Where Has All My Spam Gone?

An anonymous reader writes "I have my own domain, which has its own email server, where I receive all my personal email. I've been getting about 800 emails a day, of which perhaps 20 are real. Suddenly, Sunday or Monday evening, the spam pretty much stopped. My volume of mail has plummeted to less than 100 a day, and as far as I can tell, I'm not missing any real mail — I'm still getting the email list subscriptions I'm expecting, and every time I ask someone to send me a test message, it gets through. My domain host insists that it doesn't do any spam filtering before mail gets to my inbox, and that they've changed nothing about their configuration. I run SpamAssassin on my server to mark, but not delete, spam, and download the whole mess to my home client, and I'm still seeing the occasional message tagged by SpamAssassin. But it's virtually all gone. And I haven't changed anything about my own mail configuration, or the harvestability of my site (my personal email has been harvestable for almost a decade). So what's going on? I can't believe that several major botnets would have vanished overnight. Any ideas?"

Hmm

[geminidomino]

*Checks mail logs*

Yeh, you need to ask the ISP again. No sign of slowing here.

Re:Hmm

[urbanriot]

Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.

Re:Hmm

[ElizabethGreene]

A group of the original SpamAssassin developers got together with a group of mercenaries and created SpammerAssassin. It's in alpha, and looks good except it seems to have started a teeny-tiny war in the eastern bloc. Oops. They have an open bug ticket on it.

:D

Re:Hmm

[Southpaw018]

Thirded over here. Solid 7000/day for months (small business).

Re:Hmm

[oldspewey]

Seriously though ... if spammers started turning up dead where would the police even begin their investigation? There's only a pool of what, half a billion suspects?

Re:Hmm

[VenomPhallus]

Yup, and here; still getting 250 a day+ or so.

Maybe they finally clicked that you've already got a huge penis and legendary bedroom performance?

Re:Hmm

[tha_mink]

Perhaps the botnets are busy fighting amongst themselves, vis a vis the Georgia v. Russia conflict.

Re:Hmm

[im+just+cannonfodder]

all the USA spam servers are currently in use targeting Georgia so they can continue their anti-russia propaganda.

Bush and the Georgia-Russia conflict

http://www.indymedia.org.uk/en/2008/08/406684.html

Re:Hmm

[y86]

Agreed. No changes in spam over here, my domain is still receiving the daily average of about 100 per day.

You should REALLY consider trying postgrey.

http://postgrey.schweikert.ch/

Postgrey on non whitelisted servers rejects the first mail attempt with a fail. The sending email server will retry X times, but the 2nd time it accepts it and adds the server to the whitelist.

Postgrey will add a 5 minute lag to an email that's sending server has never sent an email to you. It's worth it to screw the spammers zombies over IMHO.

Also, I would check your postfix/whatever you are using for a mail servers policy. I get 0 spam emails now and my address is posted all over the web.

I do have spamassassin running as well with sieve filtering to put what is marked as spam in a junk folder but the junk folder is empty, every now and then I'll see something -- but very rarely. Like once every 2 months.

Here's my spam prevention system :-)

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    check_policy_service inet:127.0.0.1:60000

Re:Hmm

[jdray]

Actually, I just checked one of my e-mail addresses that has historically gotten about a hundred a day, and the Spam bucket only has 26 for yesterday and similar numbers for the last couple of days.

I read recently about some big spam king (czar, whatever) that got arrested. I wonder if taking him out of the equation actually had an effect on the world.

Re:Hmm

[skolima]

+1 Insightful or +1 Funny? Tough call..

Re:Hmm

[Like2Byte]

Perhaps the botnets are busy fighting amongst themselves, vis a vis the Georgia v. Russia conflict.

Ok, Agent Mulder, settle down.

Re:Hmm

[xtinct]

yeah, that guy got arrested & sentenced to minimum security prison.

then he proceeded to escape, kill his wife & baby daughter (a teenager escaped) and then himself.

pretty crazy, no?: http://www.dailycamera.com/news/2008/jul/26/spam-king-murder-suicide-surviving-daughter-in/

Re:Hmm

The Russian spammers can't get bandwidth because the military is busy using it against Georgia.

Re:Hmm

[j-cloth]

A huge second to PostGrey. It kills 90% of my incoming spam before it even touches spamassassin. However, I have noticed a few people who receive failure messages from their mail systems telling them that they've been greylisted before the mail goes through. Then uppy-ups whine to me.

Re:Hmm

[sexconker]

Every single day I get 4 or 5 copies of the "Paypal Dispute Transaction" shit.

Re:Hmm

[Kjella]

Sure... and when a big mafioso is killed, it's the small shop owners that are the suspects. Riiiiight. Find out who's running the botnet now, and you got your prime suspect.

Re:Hmm

[petermgreen]

I use greylisting, it reduced spam to almost zero for a while but then it gradually climbed back to previous levels and more.

Re:Hmm

[swb]

There's something to that, even if the original poster's claim of not having spam anymore is local to him through unknown upstream changes.

Its long been suspected that the Russian government and Russian organized crime have cooperative links, if not outright overlapping "membership" (Putin is FSA/KGB, and its well known that ex-KGB members have been deeply involved in the Russian Mafia).

With this in mind, its not hard to speculate that if botnets controlled by Russian organized crime were put use against pro-Georgian assets, the ensuing defenses, publicity and exposure at the political/military level could possible cause these botnets to be far more vulnerable than they otherwise would be in the course of normal criminal activity.

This higher level exposure might lead to weakening them and reduce their effectiveness at normal tasks like spam.

Its also possible they may also be overutilized and prioritized for cyberwarfare and not for spam.

Re:Hmm

[Random+BedHead+Ed]

Oh ... so you're address is bill@billrocks.org? Interesting ...

Re:Hmm

[Random+BedHead+Ed]

Not sure if we've exchanged comments before, but I have some genuine replica watches of the finest quality.

Re:Hmm

it's YOUR not YOU'RE *shoots you*

Re:Hmm

[Random+BedHead+Ed]

Also, visit my Canadian Pharmacy online drugstore to choose from a great selection of products of high quality produced according to the strict pharmaceutical standards.

Re:Hmm

[Fez]

I wanted to use greylisting here but the idea was shot down, as some people actually expect people to be nearly instantaneous and if it's not, they moan and groan.

Doesn't matter how many times I try to explain that isn't how e-mail is supposed to work, that it's unreliable, etc, they still expect to hit send, then tell someone to check their mail 30 seconds later and it's there waiting.

Spam seems to be fairly steady here, perhaps up a tad. Here's the Monthly graph from our main filter (not from that domain, FYI.)

Re:Hmm

[DriedClexler]

After I read this article yesterday (single page), that's what I thought: given all the spammers that are Russian, there's a chance there might be a slowdown in spam as patriotic Russians "pitch in" by helping DDOS Georgian resources.

It's pretty amazing if you read that article how easy it was for just an average person to find out how to "volunteer" for the Russian army: independent helpers have made it so you can find out which Georgian sites you should ping in order to maximize your effectiveness, and have programs that you can download that do most of the work with minimal hassle.

However:

a) According to most posters, spam hasn't actually abated.
b) Spammers wouldn't do something as selfless as pitching in for their country.

Re:Hmm

[TTURabble]

So Saakashvili is getting 100 emails a minute about pen1s enlargement?

Re:Hmm

[wmbetts]

I use to read a lot of not so nice forums when I was really into Info Sec and I always heard them referred to as "The Russian Business Network"

Re:Hmm

[Teun]

No change at my ISP: http://www.xs4all.nl/en/veiligheid/statistieken.php

Re:Hmm

[christianT]

IIRC SpammerAssassin is built on JBASH (Jason Bourn Again Shell)

Re:Hmm

[gmuslera]

Greylisting have one main vulnerability. What if the software used to send the spam handles that temporary rejections and retries with the same ip, same from, same to? It dont targets spam per se, just targets badly behaved mail senders.

In fact, the srizbi botnet (that used to generate more spam that all the other botnets together few months/weeks ago) handle those rejects, retries and end sending the spam.

Maybe the "missing spam" problem is that greylisting was in use since long ago (but srizbi was making spam going thru) and happened something with this particular botnet, i.e. now it just focus in georgia, or the main controller got sick or arrested, and this particular source of spam dropped (and greylisting kept stopping the "normal" stupid enough spam).

A good way to complement spam source filtering thru greylisting is to block home/dynamic IPs, ranges where mail servers arent supposed to be, but where are the majority of personal pcs (that gets owned by botnets). Spamhaus PBL i.e. have this particular target (or zen that combines this one with other known sources of spam)

Re:Hmm

[protolith]

is also getting far less spam now for a couple weeks

I think that's about to change.

Re:Hmm

[stevey]

My mail filtering service is currently hovering around 2.3 million mails - which is a little down from its peak.

Still these things tend to even out over time; a few days/weeks of lower-than-average SPAM totals then a few more of higher than average.

With only a couple of domains, anecdotally at that, I'd be inclined to assume nothing has changed significantly.

Re:Hmm

[stevey]

It depends on your setup - for directly mailed SPAM you could be correct.

Me? I'm a Debian developer, so I get about 500 mails a day routed from the MX machine handling @debian.org.

If it accepts SPAM then their MX will happily retry - end result is that greylisting on my side will accomplish nothing.

Re:Hmm

[jdmetz]

A good way to complement spam source filtering thru greylisting is to block home/dynamic IPs, ranges where mail servers arent supposed to be, but where are the majority of personal pcs (that gets owned by botnets). Spamhaus PBL i.e. have this particular target (or zen that combines this one with other known sources of spam)

Please don't. There is no reason that mail servers shouldn't exist on home/dynamic IP addresses. This is one area where I'm actually happy with my AT&T DSL service - they block outbound port 25 connections by default, but allow you to opt out of the blocking if you want to run your own mail server.

Re:Hmm

[jcr]

Spammers wouldn't do something as selfless as pitching in for their country.

Who says it's selfless? Maybe they cut a deal with Putin where they attack Georgian computers, and Putin doesn't enforce any laws they might be violating by spamming and phishing.

-jcr

Re:Hmm

[skolima]

I know that - but I had no mod points available, and responding to a post increases it's chances of getting upmoded :-)

Re:Hmm

[Dark_Gravity]

A good way to complement spam source filtering thru greylisting is to block home/dynamic IPs, ranges where mail servers arent supposed to be, but where are the majority of personal pcs (that gets owned by botnets). Spamhaus PBL i.e. have this particular target (or zen that combines this one with other known sources of spam)

Please don't. There is no reason that mail servers shouldn't exist on home/dynamic IP addresses. This is one area where I'm actually happy with my AT&T DSL service - they block outbound port 25 connections by default, but allow you to opt out of the blocking if you want to run your own mail server.

I disagree. If you want to run an outbound MTA, get a static IP and some reverse DNS. While not having those two things doesn't prove you incompetent, having them indicates that you may have a clue as to what you are doing.

With the unfathomable amount of zombie machines on dynamic consumer IP ranges, there is no reason for me to absorb the spam just to allow you to be cheap and lazy. If you can't be bothered to show some signs of being clueful, why should anyone be bothered to accept your email?

If you can't bring yourself to get a static IP with non-generic rDNS, you can always use a smarthost. Barring those two sensible options, I suspect most postmasters would view not delivering your MTA's emails as lossless compression.

Re:Hmm

[cjewel]

Maybe they finally clicked that you've already got a huge penis and legendary bedroom performance?

If so, could I have your number, southpaw? (A Female slashdotter)

Re:Hmm

[raju1kabir]

Unfortunately we live in an age where some sort of accountability is necessary before I'll accept your email. A dynamic IP address means no accountability, and it means your email doesn't get through.

As far as I can tell, the only people still self-delivering email from dynamic IP addresses are hobbyists who collect knives and home-school their kids, and whom neither I nor any of my clients have ever wanted to correspond with. I have never once received a report of email delivery problems that traced back to dynamic-IP blacklisting.

Don't get me wrong - when I first got DSL in 1999 I was thrilled about running my own mail server in the hall closet and did so for years. But times changed and I changed with them.

Re:Hmm

[digitalgiblet]

Perhaps the botnets are busy fighting amongst themselves, vis a vis the Georgia v. Russia conflict.

Ok, Agent Mulder, settle down.

I Want To Believe...

Re:Hmm

[bitspotter]

You mean the Russian military can't get bandwidth because the spammers are busy using it against Georgia?

This is //Soviet Russia//, after all...

Re:Hmm

[HeavyDevelopment]

OMG that was funny....

Re:Hmm

[jonbryce]

That's a nice theory, but in practice, I have seen a huge increase in spam recently. Mostly CNN and MSNBC News Alerts that require me to download an updated version of Adobe Flash Player.

Re:Hmm

[Lazyrust]

I would be happy to purchase those genuine watches but first I would need your assistance in moving a large sum of money out of the country of Nigeria. It seems that a rich uncle of mine has passed away this year and unfortunately his wife is unable to accept the money due to governmental restrictions. Therefore, if you would be willing in assisting me in transferring the sum of $5,000,000,000,000,000.00 I will be happy to give you 10% in return for your time and effort. In addition I will purchase all of your fine genuine replica watches of the highest quality. In addition, I will be in need of a great selection of products of high quality from your canadian pharmacy online drug store. Therefore, if you would be willing to send me your name, address, bank name and account number via email, I will be able to begin processing this information with his bank and will contact you shortly by international certified mail.

Thank you for your time.

Re:Hmm

[mea37]

But in Soviet Russia, bandwidth gets you!

Re:Hmm

[Vlad_the_Inhaler]

Well, I have 3 main addresses and one has dropped from 30 a day to maybe 5, a second blipped down as well but is going back up again and the third (an alias I can't get rid of) gets everything routed to the bin anyway so I don't know.

Still, spam has almost died on my main address. No complaints here.

Re:Hmm

[MadCow42]

>>Every single day I get 4 or 5 copies of the "Paypal Dispute Transaction" shit.

If you'd just ship me those darn pills I ordered, I wouldn't have to dispute the PayPal transactions!!!

If this is all about the $7.29 shipping fee I still owe you, then just send me your bank account details and I'll send you the money by wire transfer instead. :)

Re:Hmm

[orclevegam]

Russian Business Network, or RBN, just happens to be one of the largest mafia run botnets/spam organizations. Seeing as the mafia more or less runs the government over there, it's a semi-legal (as in, no one's going to realistically prosecute them) business that operates a massive for-hire botnet. It's not the only one over there, but it is the biggest and most visible one, so a lot of russian botnet activity just gets labeled as RBN.

Re:Hmm

[Hatta]

Its long been suspected that the Russian government and Russian organized crime have cooperative links, if not outright overlapping "membership"

What is a government anyway but the most successful group of thugs imaginable?

Re:Hmm

[Hugonz]

Are they fake? I got them too.

The subscribe links point to the real CNN sites and they actually gave me no error when I tried to unsubscribe. They kept coming though.

Hugo

Re:Hmm

[operagost]

As far as I can tell, the only people still self-delivering email from dynamic IP addresses are hobbyists who collect knives and home-school their kids

Now there's an intriguing new stereotype!

Re:Hmm

[Capt.DrumkenBum]

Just download it already. Then they will stop bothering you. :)

Re:Hmm

[KillerBob]

Unfair moderation much? I hope you get metamodded back into positive, because that post is definitely not a troll. :(

Re:Hmm

[epee1221]

So, something of a modernized letter of marque?

Re:Hmm

[binaryspiral]

That would be a great movie... old cold war era tanks and soldiers vs. rednecks in pickup trucks with equal firepower...

And a corrupt sheriff in there somewhere...

Re:Hmm

[HeavyDevelopment]

Dude they got you too. Watch this get modded Troll as well :)

Re:Hmm

[Dan541]

what's the difference?

Re:Hmm

[bhiestand]

Maybe they finally clicked that you've already got a huge penis and legendary bedroom performance?

If so, could I have your number, southpaw? (A Female slashdotter)

Don't let yourself be fooled. She's a slashdotter, she wants to know how you stopped the spam.

I'm getting it

[digitrev]

My spam has tripled over the past few days. So I'm not getting all of it, but I'm getting a chunk of it.

Re:I'm getting it

[ShadowBlasko]

Heh, we've got a virus running around the site lately that is titled "CNN Gold Medal tracker".

Sneaky ...

Re:I'm getting it

[SatanicPuppy]

We've been getting a lot of "reverse spam"...The organizational emails are necessarily public, so some enterprising Russian has harvested the entire set and is using them as "REPLY-TO" addresses, so we get all the bounce messages from their damn spamming.

It's all the fun of having an exploited mail server without actually having an exploited mail server. The mail doesn't actually come from us so we're not having any blacklist problems, but the floods of bounce messages zip right through the spam filters and piss off the users.

Re:I'm getting it

[PARENA]

Russian I was getting for a while, as well. Not anymore. /dev/null for anything with charset koi8-r or windows-1251.

CNN I was getting for a few days. Seems to have disappeared again.

Re:I'm getting it

[KillerBob]

I've seen a huge increase in both spam and particularly spam that makes it past my spam filter.

It's an arms race. They come out with a new message that tricks the filters into thinking it's real. The filters update and adapt. They rethink things and come out with a new junk message which sometimes succeeds, sometimes doesn't. When they find one that works, I start getting spam again until the filters adapt. Ad nauseum.

I've got my SpamAssassin filters set to update on a daily cron job, and it's always the same... Every week or two, I get a handful of spam messages getting past the filters. They're all basically the same. And it lasts for about a day before I stop getting spam again. So it comes in bursts for me, every time the spammers rethink the message they send out.

I've had my domain, and the same e-mail address for half a decade. My IP address did recently change when I moved into a new colo, but all of the DNS has updated already, so the spammers still know who I am. It's annoying. But it is manageable.

Re:I'm getting it

[nabsltd]

Don't you hate it that you have to deal with this sort of thing because some other mail server isn't configured correctly?

If all mail servers instituted the policy of "reject...don't accept then bounce", then there wouldn't be any blowback spam. Unfortunately, there is some MTA software that can't do the right thing without non-standard add-ons (qmail, I'm looking at you).

Re:I'm getting it

[growse]

Simple. Configure your mailserver to block all bounce messages unless they originate from a server that you've sent a mail to in the past 12 hours. Then you'll only get legit bounces.

Re:I'm getting it

[petermgreen]

and you will block quite a few legit bounces too for two reasons

1: 12 hours is nowhere near long enough
2: the message may be routed through multiple servers before finally getting bounced.

Re:I'm getting it

[nabsltd]

That's a patch, I think you're talking about. And applying a patch is quite easy.

Today, with the qmail source in the public domain, yes, it's much easier. But, when you couldn't distribute pre-patched versons of qmail, it was a relative bear, since as you meniton, multiple patches became a nightmare. This was the first of many decisions by DJB "in the name of security" that are just unimaginably stupid. Plus, his refusal to incorporate such patches because they weren't his code...we'll, I'll just say it isn't the first time in history that ego has limited product quality.

I mean, is there a point to bashing qmail so?

The "sendmail security holes" were generally issues that, yes, could cause problems, but were highly unlikely. They were discovered and shut down. And, for about a decade, sendmail has been a solid platform that can be extended quite nicely to handle the current requirements of anti-spam, anti-virus, etc., all while still remaining interoperable with pretty much everything else on the net.

qmail got it's bad reputation because it was an open relay out of the box. Any MTA that sends a e-mail to the sender's choice of recipient when that recipient isn't local (or a known alias/forward) is an open relay. And yet, people thought it was "more secure than sendmail".

Not only that, but it became impossible for spammers to verify that any address was real unless they wanted to use a valid and potentially traceable return path.

There is no such thing as "valid and potentially traceable return path" when you use the data supplied by the potential spammer as your source for what is "valid". The only thing truly "valid and tracable" in SMTP is the IP address that connected to your server. That's where the result message (error or not) has to go, and, again, out of the box qmail chose not to do this because DJB couldn't figure out a way to make this "secure". Yet, out of the box, sendmail manages to accomplish this without backscatter spam.

Most of the design decisions made by DJB on qmail were based on a misunderstanding of the real world way that SMTP works across the Internet. As a local-only mail system, it's secure and not too broken. When connected to the Internet, it's only slightly better than Exchange at being a good SMTP server.

Okay

[morgan_greywolf]

And you're complaining because .... ?

Re:Okay

[kinzillah]

Perhaps he'd like to leave it to systems he controls? I, for one, would rather a third party weren't silently dropping mail that could be false positives.

Re:Okay

[qortra]

He isn't complaining. It isn't wrong to ask questions when things unexpectedly go well.

Re:Okay

[camperdave]

And you're complaining because .... ?

Without having the spam to process, the server doesn't run as hot as it's "supposed to". This causes a power imbalance, sending more current to the other servers and tripping breakers. Also, because of the lack of that heat, the server room is too cold. The UPS batteries are not storing enough of a charge as they are less efficient when they're cold. If a power sag, brownout, or blackout happens during one of these spam free moments, well, the results could be catastrophic.

Re:Okay

[rbane3]

I carry mace with me to mark, but not stop, my raper, and I'm still seeing the occasional rapper tagged by mace. But they're virtually all gone.

I see what you did there! Subtle insight of your views concerning the Hip Hop "artist"?

Re:Okay

[Hektor_Troy]

Mace? Screw maze.

Flurescent green spray paint is much better. Not only will you keep your assailant off of you, but you will also make it REALLY easy to pick him out of a line-up later.

Police: "Can you identify the guy who jumped you?"
Victim: "He's the green faced guy, crying on the corner about being blind."

Did you install Skynet 1.0?

[bugeaterr]

Did you install Skynet 1.0?

Hey, what's that siren going off for....

Re:Did you install Skynet 1.0?

[dlaudel]

Are you implying that Skynet was just trying to do us a favor all along by nuking the spammers? This changes everything!

Exactly.

[Lilith's+Heart-shape]

And you're complaining because .... ?

No kidding. I work as a sysadmin, and as far as I'm concerned, a spam-free day is an occasion to praise my patron demon and bring Him an offering of hookers and blow, not an excuse for an "Ask Slashdot" posting.

Re:Exactly.

[Arimus]

Assuming a third party isn't dropping your email... if they are then that's almost as bad the spam deluge - I'd rather be the one to decide what is spam than a third party who may or may not have a clue.

Re:Exactly.

[Minwee]

I, on the other hand, consider sudden, dramatic, and completely unexplained changes to the operation of systems under my control to be a reason to worry.

I'm just funny that way.

Re:Exactly.

[Bandman]

Amen.

It's like we speak the same language.

Change is good. Unexpected change is very, very bad.

Re:Exactly.

[omnichad]

Oh yes...they try really hard to craft the perfect body text. I'd say they produce some of the best unintelligible ramblings around.

Re:Exactly.

[morgan_greywolf]

Oh yes...they try really hard to craft the perfect body text. I'd say they produce some of the best unintelligible ramblings around.

You mean aside from Slashdot readers, right?

Re:Exactly.

[sm62704]

Change is good. Unexpected change is very, very bad.

I can't agree with that AT ALL. When the gasoline prices change, they get higher. It isn't unexpected, but it's BAD.

OTOH if all of a sudden I was for no reason apparent to myself attractive to women to the point that they were fighting over who I would let have sex with me, that would be VERY VERY DOUBLE PLUS GOOD! Worrisome, perhaps, but DAMNED GOOD.

Re:Exactly.

[ari_j]

Unexpected change can be good, too. It's unexplained change that worries me. An object in motion remains in motion until acted on by an external force. It's when Newton starts looking like a fool that I start to get concerned.

Re:Exactly.

[Digital+End]

Methinks your wife may view the situation differently

I can forward you some of mine if that helps...

[mattMad]

... just in case you desperately need to buy some cheap "medicine" :-)

Re:I can forward you some of mine if that helps...

[Noexit]

That might actually be a not bad idea. Sending him something that can be confirmed as having been sent, and as being spammy.

Because...

[Capt+James+McCarthy]

When spammers took over your box, they didn't want to flood it with their own mail.

One down

[canderley]

Per Ars, a 100,000 machine bot net was shut down recently. http://arstechnica.com/news.ars/post/20080814-police-nab-shadow-creators-force-botnet-to-commit-suicide.html

Re:One down

Did you read that article?
"Shadow appears to have been mostly confined to the Netherlands, as the messages and phishing hooks were all sent in Dutch, but had apparently infected some US systems as well, as the FBI is credited for assisting on the case."

Re:One down

[montyzooooma]

The bot may have been confined to the Netherlands but that doesn't mean it wasn't used to spam worldwide.

Re:One down

[bearl]

Did you read the article? "...as the messages and phishing hooks were all sent in Dutch,..."

Since the original poster didn't mention what portion of his spam was arriving written in DUTCH, we can't say for sure, but it appears, as the article says (up near the top too!), this botnet, while large, was almost completely confined to the Netherlands.

I'll save you the reply too, should you go back and read the article, the rest of the sentence I quoted above says "...but had apparently infected some US systems as well, as the FBI is credited for assisting on the case." However it does say that ALL the messages were sent in Dutch.

Probably not our boy's spam.

Oops...

[bhamlin]

Sorry, we've been down for maintenance and it's taking a lot longer than we originally planned. You can expect normal service to resume by next monday.

Re:Oops...

[IronChef]

Netflix is down, and this guy's spam stops.

Coincidence?

Shadow botnet was killed recently

[Nimey]

http://arstechnica.com/news.ars/post/20080814-police-nab-shadow-creators-force-botnet-to-commit-suicide.html

That may account for some of it.

So it's become real...

[Seakip18]

Spam Assassin is actually assassinating spam.

On another note, has anyone heard from cousin who is a Nigerian prince? He hasn't called in days and we're beginning to get worried.....

those chinese spam factories are shut down ...

... to save the health of the athletes.

The Russians are busy in Georgia...

[NMBob]

...and the Chinese are busy watching 13-year olds win gold metals. Bob

We Can Test

[awitod]

We're happy to help you solve this mystery.
What is your email address?

We got bored of the joke

[Bogtha]

Okay, here's the thing: nobody but you ever got spam. We all just thought it would be funny to fool you into thinking there was some kind of worldwide scamming epidemic. You don't seriously think people would be stupid enough to buy pills off strangers who email them out of the blue, do you? I thought we'd gone a bit too far and stretched the limits of credibility when we came up with the idea for the Nigerian scams, but I was wrong, you even fell for that! Nobody is stupid enough to send all their money to a "Nigerian prince".

Anyway, enough's enough. The joke's stale now, so we decided to stop sending it all to you.

Spam has relatively few sources

[Toe,+The]

A large chunk of spam comes from a very small group of spammers. It may just be that you are only targeted by one of them, and he took a break recently.

Hang in there... he'll come back from vacation soon, and you'll be able to mortgage your penis to Nigeria again.

I Stole It

I'm holding it for ransom. You can have it back for $1,000,000.

A "Shadow" of their former selves?

[DCheesi]

Were the missing spam-mails mostly in Dutch?

http://arstechnica.com/news.ars/post/20080814-police-nab-shadow-creators-force-botnet-to-commit-suicide.html

"Shadow appears to have been mostly confined to the Netherlands, as the messages and phishing hooks were all sent in Dutch, but had apparently infected some US systems as well, as the FBI is credited for assisting on the case."

...

"Once Shadow was secured, the police contacted Kaspersky Labs about providing a means to neutralize the malware."

Obvious

I, for one, welcome our spam-eating overlords.

I can kinda confirm this.

[suso]

I run a web hosting company and over the past couple weeks I've had a few customers report that the amount of spam has dropped. Of course, they thought that this was something wrong, but I couldn't find any evidence of increased failures, it was just that there was slightly less mail coming in.

What's your email address?

[Junior+J.+Junior+III]

I'll forward you some of my spam. Wouldn't want you to feel lonely.

Check

[DoofusOfDeath]

I'm not sure what's causing your lack of spam. What's your email address?

Re:Check

[MPAB]

I find your lack of spam disturbing ...

Still the same old same old

[Punker22]

We provide a spam filtering service, and our volume hasn't really changed much in the past week or two so perhaps whichever botnet was sending you all the trash went offline or just... stopped sending to you.

Botnets current tasked to higher priority jobs

[Wrath0fb0b]

http://it.slashdot.org/article.pl?sid=08/08/12/191255&from=rss
http://bits.blogs.nytimes.com/2008/08/11/georgia-takes-a-beating-in-the-cyberwar-with-russia/

When the crisis abates, I expect the botnets will be returned to their regularly scheduled duties. Quite a versatile tool those botnets -- pimping V!agr4, collapsing government sites, enhancing the male doodad, distributing pr0n, bullying your neighbors (http://news.bbc.co.uk/2/hi/europe/6665145.stm). For the cost of one M1A1 tank tread, Putin bought himself a whole lot of firepower.

Advantage: Putin.

Re:Botnets current tasked to higher priority jobs

[Colonel+Korn]

For the cost of one M1A1 tank tread, Putin bought himself a whole lot of firepower.

This is so obviously the answer that the parent needs to get to +5 Insightful as soon as possible and that can be the end of the story.

I can confirm this

[Simon+(S2)]

This happened to me too about a week ago, and I was as surprised as you. I am from Italy, and I got about 200 mails a day, about 5 of them not spam. Now I get about 80/day. They are not vanished, but the volume of Spam mails dropped significantly the last week or so.

Reality...

[Capt+James+McCarthy]

Without seeing your logs, most folks would be guessing. They symptoms you provide are not enough to make an educated guess. I would say to bump up the verbosity of your email server, SpamAssassin, and the system itself and then go from there.

Fake News Alerts

[pipingguy]

Fake news alerts seem to be the new thing for my inbox.

Oingo Boingo!

[TheMiddleRoad]

When Slashdot has a real slow news day
Tell me where my spam's gone
When Nigeria no longer needs me
Tell me where my spam's gone
When trojan horse avoid my inbox
Tell me where my spam's gone
When penis pumps cease their pumping
Tell me where my spam's gone
When free porn streaming doesn't bug me
Tell me where my spam's gone
When people install virus checkers
Tell me where my spam's gone

headless botnets

[Lord+Ender]

We've been seeing botnets changing desktop background to an image alerting people that they are infected with a virus. Obviously a real spam botnet operator would not alert people like that.

My theory is that some grayhat wrested control of a major botnet, and is shutting it down from the source (and alerting the victims in the process).

Re:headless botnets

[drachenstern]

lemme guess, most common infection name is Antivirus XP 2008?

I've started having those pop up left and right, and you are correct, once you think you have the virus gone, you think you're clean. EEEEEEE wrong. There's actually a botnet hiding behind that virus load, and if you don't pull it off, it does it's own direct port 25 push. I've three computers in my near vicinity that all have that loaded on their systems, and at first I was ready to wipe the frigging machine.

Don't forget to clear system restore too!!!

Re:headless botnets

[Lord+Ender]

Cite my source? I am the primary source. I have a forensic image of such a machine sitting right next to me.

Not everything on the internet originates at some other place on the internet. Somewhere, original sources actually exist, and they have nothing else to cite.

I have seen four such infections, all came through hotmail (we think).

We Apologize

[Sloppy]

Dear Sir,
We humbly apologize for the interruption in service. Please reply with your email address and our technical staff will get back to you.

not on this end

[JohnCub]

our spam seems to be climbing.
# of spams / date (m/d)
16,037 8/15
17,385 8/14
17,287 8/13
16,352 8/12
15,171 8/11
16,505 8/10
14,344 8/9
12,157 8/8
12,465 8/7
11,942 8/6
12,265 8/5
10,124 8/4
11,437 8/3
13,417 8/2
12,858 8/1

Re:we are all doooomed

[Ethanol-fueled]

Naw, just that the Russians have shifted all their botnets' attacks toward Georgia.

Re:the russian business network is busy

[DCheesi]

they need the botnet resources for ddosing georgia

The sad thing is, you might be right...

Spam on newsgroups down too

[Jens+de+Smit]

Some newsgroup I regularly read got a lot of spam over the last month or so, but a couple days ago it just stopped. Possibly related...

Re:I have it

[Jedi+Alec]

No, no, no...

Im in ur mailserverz, eating ur spam!

Try forwarding spam through ISP

[IceCreamGuy]

Maybe you could forward some spam from, say, a gmail account to your address in question. If it doesn't make it through to your server then you have a definitive record to confront your ISP with. Or, if they do get through, maybe you should buy a lottery ticket because your the luckiest admin on slashdot!

I just checked one of our Ironport Servers

[Phil_at_EvilNET]

In a 24 hour period we've gone from a peak of about 75,000 messages at 9pm CST last night to a low of 40,000 messages incoming today, 97.3% of which are spam. Total for the last 24 hours on that single Ironport (we have 4 in production and one in the lab) is 1.4 Million attempted messages, of which 36.1 thousand were clean.

So all things taken into consideration, consider yourself fortunate. We're still seeing a trend that indicates that over 97% of all incoming mail is garbage.

-Phil

Here's a thought...

[swordgeek]

It's not too-well publicized, but the Russian Business Network (AKA spammer filth) have been using (renting?) a large chunk of their botnet space to attack Georgia. Here's a bit of detail.

Maybe they just didn't have enough bandwidth to spam the planet AND take down Georgia's systems through a DOS.

Hard to tell if I lost 200 SPAM emails.

[Zarjazz]

My personal server gets a few more mails than the poster.

# of SPAM Week Ending
  172709 Aug ** (only 5-day stats)
  198878 Aug 10
  217882 Aug 3
  207318 Jul 27
  230533 Jul 20
  265463 Jul 13
  311635 Jul 6
  450349 Jun 29
  311850 Jun 22
  225500 Jun 15
  317484 Jun 8

Make of those stats what you will ...

Post your address

[BarC0d3z]

Post your email address here and I'll make sure things get back to normal for you.

Black Hat

[machine321]

They all just got back from Black Hat / Defcon, and they're still hung over.

Pretty normal

[Henry+V+.009]

Still at 250,000 a day for us. Would you like some of it to make up for your lack?

A communications disruption...

[ClientNine]

... can mean only one thing: INVASION.

Infected PC are offline during summer ^_^

[Kirys]

Most spam is sent by bot-nets, mostly composed by infected pc of workplaces, school and private homes. In many countries during the second and third week of August many schools and workplaces are closed so their pc are just turned off, this mean that the bot-nets have less active nodes and so are less effective. I do receive less spam too but I think that it will be back to the sad old amount at the end of the summer :(

Something did change...

[r_cerq]

I've just checked my work's logs (an ISP). The number of hits in the spam taggers fell from 12/sec to 3/sec earlier this week.

So either we're identifying less spam, or there is in fact less of it.

Obligatory

[T3Tech]

Are you sure your server didn't switch to spam, egg, sausage and spam mode? That's not got much spam in it.

Already going on.

[Medievalist]

Seriously though ... if spammers started turning up dead where would the police even begin their investigation? There's only a pool of what, half a billion suspects?

Spammers and virus writers employed by spammers to create their zombie pools have been turning up dead for almost two years now.

Re:Already going on.

[swilde23]

That doesn't really tell you much though (except for the fact that a prominent spammer died recently).
I would try looking at something more like this for information about spammers dying in the past few years: http://news.google.com/archivesearch?q=spammer+found+dead&sa=N&lnav=m&scoring=t

Re:Totally OT: Chinese youth in Olympics

[LearnToSpell]

What are you talking about?

Beam scores:
Liukin - 16.125
Johnson - 16.050
Yang - 15.750

I swear, I've never heard anybody but Americans complain about judging in an event that they WON.

Yes, I can confirm this too

[Nitromaroder]

Here, in Germany, I've noticed this also: On my private mail server, the SPAM is almost gone (only 1-3 messages per day, instead of 20-30), at work I have similar experience: the amount of continuous SPAM per day is down to 1/10, but, every Thursday or Friday (since three weeks now), we get a huge wave of SMTP connections at ca. 4 pm CEST (from bot nets), which almost breaks down our internet connection. Both systems are using postfix+postgrey+amavis(spamassassin, dcc, razor, etc.). My suspicion: I am assuming my brothers are busy now with Georgia servers, so as long as the conflict in Caucasus is not over... :-P Kind regards, Denis

seriously bit more information ?

[johnjones]

well the first thing that scully would ask is ?

where is the scientific evidence....

so the serious question its nice that your spam level dropped but where/ip was it all coming from in the first place ?

regards

John Jones

http://www.johnjones.me.uk

Here's where your spam went

[buss_error]

1. If you've made no configuration changes or patches in the past week, that pretty much lets out program error.

2. If your ISP is saying they don't do spam filtering, then that pretty much lets that out too, unless your ISP is given to lying to you.

3. Others point to the cyber war between Georga and Russia. I'd think that those folks would have their own bots not associated with spamming, but I can't prove that.

4. It surpasses hope that all the sudden people cleaned up their pwon3d systems.

5. My spam levels have not dropped appreciably, and I not only have my own domain, but allocations as well.

6. I have noticed at times in the past that my spam levels do drop by 60, 70, even 80%. They always pick back up before too long. Enjoy a breif respite.

If it's worth doing, it's worth doing at a profit.

[Ungrounded+Lightning]

... independent helpers ... have programs that you can download that do most of the work with minimal hassle.

Hi. I'm a spammer working for the Patriotic Russian effort to defend South Ossetia from the imperialists of Georgia. If you want to help this patriotic effort I have written for you a tool to let you participate in our DDoS attack on Georgia's network. Just click THIS LINK to download the tool, then enter the decryption password to unpack and install it. The password is "ImASucker"