Where Has All My Spam Gone?
An anonymous reader writes "I have my own domain, which has its own email server, where I receive all my personal email. I've been getting about 800 emails a day, of which perhaps 20 are real. Suddenly, Sunday or Monday evening, the spam pretty much stopped. My volume of mail has plummeted to less than 100 a day, and as far as I can tell, I'm not missing any real mail — I'm still getting the email list subscriptions I'm expecting, and every time I ask someone to send me a test message, it gets through. My domain host insists that it doesn't do any spam filtering before mail gets to my inbox, and that they've changed nothing about their configuration. I run SpamAssassin on my server to mark, but not delete, spam, and download the whole mess to my home client, and I'm still seeing the occasional message tagged by SpamAssassin. But it's virtually all gone. And I haven't changed anything about my own mail configuration, or the harvestability of my site (my personal email has been harvestable for almost a decade). So what's going on? I can't believe that several major botnets would have vanished overnight. Any ideas?"
I can forward you some of mine if that helps... (Score:3, Interesting)
I can kinda confirm this. (Score:5, Interesting)
I run a web hosting company and over the past couple weeks I've had a few customers report that the amount of spam has dropped. Of course, they thought that this was something wrong, but I couldn't find any evidence of increased failures, it was just that there was slightly less mail coming in.
Botnets current tasked to higher priority jobs (Score:5, Interesting)
http://it.slashdot.org/article.pl?sid=08/08/12/191255&from=rss [slashdot.org]
http://bits.blogs.nytimes.com/2008/08/11/georgia-takes-a-beating-in-the-cyberwar-with-russia/ [nytimes.com]
When the crisis abates, I expect the botnets will be returned to their regularly scheduled duties. Quite a versatile tool those botnets -- pimping V!agr4, collapsing government sites, enhancing the male doodad, distributing pr0n, bullying your neighbors (http://news.bbc.co.uk/2/hi/europe/6665145.stm [bbc.co.uk]). For the cost of one M1A1 tank tread, Putin bought himself a whole lot of firepower.
Advantage: Putin.
headless botnets (Score:5, Interesting)
We've been seeing botnets changing desktop background to an image alerting people that they are infected with a virus. Obviously a real spam botnet operator would not alert people like that.
My theory is that some grayhat wrested control of a major botnet, and is shutting it down from the source (and alerting the victims in the process).
Re:I can forward you some of mine if that helps... (Score:5, Interesting)
That might actually be a not bad idea. Sending him something that can be confirmed as having been sent, and as being spammy.
Russian botnets being devoted to other purposes? (Score:1, Interesting)
Re:Botnets current tasked to higher priority jobs (Score:3, Interesting)
For the cost of one M1A1 tank tread, Putin bought himself a whole lot of firepower.
This is so obviously the answer that the parent needs to get to +5 Insightful as soon as possible and that can be the end of the story.
Olympics (Score:0, Interesting)
The Chinese spammers are too busy with the Olympics right now...
Spam on newsgroups down too (Score:2, Interesting)
Re:I'm getting it (Score:5, Interesting)
Sneaky
Try forwarding spam through ISP (Score:5, Interesting)
Here's a thought... (Score:4, Interesting)
It's not too-well publicized, but the Russian Business Network (AKA spammer filth) have been using (renting?) a large chunk of their botnet space to attack Georgia. Here's a bit of detail. [blogspot.com]
Maybe they just didn't have enough bandwidth to spam the planet AND take down Georgia's systems through a DOS.
Re:I'm getting it (Score:5, Interesting)
We've been getting a lot of "reverse spam"...The organizational emails are necessarily public, so some enterprising Russian has harvested the entire set and is using them as "REPLY-TO" addresses, so we get all the bounce messages from their damn spamming.
It's all the fun of having an exploited mail server without actually having an exploited mail server. The mail doesn't actually come from us so we're not having any blacklist problems, but the floods of bounce messages zip right through the spam filters and piss off the users.
Hard to tell if I lost 200 SPAM emails. (Score:2, Interesting)
My personal server gets a few more mails than the poster.
  # of SPAM   Week Ending
     172709   Aug ** (only 5-day stats)
     198878   Aug 10
     217882   Aug 3
     207318   Jul 27
     230533   Jul 20
     265463   Jul 13
     311635   Jul 6
     450349   Jun 29
     311850   Jun 22
     225500   Jun 15
     317484   Jun 8
Make of those stats what you will ...
Re:One down (Score:4, Interesting)
Did you read the article? "...as the messages and phishing hooks were all sent in Dutch,..."
Since the original poster didn't mention what portion of his spam was arriving written in DUTCH, we can't say for sure, but it appears, as the article says (up near the top too!), this botnet, while large, was almost completely confined to the Netherlands.
I'll save you the reply too, should you go back and read the article, the rest of the sentence I quoted above says "...but had apparently infected some US systems as well, as the FBI is credited for assisting on the case." However it does say that ALL the messages were sent in Dutch.
Probably not our boy's spam.
Something did change... (Score:5, Interesting)
I've just checked my work's logs (an ISP). The number of hits in the spam taggers fell from 12/sec to 3/sec earlier this week.
So either we're identifying less spam, or there is in fact less of it.
Re:Spammers are busy (Score:2, Interesting)
ahh, so you're one of those that believe it is Bush's fault Russia did this. Watching much Russian state tv lately? Do you believe the Earth is flat, too?
How about we say that what the Russians did was, well, the Russian's fault. And your "quagmire" crap is looking weaker and weaker these days. We're the evil ones, right? Because when we went into Iraq, we were looting and robbing banks? [thesun.co.uk]
Re:Hmm (Score:5, Interesting)
then he proceeded to escape, kill his wife & baby daughter (a teenager escaped) and then himself.
pretty crazy, no?: http://www.dailycamera.com/news/2008/jul/26/spam-king-murder-suicide-surviving-daughter-in/ [dailycamera.com]
Re:Hmm (Score:5, Interesting)
There's something to that, even if the original poster's claim of not having spam anymore is local to him through unknown upstream changes.
It's long been suspected that the Russian government and Russian organized crime have cooperative links, if not outright overlapping "membership" (Putin is FSA/KGB, and it's well known that ex-KGB members have been deeply involved in the Russian Mafia).
With this in mind, it's not hard to speculate that if botnets controlled by Russian organized crime were put to use against pro-Georgian assets, the ensuing defenses, publicity and exposure at the political/military level could possibly cause these botnets to be far more vulnerable than they otherwise would be in the course of normal criminal activity.
This higher level exposure might lead to weakening them and reduce their effectiveness at normal tasks like spam.
It's also possible they may be overutilized and prioritized for cyberwarfare and not for spam.
Re:Hmm (Score:3, Interesting)
I wanted to use greylisting here but the idea was shot down, as some people actually expect people to be nearly instantaneous and if it's not, they moan and groan.
Doesn't matter how many times I try to explain that isn't how e-mail is supposed to work, that it's unreliable, etc, they still expect to hit send, then tell someone to check their mail 30 seconds later and it's there waiting.
Spam seems to be fairly steady here, perhaps up a tad. Here's the Monthly graph from our main filter [the-ori.org] (not from that domain, FYI.)
Re:Hmm (Score:5, Interesting)
After I read this article [slate.com] yesterday (single page [slate.com]), that's what I thought: given all the spammers that are Russian, there's a chance there might be a slowdown in spam as patriotic Russians "pitch in" by helping DDOS Georgian resources.
It's pretty amazing if you read that article how easy it was for just an average person to find out how to "volunteer" for the Russian army: independent helpers have made it so you can find out which Georgian sites you should ping in order to maximize your effectiveness, and have programs that you can download that do most of the work with minimal hassle.
However:
a) According to most posters, spam hasn't actually abated.
b) Spammers wouldn't do something as selfless as pitching in for their country.
Re:Hmm (Score:3, Interesting)
In fact, the srizbi botnet (that used to generate more spam than all the other botnets together a few months/weeks ago) handles those rejects, retries and ends up sending the spam.
Maybe the "missing spam" problem is that greylisting was in use since long ago (but srizbi was making spam go through) and something happened with this particular botnet, i.e. now it just focuses on Georgia, or the main controller got sick or arrested, and this particular source of spam dropped (and greylisting kept stopping the "normal", stupid-enough spam).
A good way to complement spam source filtering through greylisting is to block home/dynamic IPs, ranges where mail servers aren't supposed to be, but where the majority of personal PCs (that get owned by botnets) are. Spamhaus PBL, e.g., has this particular target (or ZEN, which combines this one with other known sources of spam).
Re:Hmm (Score:2, Interesting)
It depends on your setup - for directly mailed SPAM you could be correct.
Me? I'm a Debian developer, so I get about 500 mails a day routed from the MX machine handling @debian.org.
If it accepts SPAM then their MX will happily retry - end result is that greylisting on my side will accomplish nothing.
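The greylisting behaviour discussed in the last two comments, as an added example that is not part of the original thread: a tuple-based greylist that tempfails first contact, accepts a correct retry, and a constructed stand-in for a dynamic-IP policy list (a real deployment would query Spamhaus PBL/ZEN over DNS). All IPs, addresses and ranges are made up for the example. It shows why a bot that retries (like srizbi) or a relaying MX (like the debian.org one) gets through, while a fire-and-forget bot or a dynamic-range host does not.

```python
import ipaddress
from dataclasses import dataclass, field

GREYLIST_MIN_DELAY = 300     # seconds a sender must wait before a retry counts
GREYLIST_WINDOW = 4 * 3600   # how long a pending triplet is remembered

# Constructed stand-in for a dynamic/home-IP policy list such as Spamhaus PBL.
# These ranges are made up for the example; production code would do a DNSBL query.
DYNAMIC_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]

@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    passed: set = field(default_factory=set)      # triplets that retried correctly

    def decide(self, now, ip, mail_from, rcpt_to):
        """Return the SMTP-level verdict for one delivery attempt."""
        if any(ipaddress.ip_address(ip) in net for net in DYNAMIC_RANGES):
            return "550 reject: dynamic/home address"   # PBL-style block first
        triplet = (ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return "250 accept"                          # known-good sender
        first = self.pending.get(triplet)
        if first is None:
            self.pending[triplet] = now
            return "450 try again later"                 # first contact: tempfail
        if now - first > GREYLIST_WINDOW:
            self.pending[triplet] = now                  # entry expired, start over
            return "450 try again later"
        if now - first < GREYLIST_MIN_DELAY:
            return "450 try again later"                 # retried too fast
        del self.pending[triplet]
        self.passed.add(triplet)                         # a proper retry: let it in
        return "250 accept"

def run(attempts):
    """Feed a list of (time, ip, MAIL FROM, RCPT TO) attempts through one greylist."""
    g = Greylist()
    return [g.decide(*a) for a in attempts]

# Constructed delivery attempts, in time order.
ATTEMPTS = [
    (0,   "192.0.2.10",   "list-bounces@example.org", "me@example.net"),  # real MX
    (600, "192.0.2.10",   "list-bounces@example.org", "me@example.net"),  # MX retries
    (0,   "203.0.113.77", "x@example.com",            "me@example.net"),  # dynamic IP
    (5,   "192.0.2.99",   "spam@example.com",         "me@example.net"),  # bot, first try
    (7,   "192.0.2.99",   "spam@example.com",         "me@example.net"),  # bot, too fast
    (400, "192.0.2.99",   "spam@example.com",         "me@example.net"),  # retrying bot
]
```

The last attempt is accepted, which is exactly the srizbi-style case above: greylisting alone only stops senders that never retry, so the dynamic-range block is what catches the rest.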
Re:Oops... (Score:3, Interesting)
Netflix is down, and this guy's spam stops.
Coincidence?
Re:I'm getting it (Score:3, Interesting)
That's a patch, I think you're talking about. And applying a patch is quite easy.
Today, with the qmail source in the public domain, yes, it's much easier. But, when you couldn't distribute pre-patched versions of qmail, it was a relative bear, since as you mention, multiple patches became a nightmare. This was the first of many decisions by DJB "in the name of security" that are just unimaginably stupid. Plus, his refusal to incorporate such patches because they weren't his code...well, I'll just say it isn't the first time in history that ego has limited product quality.
I mean, is there a point to bashing qmail so?
The "sendmail security holes" were generally issues that, yes, could cause problems, but were highly unlikely. They were discovered and shut down. And, for about a decade, sendmail has been a solid platform that can be extended quite nicely to handle the current requirements of anti-spam, anti-virus, etc., all while still remaining interoperable with pretty much everything else on the net.
qmail got its bad reputation because it was an open relay out of the box. Any MTA that sends an e-mail to the sender's choice of recipient when that recipient isn't local (or a known alias/forward) is an open relay. And yet, people thought it was "more secure than sendmail".
Not only that, but it became impossible for spammers to verify that any address was real unless they wanted to use a valid and potentially traceable return path.
There is no such thing as "valid and potentially traceable return path" when you use the data supplied by the potential spammer as your source for what is "valid". The only thing truly "valid and traceable" in SMTP is the IP address that connected to your server. That's where the result message (error or not) has to go, and, again, out of the box qmail chose not to do this because DJB couldn't figure out a way to make this "secure". Yet, out of the box, sendmail manages to accomplish this without backscatter spam.
Most of the design decisions made by DJB on qmail were based on a misunderstanding of the real world way that SMTP works across the Internet. As a local-only mail system, it's secure and not too broken. When connected to the Internet, it's only slightly better than Exchange at being a good SMTP server.
Re:Hmm (Score:3, Interesting)
Well, I have 3 main addresses and one has dropped from 30 a day to maybe 5, a second blipped down as well but is going back up again and the third (an alias I can't get rid of) gets everything routed to the bin anyway so I don't know.
Still, spam has almost died on my main address. No complaints here.
Same "problem", different time (Score:1, Interesting)
I had the same "problem" around half a year ago (give or take a year), suddenly the amount of spam dropped significantly to almost zero and I immediately suspected someone had activated a spam filter without my knowledge. Which is something I would not want because I have a pretty good spam filter that still allows me to double-check to avoid false positives.
I checked and double-checked all my e-mail providers, but spam filtering is off everywhere. Which still did not quite put my mind at ease; I was still afraid I was missing real e-mails.
But since you have the same situation, I guess we were both just lucky to be listed on only a few major botnets that were suddenly killed.