PM (#24617517) Homepage

    A good way to complement spam source filtering thru greylisting is to block home/dynamic IPs, ranges where mail servers aren't supposed to be, but where are the majority of personal pcs (that gets owned by botnets). Spamhaus PBL i.e. have this particular target (or zen that combines this one with other known sources of spam)

    Please don't. There is no reason that mail servers shouldn't exist on home/dynamic IP addresses. This is one area where I'm actually happy with my AT&T DSL service - they block outbound port 25 connections by default, but allow you to opt out of the blocking if you want to run your own mail server.

  • Re:headless botnets (Score:3, Informative)

    by Lord Ender ( 156273 ) on Friday August 15, 2008 @01:30PM (#24618005) Homepage

    Cite my source? I am the primary source. I have a forensic image of such a machine sitting right next to me.

    Not everything on the internet originates at some other place on the internet. Somewhere, original sources actually exist, and they have nothing else to cite.

    I have seen four such infections, all came through hotmail (we think).

  • Re:Hmm (Score:3, Informative)

    by jonbryce ( 703250 ) on Friday August 15, 2008 @02:09PM (#24618711) Homepage

    That's a nice theory, but in practice, I have seen a huge increase in spam recently. Mostly CNN and MSNBC News Alerts that require me to download an updated version of Adobe Flash Player.

  • Re:Already going on. (Score:3, Informative)

    by swilde23 ( 874551 ) on Friday August 15, 2008 @02:43PM (#24619341) Journal
    That doesn't really tell you much though (except for the fact that a prominent spammer died recently).
    I would try looking at something more like this for information about spammers dying in the past few years: http://news.google.com/archivesearch?q=spammer+found+dead&sa=N&lnav=m&scoring=t [google.com]
  • by LearnToSpell ( 694184 ) on Friday August 15, 2008 @02:47PM (#24619393) Homepage

    What are you talking about?

    Beam scores:
    Liukin - 16.125
    Johnson - 16.050
    Yang - 15.750

    I swear, I've never heard anybody but Americans complain about judging in an event that they WON.

  • Re:Hmm (Score:1, Informative)

    by Anonymous Coward on Friday August 15, 2008 @03:48PM (#24620303)

    Very few spammers actually retry for a few reasons:

    1. It's expensive. This is one of the strengths of greylisting. It is more expensive for the sender than the recipient.

    2. Greylisting indicates an administrator with a reasonable level of spam awareness. Chances are fair that your spam will never be seen by anyone on that server anyway.

    3. Relatively few places greylist.

  • by Nitromaroder ( 654383 ) on Friday August 15, 2008 @04:12PM (#24620595)
    Here, in Germany, I've noticed this also: On my private mail server, the SPAM is almost gone (only 1-3 messages per day, instead of 20-30), at work I have similar experience: the amount of continuous SPAM per day is down to 1/10, but, every Thursday or Friday (since three weeks now), we get a huge wave of SMTP connections at ca. 4 pm CEST (from bot nets), which almost breaks down our internet connection. Both systems are using postfix+postgrey+amavis(spamassassin, dcc, razor, etc.). My suspicion: I am assuming my brothers are busy now with Georgia servers, so as long as the conflict in Caucasus is not over... :-P Kind regards, Denis
  • Re:Hmm (Score:3, Informative)

    by orclevegam ( 940336 ) on Friday August 15, 2008 @05:10PM (#24621377) Journal
    Russian Business Network, or RBN, just happens to be one of the largest mafia-run botnets/spam organizations. Seeing as the mafia more or less runs the government over there, it's a semi-legal (as in, no one's going to realistically prosecute them) business that operates a massive for-hire botnet. It's not the only one over there, but it is the biggest and most visible one, so a lot of Russian botnet activity just gets labeled as RBN.
  • Re:Hmm (Score:3, Informative)

    by Capt.DrumkenBum ( 1173011 ) on Friday August 15, 2008 @05:56PM (#24621909)
    Just download it already. Then they will stop bothering you. :)
  • by buss_error ( 142273 ) on Friday August 15, 2008 @06:00PM (#24621951) Homepage Journal

    1. If you've made no configuration changes or patches in the past week, that pretty much lets out program error.

    2. If your ISP is saying they don't do spam filtering, then that pretty much lets that out too, unless your ISP is given to lying to you.

    3. Others point to the cyber war between Georgia and Russia. I'd think that those folks would have their own bots not associated with spamming, but I can't prove that.

    4. It surpasses hope that all the sudden people cleaned up their pwon3d systems.

    5. My spam levels have not dropped appreciably, and I not only have my own domain, but allocations as well.

    6. I have noticed at times in the past that my spam levels do drop by 60, 70, even 80%. They always pick back up before too long. Enjoy a brief respite.

  • Re:Hmm (Score:4, Informative)

    by KillerBob ( 217953 ) on Friday August 15, 2008 @06:23PM (#24622103)

    Unfair moderation much? I hope you get metamodded back into positive, because that post is definitely not a troll. :(
