Slashdot Mirror
By Latest Count, 95% of Email Is Spam
An anonymous reader writes "The European Network and Information Security Agency released its new spam report, which looks at spam budgets, the impact of spam and spam management. Less than 5% of all email traffic is delivered to mailboxes. This means the main bulk of mails, 95%, is spam. This is a very minor change, from 6%, in earlier ENISA reports. Over 25% of respondents had spam accounting for more than 10% of help desk calls. The survey targeted email service providers of different types and sizes, and received replies from 100 respondents from 30 different countries."
I don't doubt that it's around 95%, but the logic of the above-quoted statement is certainly flawed.
Caveat Utilitor
If volume is increasing then this might mean returns are getting scarce for these parasites. and perhaps it will come to a point where no matter how much spam they deliver they still don't make enough. but then maybe i am dreaming.
I also get about 10 times as much spam as actual email. Fortunately, Google is pretty good at filtering that - the number of false negatives in my inbox has been less than ten this month, while I got over a thousand to my spam folder.
It's hard to comprehend how people deal without that level of spam filtering - I have relatives who regularly register new accounts in order to escape their spam.
Now I am not a corporate email guru, but why would spam be the reason to call for help? In this day and age it boggles the mind. Even my grandmother can deal with spam without needing tech support.
I was seeing more like 97% (once you excluded system generated internal emails - CVS and Bugzilla between them can generate a fair bit of mail).
The killer for running our own mail system in its entirety was when I did the arithmetic and our co-hosted secondary mail server was costing more than buying Google for Domains. That's before you even consider the document management Google for domains offers, which was just icing on the cake.
Micropayments. Yes I know it's been mentioned before, but one rarely hears of paying *each other* (rather than the host or government). It would be a good idea anyway even if spam didn't exist.
If we paid each other (say a penny or 1/10th of a penny), obviously the spam problem would be solved. (though some can charge nothing if they want) It also means that someone who gets a ton of email and hasn't got the time to read all of them will receive only the 'cream' of email. Only those who are willing to sacrifice say, a pound (or £10/£100 for super busy/famous people) would be able to email them.
As we know, Youtube has/is developing methods of payment to watch videos, and online papers are experimenting, so micropayments may be common sooner than we think.
Why OpalCalc is the best Windows calc
Is that 5% sent is spam, or 5% that is delivered is spam? There are layers of spam blockers before any mail even gets remotely near anyones inbox.
95% of slashdoters don't RTFA.
Have the pharamcutical companies pay each user $1 for every spam they got for Cialis or other Dick enhancing drug they are pushing. If they can find a way to to do that I would welcome my Dick Enhancing SPAM overlords.
One thing to keep in mind is that even though it looks bad (and for email it certainly is..), most other mediums aren't quite as affected by it. I do get quite a bit of Spam on ICQ these days, but the ratio between spam messages and real messages is waaaaaaaay better than 20:1. I would expect the same to hold true for most other mediums as well, so that it might in fact be a good idea to use those as a separate alternative communication channel should your inbox become overwhelmed. Something i have noticed over the years is the reduction in Trojans and worms being sent (at least to my inbox). There was a time when i received around 50 trojan-emails a day, whereas now it has been quite a while that a spam mail did actually contain any attachment whatsoever. To summarize, yeah.. email looks bad, but there's a whole set of alternative or additional channels that can be used which aren't quite as saturated.
I have no idea why, but my spam count has gone down. I have my own domain name and I used to receive about 100 spam per day. Lately that's gone down to 2 or 3.
I'm not doing anything different so I assume I fell off a list or someone upstream is fixing things.
Sometimes I run a filter that let's all plaintext through but whitelists mime and messages with http or www in the message. They get rejected at the server level.
I just turn it off when I register for new web sites.
http://www.cbsnews.com/stories/2004/01/24/tech/main595595.shtml
Bill Gates promised in 2004 that spam would be completely solved within 2 years.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Spam is driving the evolution of email.
Look at my mail server's spam status.
the RBL has blocked 95% of the spam out there.
57.5% had no SPF records. Looks like SPF has gained a lot of ground now... almost half of the Internet is now using it.
Using Surgemail, I do not need to use 3rd party anti-spam systems as the anti-spam is handled by the mail server itself. It handled 4 million messages in a month and does not break a sweat. I love this mail server and no other system can persuade me to switch... Support is incredible, service top notch... can not praise it enough.
Spam status:
RBL Denied 95.3% (1882484), Stamped 4.7% (93193), Checked 1975678
Total score 3 or above 75.5% 123278/163348
Aspam Score 1 or above 15.4%, ngood=987 nbad=2965 ncatcher=2521
URL Database 13.6%, In database bad=12997 neutral=2168 fromnet=15138
SPF hits (msgs) 68.8% 2753806/4002538, (no spf=2302652 57.5% pass=361145 of 4002493)
SPF rcpts blocked 0.0% (0/698887) allow=0 dkf=5393
Badfrom hits 0.0% bad=0 good=384559 mx=0
Spam Bounce (0) 2.5%
Helo failures 235981 5.7%
SURBL 38.0% 94570/248869 0/0
User spam actions Vanished:8 Bounced:21793 Stored:46
Friends Allow:23059 Block:0 Confirmation:14944 (Bounced:2787 Replies:128 Spam-ratio:0.96)
DomainKeys goodsigs=15730, badsigs=458, nosig=0, badformat=408
SPFShare isspam=814 notspam=0 allow=0 web=2630 tell=0 (knowndb=270297)
SpamC 104.09% (db 443774/34284) spam=108206 ok=36709 zero=103954
From Blacklist 0 records, 0 hits
False Pos 128/14944 0.86% (based on friend confirmations)
False Pos 7732/41670 19% (based on msgs from friends)
aspam_content.txt 7788 3.1%
*Headline News* censorship shuts down the Internet! More at 6PM!
I am surprised they conclude the fraction of good mails is as high as 5%.
From the CERN mail server report:
Incoming mails: 1992789
Rejected: 1952787 (98%)
Moved to Spam Folder: 14520 (1%)
Good mails: 25482 (1%)
Spam in Total 99%
And this is a good day. Often good mails are less than 1%.
617B3B7F7E7C7D7F00EOF
Since I've moved all my paper bills to email delivery, the crap in my USPS mailbox is 100% spam. Oh, and companies DO pay to have that trash shoved in there so clearly attaching a value to delivery doesn't deter.
Your post advocates a
( ) technical ( ) legislative (X) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won’t work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
(X) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we’ll be stuck with it
(X) Users of email will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don’t care about invalid addresses in their lists
(X) Anyone could anonymously destroy anyone else’s career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
(X) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
(X) Joe jobs and/or identity theft
(X) Technically illiterate politicians
(X) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(X) Outlook
and the following philosophical objections may also apply:
(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
(X) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(X) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don’t want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(X) Sorry dude, but I don’t think it would work.
( ) This is a stupid idea, and you’re a stupid person for suggesting it.
( ) Nice try, assh0le! I’m going to find out where you live and burn your house down!
Bill Gates called it, way back in 2004. And Bill Gates is never wrong about ANYTHING. So it's pretty obvious that whatever we've all been receiving in our inboxes since 2006 that looks like spam isn't. Probably, we're all just overwhelmed by all of the legitimate emails we're getting from our many, many friends nowadays, who really are just trying to tell us about some aweS0me dea1z on r0lexxes, and we just can't decide which of the incredible bargains to choose from. And it's actually Google and Yahoo's fault for not having deprecated their spam filters, even though spam now is a thing of the past (trying to make MS look bad, of course). So they keep catching your friends' emails as spam. But it can't be spam, because it's 2010 already. And Bill Gates said.
I've introduced a number of people to a multitiered system which, for me, has almost completely solved my spam problem.
1) Do the unthinkable, actually pay for email service at a place, ideally, like www.fastmail.fm which uses spamassassin unlike the simpler less forgiving systems at yahoo/gmail/etc.
2) Use a handful of aliases (yielding unlimited email addresses) in order to sort mail to its relevant level of "attention"
e.g.
2a) john.smith@fastmail.fm would go to friends to use
2b) wellsFargo@level01.fastmail.fm would go to a site you trust like your bank and be filed in you level01 folder
2c) chineseCommerceSite@level05.fastmail.fm would go to your level05 folder and so on...
3) Beauty of the above systems is that when an address gets spammed (or the site sends too much garbage), you can easily disable it via a filter since each site should have its own email address
4) Further, you are less likely to receive obvious spam via setting a high spamassassin threshold and the fact that a site like fastmail subscribes to various RTBL's
Using this system, I've received barely anything more than 1 spam per month to any "un-aliased" address. The overwhelming majority of the time, said spams are properly flagged by spamassassin.
I hope this helps
ISPs don't need to specifically disallow something that is already against the law. So, you find it dismaying that over 25% of ISPs allow you to use the bandwith you pay for in any way you wish as long as you don't do anything illegal. I assume that the alternative is that ISPs begin regulating Internet traffic based on their arbitary interpretations of what you are ethically allowed to do. (See: Peer-to-Peer netlimiting)
The thing is, if I send many thousands of emails in one day, I might be sending e-mails to some online community I manage, it might be related to some service I offer, or any number of other legal and ethical uses of the bandwith I paid for. The ISP can't know what those are unless they actually read my e-mails or closely monitor them (something I really don't want my ISP to do!). Even if they call me "What are you doing?" they still have to take my word for it or violate my (and others') privacy. Even if they knew exactly what I was doing and personally thought it was unethical but knew it was legal, I would argue against it being their right to interfere.
Unfortunately, 95% delivery failure does not mean 95% spam. Some spam gets delivered to my inbox, and I'm certain that some legitimate email gets blocked. Unfortunately, the businesmen who like to use "email marketing" have no idea how much of a problem it is, and the technical people doing the filtering refuse to bounce (instead of black hole) suspected spam as doing so would work as a DoS amplifier.
There's no single solution to spam, obviously at times I want people that have never sent me an email before to be able to reach me. Trying to derive whether it's spam from the content will always be an approximate process. But what is not so great is that currently, all the eggs are in one basket. If you get your hands on my email address, then it's valid for years and years, and I have no practical means of switching.
What would help a great deal, is if there was a standard way to generate and revoke an email address for a specific purpose, auto-alias any reply and in the reply include a forward to a different alias. Yes, occasionally I spell it out over the phone or someone has to type it in from paper and shortness and readability is important, but many times it is not. For example, I don't publish my email address here but if I could easily generate an alias ad453785cd76786da76b7678654aa@gmail.com and have it delivered to my real address with the possibility of nuking it I'd consider it.
The rest are really continuations of the same idea, because you'd get a lot of "harmless" mail saying like "Hello, I saw your post at [slashdot comment you made] and think your posts show just the kind of employees we are looking for. We at [bullshit company w/fake web page] would like to increase our technical staff and if you are interested, please send us your resume." which serve no other purpose than to reveal your unaliased address. For that reason, all mail sent to an alias should be replied to using the same alias.
The other issue is that for revocation to practically work, I can't have people who did get in contact with me over the slashdot alias that I'd like to stay in contact with keep using that alias. I have to either give them my real address or point them to a new alias. There's "Reply-To:" and just telling them in the email, but it's a bit weak. Finally a revoked address should optionally give a customer-chosen rejection reason, so that it could be things like "Switched alias, try [new address]" "This alias is expired, find my current address on slashdot.org", "If important, you can still reach me on phone 555-1234" instead of the default "No account with that name".
The best part of someone actually doing is, is that the whole system doesn't need to change. One web mail provider could create this exact setup with the controls to generate and revoke addresses, make sure your replies to an alias are aliased, update and control the Reply-To so you can't redirect it anywhere else and create the custom rejection messages. The only thing it can't do is make sure the recipient updates their address book or whatever, but if the ball gets rolling that will be fixed.
Live today, because you never know what tomorrow brings
I don't filter my email in any way, and I don't think I've received a single spam in the past 10 years. Very few people *have* to receive spam. I know there are a few who do, and somebody will gleefully point that out, but my point remains: most people do not.
What on earth are people doing if 95 of their mail is spam? Seriously: receiving spam is optional, not required. Pick a non-guessable email address, don't publish it online, use a scratch gmail or yahoo address if you absolutely must sign up for some web forum that requires an email to sign up, and that's all you need. I've been doing that and, as I said, never - and I mean never - get spam at my real email. They don't have and cannot reasonably guess (no dictionary or short words) my address. I first got email spam in the 80's, took the obvious steps, and haven't had a problem since.
I fail to understand why, in 2010, people are still getting viruses, still running malware, still getting spam emails... it isn't like we haven't had *25 years* of spam and malware to learn how to avoid these problems. Is this like some form of abused wife syndrome, where people keep letting spammers get their email addresses because "he promised to change!!"? "Maybe *next* time that dancing monkey will be safe!!" "Billy Bob told me it's safe to give my real email to *this* site!!"
Somehow these things give me a very dim view of humanity. It's a totally solvable problem, yet we will carefully ignore the obvious solutions and then complain about the problem. But spam and malware are problems because we are allowing them to be problems.
one-sixth less legit mail means that you get, compared to it, 18% more spam (20% if you compare it to the 5% thats left). And that *is* a quite large number.
Who are the morons responding to the spam and thus making it worthwhile for spammers to send?
How about this take on e-mail postage. We know spammers/phishers send lots of e-mail, but receive very little or none. We use that to our advantage
Before sending e-mail, a sender buys postage, and it goes into their account. Maybe a penny a stamp give or take. When an e-mail is send, a stamp is taken out of the sender account and put into an escrow for each recipient. The e-mail is digitally signed for the escrow id, and sent like normal, but all spam filtering services then check the signature along the way.
When a recipient opens an e-mail, The escrow stamp set assigned for them is transfered to their account (e-mail client, or service provides this). Note: it can only be collected once for each person per e-mail, and it only goes to the account associated with the e-mail.
So after an initial stamp purchase, postage will transfer back and forth, and a normal user should never have to purchase postage again. A person, or company that sends lots of e-mail will have to keep buying postage to send. PHishing and spamming becomes economically difficult.
More reputable spammers/companies will have to buy postage to stay in business.
One last thing, users will be able to sell back stamps when there account starts to fill up, but at less of a price, to pay for the service and keep the validation servers running. So stamps are purchased at retail prices, and sold back at whole sale prices. Spammers/Hammers that stay in business end up paying for the service.
There is much more details, and ideas that can go along with this, but for the sake of brevity, I'll keep int at that.
Maybe ISPs should stop fixating on P2P traffic and try harder to stop spam. Then they'd free up a ton of bandwidth AND make their customers happier.
So.. it has come to this
I use DNS blocklists, greylisting, and a bayes filter. I rarely see spam, maybe 1 or 2 stupid marketing mails from companies I have dealt with a week. My work has more or less the same setup and doesn't get much spam either.
This report must be counting mail blocked at the SMTP level as spam. That seems the only way to get upto 95%.
Bill Gates appears to know little about technology. Why else would be make such a stupid statement?
He reminds me of the support guy that just makes stuff up because most users will believe anything.
Please put the answer in the title of your response. Note that gmail deletes spam that is older than one month so if you answer for another spam system, count for the last 31 days or specify the length of time.
I have 396, much lower than the peak that has been around 900 for years then abruptly got to around 400 each month and remarkably stable.
Men are born ignorant, not stupid; they are made stupid by education. Bertrand Russel
i get over a thousand a day, and 99% is from US based spammers eg. wheelquit.com
and IPs assigned or peered by MZIMA (us based again)
it seems Texas is very friendly to spammers
I've had the same main email address since the mid 90s, so as you might expect it's on every spam list going, and on average I'm seeing 100 emails a day hitting my Outlook spam folder. However it's never an issue for me as I pay for the rather wonderful Cloudmark spamfilter which is near as dam it 100% accurate for my use.
So all I have is spam hitting my spam fillter at about one every 15 minutes. Which has on several occasions been a useful 'heartbeat' to diagnose when my there's something wrong with my connectivity - either the internet connection itself or the servers being hit by spam.
It's so reliable a diagnostic that I've even wondered if there's a viable commercial product in there based on the idea :-)
If you take the % at home ( i host my own domain, and I'm the only real user... ) its more like 99.9% due to all the bounce backs and 'dictionary' emails which don't exist anyway..
At the office, its well over 98. ( external email only, not internal )
---- Booth was a patriot ----
Yep. This is why I simply abandoned email. Sure, I have a gmail box so that I can "click on this link to activate my membership", but other than that it just slowly fills up with "newsletters" I never read. Any actual human being wanting to contact me online knows full well by now to send me a PM in some "walled garden" environment such as facebook or one of the music forum/communities I visit. Does this reversion to "walled garden" comms systems suck from a 'back in the day the internet was supposed to be all about...' techno-philosophical angle? Sure. Do I really give a shit? No. My friends can reliably message me over the internet, spam is a non issue, win win.
I know what you're going to say... what about people who aren't already my friends and don't already know I never read my email and they should hit me up on facebook or wherever? Well... yeah... what about them? I don't really feel my life suffers for all the unsolicitied but not spam email I would be getting in a parallel universe where spam doesn't exist. Anyway, the only instances of this I can envisage would be, for example, someone likes my music and wants to message me about it, in which case they'd have found it via a forum post or my myspace page, ergo they can message me via that forum or via myspace, so it's really a non issue.
I feel sympathetic for people whose circumstances are such where putting "My email address is blahblah@example.com" out in the wild is the only realistic choice they have, but personally I just thought, right, the whole email channel is saturated with shit, therefore I give up on that channel.
I have had my own domain since uunet! days. I drop connections when the envelope header is to a non-existent account. There are very few valid accounts on this domain. Here are the last three days stats on dropped and accepted connections (D dropped, N accepted):
D/837,780 N/941
D/935,298 N/884
D/901,749 N/832
This is 1 valid email out of 1000 attempts to a first approximation, 99.9% spam. Even with these, I still get several hundred validly addressed spams a day, most automatically junked altho I still scan the Subjects and Froms in case the odd transient correspondent was not white listed.
The bogus account names are complete nonsense, just tossing out names and seeing which ones stick.
Infuriate left and right
People can brag about their filters, white-lists, black-lists, etc, all they want. But if this count is accurate, it gives a good indication of the true cost of spam. If 95% of email is spam, then that means only 1 email of every 20 sent is legit. Which could be extrapolated to mean that what you "pay" - by ISP charges, etc ... for your email is also paying for 19 spam messages.
Because in the end, servers around the world are using bandwidth, storage, CPU time, etc, to relay spam. And those servers have to be paid for somehow.
So keep that in mind the next time you think of installing a fancy spam filter to solve your problem; you're really just displacing one cost for another by using some of your own resources to deal with spam once it reaches your inbox. If you want to actually help address the spam problem, look to the root cause of the spam instead of continuing to address only the effects of it.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
But I thought Bill Gates was supposed to put a stop to it, or at least cut it below 50%? What happened here, Bill!?!?
If you hardly ever use your "real" email address, or only to very limited number of recipients, then yes, you are less likely to get spam. But if you use email a lot, even to people you otherwise trust, every time you hit send you are handing them your address - as well as transmitting it to any number of relays along the way. And any of your recipients can be malware infested.
What's striking is how few different spams there are. When one of the major spammers is shut down, spam drops noticeably worldwide. Statistics like "the top N spammmers account for NN% of the spam" could be helpful. In terms of cost, the top few spammers probably have more impact than Al-Queda.
Maybe we could get major spammers classified as enemies of the United States, so the CIA could go after them.
I use my "real" address a lot. I probably average 5 to 8 emails per day, but sometimes as many as 30. (On my personal email, not for work, where I get a lot more than that).
Yes, only people I trust have my real address, but as I said, I haven't received a single spam in over a decade. None of my friends would send my address to a spammer (they're friends, after all!) and there's no other way for spammers to get hold of it. It wouldn't seem to be as big a problem as you say.
If that became a problem, I'd give each person and institution a unique address (all forwarding to me) so I could figure out who was giving out my address, and then block that one single address. But I haven't needed to do that yet, and I regularly email with around 25 people and 5 or 6 institutions (banks, etc).
I still claim both spam and malware are *optional*. We have the problem because people allow the problem to happen.
I keep getting those PayPal scams telling me to re-enable my account when I don't even have one. Personally, I think one way to solve this problem would be for thousands of people to send these bastards fake login information. Then, they would waste lots of time trying to get into accounts that don't even exist.
The police could send these guys 100 fake accounts to try, and when the failed attempts show up in the official PayPal logs, go nab the scammers.
Imagine that the volume of non-spam email remains constant.
If spam was previously 94% of email, and is now just over 95% of email, that is not a change of 1% in the amount of spam.
Let's give concrete numbers. Imagine that there are one million non-spam emails per time unit. How much spam needs to be sent for spam to be 94% of email? The total amount of mail would be 16.6~ million emails, so 15.6~ million of them would be spam. Now imagine that the new amount of non-spam email is "less than 5%" -- let's say it's 4.9%. That would mean a total volume of email of about 20.4M, so about 19.4M of them are spam. So. That's a 23% increase in the volume of spam.
Now let's be realistic. Does anyone actually think the volume of non-spam email has *decreased*? I sure don't.
So this "minor" change is on the rough order of a TWENTY FIVE PERCENT INCREASE in the amount of spam.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
I managed to get a little over 50% spam reduction, and many other bad guy type connections by blocking most of Asia, Russia, and many other of the most notorious spam countries at the firewall level. If you have no good reason to every receive legit traffic from those countries, why let them connect?
You have to be careful about getting the ISP blocks right, but if most of your clients and customers come from a few known countries or especially inside just one country you can really crank down the number of potential targets you have to deal with in the logs.
Yea, people can attack through proxies and spam through proxies, but consider if you just eliminate half the computers in the World that do not need to connect to your servers.
Living in Chile
If I add up the flyers, coupons, direct marketing, and other BS that hits my mailbox (including inside the statement envelopes), and compare it to the actual bills or statements I receive, by weight, I am pretty sure 95% of my snail mail is spam too.