Forty Percent of All Email is Spam

PCOL writes "There's an interesting article on spam in today's Washington Post which includes an inside look at AOL's spam control center in Northern Virginia. The story reports that roughly 40 percent of all e-mail traffic in the US is now spam, up from 8 percent in late 2001 and nearly doubling in the past six months; that AOL's spam filters now block 1 billion messages a day; and that spam will cost U.S. organizations more than $10 billion this year from lost productivity and the equipment, software and manpower needed to combat the problem."

sure, sure.

[irc.goatse.cx+troll]

And 90% of all statistics are made up on the spot.

Another stat

[techstar25]

Ironic. Forty percent of spam is pork.

40% ...?

[DaneelGiskard]

So who gets the 60% of the regular email I'm supposed to get?

Re:40% ...?

[scott1853]

It's deleted by the spam filters.

Optimistic

[Rosonowski]

I think this is a bit optimistic. I get 300 peices of email a day, and I'm lucky if more then 50 are legitimate mail.

Re:Optimistic

[grylnsmn]

Oh yeah? Well I send over a million emails a day, and I'm lucky if 10 of them are legitimate!

Re:Optimistic

[kring]

I run a small site (~100 users) and our spam filter, which is designed to be relatively forgiving, catches about 35% of the total messages that are handled by our mail server. 40% seems pretty low to me.

Sounds about right to me

[utmslave]

I administer a Spam filter for a state University in Tennessee. Since I began filtering, I have trapped about 42% of all email bound for faculty and staff. Some spam still gets through, but the impact on our pop and imap servers has been greatly reduced.

550 Spammer Go Away!

Re:Sounds about right to me

[Chanc_Gorkon]

With one exception......viruses. Filter these suckers out at the server. This will cut your opps I clicked on something I should not have syndrome.

Re:Sounds about right to me

[Mr+Guy]

Sysadmin for the comp sci department my college set up scripts to change any .vbs file sent as an attachment to, .vbs.ifyouclickonthisanditsreallyavirusIwillholdyo upersonallyresponsiblefordamagetotheschoolscompute rs The IT department for the school, running exchange servers, had to wait for microsoft to issue a patch. While the IT department got pounded with help requests, the comp sci had 0 virus reports. Wonder why...

Spam Control

[cheezus_es_lard]

So, we all agree that Spam is a problem. We all agree that legislating Spam out of existance isn't going to work, due to the international design of the Internet. So what needs to be developed is a backwards-compatible mail transfer protocol that authenticates the user to the sending server and forwards the message to the recieving server, who contacts the sending server back and verifies the user's identity.

I'm no software designer, but surely we could find some concept for migrating off of SMTP and POP and to a better, more secure protocol.

Other thoughts?

-cheezus_es_lard

Re:Spam Control

[JimDabell]

I'm no software designer, but surely we could find some concept for migrating off of SMTP and POP and to a better, more secure protocol.

It's not a technical issue (ignoring open relays, which can already be fixed without changing any protocols).

The fundamental issue is that one of the most important uses of email is to let anybody, anywhere email you, with no hassle. Of course, spammers take advantage of that.

What's needed is accountability. Give someone internet or smtp access? Make sure you have a way of billing them for any spam they send, and put it in big letters when they sign up.

Re:Spam Control

[Ravensign]

I agree with this principle.

At what % do we look around and say, its time for a new protocol with spam avoidance built in?

50, 60, 75?

Take this with a grain of salt

[mrhandstand]

The srticle states that 40% of Internet traffic is Spam. And where does this statistic comec from? From Brightmail...a vendor of anti-spam software. Remember...liars, damn liars, and statisticians

Re:Take this with a grain of salt

[Zathrus]

The srticle states that 40% of Internet traffic is Spam

No, the article states that 40% of email is spam.

Which, frankly, seems low. But perhaps they're including corporate email, which often sees a much lower spam level.

I'm still trying to find estimates on how much of all Internet traffic is from SMTP -- I've seen estimates of anything from 5% to 30%.

Losing a figurative war on spam

[Nonac]

Aside from the AOL spam control center, most of the spam prevention discussed in this email is aimed at trying to stop the sender through legislation and black lists. Legislation will never work, and black lists are marginal.

The answer to this shortcoming in the current email infrastructure is redesigning email protocols to allow spam to be stopped as it is sent.

I don't have the answer, but something that forces the sender to verify that the recipient will accept the message before it is relayed will be a start. I also like the idea that came from Microsoft recently of forcing the sender to pay the recipient a small amount of money.

The problem with bayesian filters is that they filter too much spam. The more people that use bayesian filters, the more messages the spammers will have to send to get through. Because it is almost free to send messages, they will continue to increase the number of messages they send until it gets to a point that email infrastructure can't handle it anymore.

Re:Accuracy

[bheerssen]

A follow up question: how much spam gets past their filters and do they use a standard deviation accordingly to arrive at those numbers? It is conceivable that the actual figure is higher.

Re:Only 40%?

[scott1853]

Maybe you have lots of friends and they're all filling out those "notify my friends" forms?

What say you "just hit delete" crowd?

[walt-sjc]

Citing "Freedom of speach", the first ammendment, etc, there still seems to be an ignorant crowd that thinks that we shouldn't have any legal means to curb spam. They still think technology can solve a social problem. As ISPs put increasingly invasive filters on email servers, legit email gets lost. When 99% of all email is spam, will you STILL think it's ok? When ISP's raise your internet fees due to spam, will you still defend its legality? When you are on the road paying $.50 / minute downloading spam for half an hour, even though your local filter blocks it from your view will you still be happy?

There are people who want to re-invent the email protocol to solve the problem. Yeah, doing something technological can help the FUTURE, but what are we going to do for the 5 years it takes to develop, implement, and deploy this new technology?

Think about it.

Re:What say you "just hit delete" crowd?

[Ed+Avis]

'Using email intelligently' consists of having multiple email addresses and trying to keep them secret? WTF?

Technological solutions will be easiest

[Ed+Avis]

The real problem with spam is the economics: it costs next to nothing to send a message, the only real cost (time) is borne by the recipient. Fix that problem and spam will go away. It doesn't need legislation, which in any case could apply in just one jurisdiction.

A system like Hash Cash could solve the problem. The most popular free mail clients could start including hash-cash postage with each sent message, and then in a couple of years' time start to drop incoming messages that don't have postage paid. AOL could include hash cash in their mail client easily. *Easily*. That spam-detection centre they run is not cheap. Even Microsoft would add hash cash to Outlook, Outlook Express and Hotmail, since it's another encouragement to upgrade to a new Outlook release (which of course requires a new Windows version).

Getting the whole world to upgrade its mail clients is a hard task, but getting every government in the world to pass anti-spam laws and enforce them is much harder. Goodness knows it's bad enough trying to get _one_ legislature to take a sane view on anything technology-related.

isn't it ironic???

[Botchka]

that the biggest purveyor of filling my postal mail box with crap that I haven't signed up for or asked for (ie: cd's and cd holders that are worthless), is now fighting spam. Give me a break! How about they stop mailing those stupid #@%@$%^& cd's and filling the landfills with garbage that doesn't degrade. They are hypocrites!

Spammunition

[BlackjackGuy]

My spam problems have almost entirely gone away since installing Spammunition. It's a bayesian filter for MS Outlook. Wish I didn't have to use MS Outlook but it's a requirement at work.

Bayesian filters are definitely the way to go. They flat-out *work*. Other programs I've used just didn't perform, like Cloudmark Spamnet.

Go after the businesses who pay spammers

[kalislashdot]

You know it's a funny thing because businesses like and hate spam. They like it because it brings in money and they hate it because they have to spend money on spam filters and lost work time.

Here is a possible solution. Spammers cover their tracks. Well instead of trying to go after spammers go after the business that use them. Those businesses MUST be traceable because they include ways to buy their product. If we must make a law, which would only work in the US, it should say "You can't hire a spammer to send your mail". Then when www.pacificmeds.com sends me a spam for "save money on prescription drugs" they can be fined.

Go after the source, not the person who fills the need. Once the need is squashed by the law spam will reduce greatly.

Re:Go after the businesses who pay spammers

[clifyt]

And then what do we do what a company hires an untraceable spammer to send out a million messages with its competitors names?

I know as a youth, one of my hometowns stores fliered the city with a competitors name and fake coupons for a rediclous amount off to give them a bad name when their competition was at its worst.

It finally came out the other guys had done this, but the other store decided to make a promo out of it and honor the coupons anyways...backfiring on the others.

In a smaller town, this sort of thing can be traced back to the source rather easily. On the internet, how are you going to police the fact that PacificMed's greatest competitor (would that be AtlanticMeds) by doing the same sort of thing? Find a spammer in Asia (or one that works for your local college that will simply use Asian relays) and pay them $1000 to send out a million spams either to get them in legal action or simply to give them a black eye in the public's mind.

clif

in other news ...

[borgdows]

after renaming "french fries" Congress has just decided to rename "spam" as "french email" !

40 percent by number or by size ?

[LMCBoy]

According to POPFile only 18% of my email messages are spam, but it's 46% when you take the file sizes into account. The total memory fraction would seem to be a more relevant measurement if you're an ISP concerned about spam's costs.

So, when they say 40%, is that by number of messages or total size?

Sturgeon's Law

[handy_vandal]

Forty percent? That's nothing. Sturgeon's Law states that ninety percent of everything is crap.

White list with pass code

[Continental+Drift]

My Eudora filters allow me to auto-reply to mail coming from someone not already in my address book. The auto-reply tells the writer to try again and put a code word in the subject line, which the filters will then bypass. This is very effective, and since I implemented it, I don't see spam. It is a bit of a pain for people writing to me the first time.

Now, a white list like this can be bypassed by a spammer claiming to be a friend of mine. It can't claim to be me, because my filters automatically delete anything sent to my address claiming to come from me. I'm wondering if anyone else who has implemented a white list for themselves has seen any problems with it.

more like 60-70%

[Cheeze]

i run a small isp's mail server system (~30k accounts) and just our dnsbl blocks about 60% of all incoming e-mail. spamassassin and various other techniques pick out about 5-10% more of the overall.

Blocking spam before it gets to our main mail server has extended the life of our mail server indefinately. The less we have to spend on hardware, the more time and energy we can spend on building quality of service for our customers. That keeps the customers happy, and keeps the business people doubly happy, since they don't lose customers and don't have to buy new hardware every year for a mail system.

yep, we're all doomed

[gse]

One billion spam email a day, just through AOL. Gosh.

I figure I get about 425,000 a day myself at this point (er, give or take). It's at the point where it's getting painful to go through my SpamAssassin "caughtspam" folder. But there are still enough false positives (really, one is enough) that I can't send the whole thing to /dev/null.

Meanwhile, I'm accruing a great collection of classic spam subject lines. Some examples (all real):

• "I don't need your social security number yet"
• "this mom loves to stick hot dogs up her cooch"
• "Pill to Increase Your Ejaculation by 581%"
• "i am not perfect but i suck c0ck"
• "I got revenge by fucking! Here's proof :)"
• "Mission: To fuck as many mothers as I can!"
• "Fucking Machines! 13IN, .5HP, 350RPM"
• "Your slut wife boss need some action!"
• "#1 COLON CLEANSER! SEE PROOF"
• "Maybe your pets dream of intercourse with you"

Mmmm, society at its finest.

What the article didn't say

[jj_johny]

AOL does no filtering on the content only on the header information. It does nothing with the content of the email messages. It forwards every mail that is accepted by its mail servers to the users. Thats why AOL only blocks about 50% of the stuff. Even if they accepted the mail, they should be deleting or giving me the option of deleting without seeing every mail that wants to increase my unit's size or my wife's boobs and the pharmacy come ons and the Norton junk. But AOL continues to act like a single lost email is the end of the world. Well give the users some tools and let them decide. No wonder they are losing subcribers, they don't know how to deal with the number one annoyance on the internet today.

Sliding scale

[phorm]

I think this could almost be measured on a sliding scale based on lifetime of an account. Once a user opens a new account - unless the email address is easily guessable or his email provided sells it off - spam volume per real email will be low.
Then, you get a few friends your email. General email volume increases. You sign up for some server or other and forget to use a protect email... spam starts to drip in.
A little while later, the drip becomes a trickle as your email gets sold again, and again, and spreads like splitting amoebas.
Then... a few friends send you e-cards around Christmas, or invite you to some joke sites etc. Not your really gonna get it (I strongly b*tch-out any who e-card me at my work address).

To top it off, a LUG or whatever you are posting to puts their history on a public website... you start getting picked up by spam-spiders.

So over time, one will go from maybe 0-5% spam, to 50+% spam. As more people get you in their address books, the more likely it is that somebody will let your email slip to a spam-source. And spam-sources sell your email to other spam-sources... it spreads like wildfire.

The best way to protect yourself is to use a difficult-to-guess, 9+ character email, for which you never sign up for anything with, and only give to people you trust not to e-card you or have "sniffers" installed on their system which gives away the address book. Using bounce addresses might help also, as you could then switch bounces but still pull from the main email, and then filter the ones that get messy or drop them.

Terrorism!

[fredrikj]

$10 billion, that's a lot of money, and therefore an argument that George W. Bush might listen to. So, how about lobbying the US government into declaring spam "terrorist activity"? Just imagine the concept of special troops hunting down spammers, then locking them up without without a trial and throwing away the keys. Unless you bombed them off the face of the earth directly... In either case, we could even laugh our asses off while watching it live on TV!

The spam is hidden, not gone

[phorm]

The problem is, you are still getting spam. The filter may block you from seeing most of it, and it may stop you from getting tags with linked images, etc... but it's still coming in.
You, and your ISP, are paying for the bandwidth it uses. And if you ever had to travel and get email by dialup/cellphone... you can expect that you'll notice spam simply by the large delays it takes you to download email.

Client-side filters only mask the problem... it's like having an air-freshener and big fan in a public washroom.... the stink is still lingering in the background.

Re:My tests shows

[Zaknafein500]

On the server I administer, I have a nightly cronjob set to parse the spamassassin logs, and email me the stats.

Since the logs were cycled on Sunday morning, there have been 8332 messages, 5824 of which were spam, for a percentage of 69.89%.

This number has increased substantially over the last 3 weeks. This time last month we were below 50%.

Re:How much "real" mail is lost?

[dubl-u]

The problem with filters at the ISP/Mail Server is that one persons spam is anothers desired mail. How do correct for this?

Those few people can type "enlarge my penis" into Google and click on a link that comes up.

Only for AOL?

[www.sorehands.com]

The article stated the figure came from Brightmail not AOL.

If it was AOL or Verizon, then I would think that the numbers would be skewed as they have sued spammers and those spammers have agreed not to send spam on those networks.

Grasshopper, remember the two rules of spammers.

1. Spammers lie.

2. If a spammer says anything, see rule 1.

Re:Spam is like TV advertising

[magarity]

Umm, televison advertisements subsidize television programming. Junk mail subsidizes postage. Newspaper ads, radios ads, magazine ads, etc, etc do the same for their respective mediums. How does spam help pay for my internet connection? ABSOLUTELY NOT AT ALL. All it does is increase my ISP's costs on behalf of a freeloading spammer.

40% is an understatement

[Burdell]

I just installed an upgraded spam filter server at the ISP I work for, and we are now filtering out almost 70% of inbound mail as spam (with basically zero false positive complaints). We combine Brightmail with the three main MAPS lists (RBL, DUL, and RSS), as well as the basic DNS based checks (for valid domains, etc.) built into the mail server, with Brightmail catching the most by far.

You can see our mail stats here.

Re:now i get spam

[You're+All+Wrong]

Nice innit?

However did you notice in the article it said:
"nearly doubling in the past six months, according to Brightmail Inc., a major vendor of anti-spam software."

So I'm not 100% sure the stats can be believed - it's in their interest to tell you it's all doom and gloom. It's even in their interest to have you spammed, but that of course would be conspiracy theory central...

YAW.

100%-ish effective spam-prevention technique

[UberQwerty]

I have a real, useable e-mail account that never recieves any spam at all, and I never delete/filter legitimate mail! How is this possible?

I have two e-mail addresses. One gets nothing but spam, and the other gets no spam at all.

I have a free account at hotmail.com and a private one on a server that isn't owned by a big business. When I'm giving my address to someone I know personally, I give the private one. When I have to give an e-mail address to sign up for some service or to get some account, or basically whenever I'm giving my e-mail address but I don't know who is getting it, I give my hotmail account.

Result:
-My hotmail account occasionally gets confirmation e-mails when I've just created one of those free accounts for some website, but I always know when they're coming. Otherwise, it just collects spam, which I periodically delete (and block the addresses it came from).
-My personal account never gets spam.

(I have a university account that forwards to my private account, so occasionally it gets what could be called "spam" that's aimed at univ. students, but if I stop the forwarding it stops the spam, so I don't really have a problem.)

Re:100%-ish effective spam-prevention technique

[gdr]

This works until one of your friends enters your email address into a form on the web (say to send you a electronic birthday card) and it gets added to a spammers list.

It's also possible that a spammer could harvest email addresses using a Outlook virus that infected one of your friends or anyone who has been sent an email that has your email address in the header (or body for that matter).

I don't know if these sort of viruses are common but if they're not now they could be in the future.

Having multiple email addresses is a good idea but, unfortunately, not a perfect solution. Once your "safe" email address is in the hands of a spammer they can pass it on to other spammers and it can become unusable quite quickly.

Re:Accuracy

[corbettw]

Umm, what AOL is doing is right and proper. Is your host the MX record for a domain? No? Then noone should be accepting mail from it. Can your host be authenticated with reverse IP look-ups, crosschecked with MX? No? Then, again, noone should be getting your mail. (All except your own ISP, that is.)

This might be inconvient for you, but this system exists as a deterent to spammers. Don't like it? Get your own IP addresses for home use or host your own domain somewhere (that's what I do).

Disposable Email Addresses -- Effective?

[angle_slam]

Does anyone here use a Disposable email address service? Examples of such services include the following:

• Spam Gourmet
• Spamex
• Sneakemail
• Mailsehll
• Emailias

General information about disposable email addresses can be found in this PC Magazine article and this about.com article.

Briefly, I'll explain how they work in theory. After signing up with a disposable email service, they give you a disposable email address that you can, for example, enter into forms. Mail sent to that disposable email address gets automatically forwarded to your email account of choice. But here's where they supposedly come in handy. You can sign up for a different disposable email address everytime you fill in a web form. If you start getting spam, you can look at the disposable email address the spam was sent to and you can do 2 things: (1) cancel the disposable email address so you no longer get spam sent to that address; and (2) you know who gave out your disposable address and you can take whatever action you deem appropriate.

This seems like a cool product, in theory, but I haven't seen anyone with real world experience with these services. If anyone here can describe their experiences, it would be greatly appreciated.

Charge Spammers For Spell Checking

[kotku]

I just created a web site whose terms of service are that if you send an email to the email address listed then you will be charged for spell checking the email at £10 a character. Anybody want to advise on what my chances of collecting are ?