sudden low spam levels?

I have two independent mailservers, and two other customers that run their own
servers, all largely unrelated infrastructures and target domains, suddenly
experiencing low levels of spam.

Total emails/day dropping from some 175,000-250,000ish to 50-75,000ish (legit
mail in the 2-5,000 per day, yes I have some high spam:legit customers...). 3
days in a row now at least, at quick glance.

Did someone set up them the bomb?

/kc

We filter spam for over 2000 domains and I don't see any noticeable drop in
payload. I have noticed that over the past few months greylisting has become
MUCH more effective than it used to be... looks like spam delivery is moving
more from snowshoe infrastructure towards botnets.

There's definitely been a drop-off in spam levels over the past week, which
comes on top of a general drop over the past few months.

Although far from a great indicator of global levels, the following two
graphs give a good idea of what's happening on a relative basis:
Past Month - http://www.spamcop.net/spamgraph.shtml?spammonth
Past Year - http://www.spamcop.net/spamgraph.shtml?spamyear

The numbers for December are especially unusual, as with Christmas coming
it's normally one of the higher months for spam.

The drop-off since September is mainly due to the closure of
spamit.com (pharma spam referral company), although I haven't seen any
reports of what's caused the drop-off in the past week or so.

  Scott.

> I have two independent mailservers, and two other customers that run their own
> servers, all largely unrelated infrastructures and target domains, suddenly
> experiencing low levels of spam.

> There's definitely been a drop-off in spam levels over the past week, which
> comes on top of a general drop over the past few months.

According to the Symantec "December 2010 State of Spam & Phishing Report", spam is reducing

http://www.spamfighter.com/News-15570-Spam-Volume-Continues-to-Decrease-Symantec.htm

I have seen various reports relating this to the taking down of
this or that botnet (see, e.g.,

http://www.eweek.com/c/a/Security/Botnet-Holiday-Spam-Levels-Drop-for-Christmas-566115/ )

but I would take that with a big grain of salt.

Regards
Marshall

Ken Chase wrote:

> I have two independent mailservers, and two other customers that run their own
> servers, all largely unrelated infrastructures and target domains, suddenly
> experiencing low levels of spam.
>
> Total emails/day dropping from some 175,000-250,000ish to 50-75,000ish (legit
> mail in the 2-5,000 per day, yes I have some high spam:legit customers...). 3
> days in a row now at least, at quick glance.
>
> Did someone set up them the bomb?

Something killed off RuStock at Xmas.

Matt.

Connection and rejection counts have been going bonkers of late for me.
I run filters for a number of small businesses so I don't see huge
amounts of traffic, but it's usually fairly regular in volume of mail
and rejected attempts.

Leading up to the 21st of December, it was fairly level but low at
60-90% normal volume of rejections per day, then the 22nd went to 200%
followed by a low of 30-50% normal for 23-29th. On the 30th through the
1st of Jan, the Storm? bot went nuts and rejections went to at least
500% normal (entirely on cheap checks - HELO, rDNS).

After that, I had to go double check the mail servers were actually
running all the time as rejection counts hit 2-10% normal. I
haven't seen an obvious Storm bot type connection since.

Did someone kill the botnet? Or have the virus writers finally
decided to change tack? Or have they hunted out all the servers that
reject every single attempt and no longer send to them?

The only thing I can be certain of, is that they'll be back and my spam
levels will be back to normal sometime soon.

I noticed a substantial drop in spam in my gmail account in recent days,
from several hundred a day to maybe a hundred. Ironically, gmail filtered
this thread to my spam folder.

Cheers,
Jayfar

Yes, I found these messages in my gmail spam today, too. Lately, gmail has
been regularly flagging NANOG as spam, particularly the end of week
CIDR and BGP reports.

Not being a gmail user this may be a stupid question: can't you
whitelist things in gmail? The ratio of spam/ham on NANOG is pretty good.

~Seth

Yes, you can; I did it a while ago as some messages were going to spam for me
also. Even a few from this thread would go to spam if not for filtering.

And when it does that, at the top of the message it says "Due to a
filter you created, this message was not sent to Spam. Edit Filters"

See http://krebsonsecurity.com/2011/01/taking-stock-of-rustock/ for a discussion of recent spam level trends.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb