Slashdot Mirror
By Latest Count, 95% of Email Is Spam
An anonymous reader writes "The European Network and Information Security Agency released its new spam report, which looks at spam budgets, the impact of spam and spam management. Less than 5% of all email traffic is delivered to mailboxes. This means the main bulk of mails, 95%, is spam. This is a very minor change, from 6%, in earlier ENISA reports. Over 25% of respondents had spam accounting for more than 10% of help desk calls. The survey targeted email service providers of different types and sizes, and received replies from 100 respondents from 30 different countries."
I don't doubt that it's around 95%, but the logic of the above-quoted statement is certainly flawed.
Caveat Utilitor
If volume is increasing then this might mean returns are getting scarce for these parasites. and perhaps it will come to a point where no matter how much spam they deliver they still don't make enough. but then maybe i am dreaming.
I also get about 10 times as much spam as actual email. Fortunately, Google is pretty good at filtering that - the number of false negatives in my inbox has been less than ten this month, while I got over a thousand to my spam folder.
It's hard to comprehend how people deal without that level of spam filtering - I have relatives who regularly register new accounts in order to escape their spam.
Now I am not a corporate email guru, but why would spam be the reason to call for help? In this day and age it boggles the mind. Even my grandmother can deal with spam without needing tech support.
I was seeing more like 97% (once you excluded system generated internal emails - CVS and Bugzilla between them can generate a fair bit of mail).
The killer for running our own mail system in its entirety was when I did the arithmetic and our co-hosted secondary mail server was costing more than buying Google for Domains. That's before you even consider the document management Google for domains offers, which was just icing on the cake.
Micropayments. Yes I know it's been mentioned before, but one rarely hears of paying *each other* (rather than the host or government). It would be a good idea anyway even if spam didn't exist.
If we paid each other (say a penny or 1/10th of a penny), obviously the spam problem would be solved. (though some can charge nothing if they want) It also means that someone who gets a ton of email and hasn't got the time to read all of them will receive only the 'cream' of email. Only those who are willing to sacrifice say, a pound (or £10/£100 for super busy/famous people) would be able to email them.
As we know, Youtube has/is developing methods of payment to watch videos, and online papers are experimenting, so micropayments may be common sooner than we think.
Why OpalCalc is the best Windows calc
Is that 5% sent is spam, or 5% that is delivered is spam? There are layers of spam blockers before any mail even gets remotely near anyones inbox.
95% of slashdoters don't RTFA.
One thing to keep in mind is that even though it looks bad (and for email it certainly is..), most other mediums aren't quite as affected by it. I do get quite a bit of Spam on ICQ these days, but the ratio between spam messages and real messages is waaaaaaaay better than 20:1. I would expect the same to hold true for most other mediums as well, so that it might in fact be a good idea to use those as a separate alternative communication channel should your inbox become overwhelmed. Something i have noticed over the years is the reduction in Trojans and worms being sent (at least to my inbox). There was a time when i received around 50 trojan-emails a day, whereas now it has been quite a while that a spam mail did actually contain any attachment whatsoever. To summarize, yeah.. email looks bad, but there's a whole set of alternative or additional channels that can be used which aren't quite as saturated.
I have no idea why, but my spam count has gone down. I have my own domain name and I used to receive about 100 spam per day. Lately that's gone down to 2 or 3.
I'm not doing anything different so I assume I fell off a list or someone upstream is fixing things.
Sometimes I run a filter that let's all plaintext through but whitelists mime and messages with http or www in the message. They get rejected at the server level.
I just turn it off when I register for new web sites.
http://www.cbsnews.com/stories/2004/01/24/tech/main595595.shtml
Bill Gates promised in 2004 that spam would be completely solved within 2 years.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Look at my mail server's spam status.
the RBL has blocked 95% of the spam out there.
57.5% had no SPF records. Looks like SPF has gained a lot of ground now... almost half of the Internet is now using it.
Using Surgemail, I do not need to use 3rd party anti-spam systems as the anti-spam is handled by the mail server itself. It handled 4 million messages in a month and does not break a sweat. I love this mail server and no other system can persuade me to switch... Support is incredible, service top notch... can not praise it enough.
Spam status:
RBL Denied 95.3% (1882484), Stamped 4.7% (93193), Checked 1975678
Total score 3 or above 75.5% 123278/163348
Aspam Score 1 or above 15.4%, ngood=987 nbad=2965 ncatcher=2521
URL Database 13.6%, In database bad=12997 neutral=2168 fromnet=15138
SPF hits (msgs) 68.8% 2753806/4002538, (no spf=2302652 57.5% pass=361145 of 4002493)
SPF rcpts blocked 0.0% (0/698887) allow=0 dkf=5393
Badfrom hits 0.0% bad=0 good=384559 mx=0
Spam Bounce (0) 2.5%
Helo failures 235981 5.7%
SURBL 38.0% 94570/248869 0/0
User spam actions Vanished:8 Bounced:21793 Stored:46
Friends Allow:23059 Block:0 Confirmation:14944 (Bounced:2787 Replies:128 Spam-ratio:0.96)
DomainKeys goodsigs=15730, badsigs=458, nosig=0, badformat=408
SPFShare isspam=814 notspam=0 allow=0 web=2630 tell=0 (knowndb=270297)
SpamC 104.09% (db 443774/34284) spam=108206 ok=36709 zero=103954
From Blacklist 0 records, 0 hits
False Pos 128/14944 0.86% (based on friend confirmations)
False Pos 7732/41670 19% (based on msgs from friends)
aspam_content.txt 7788 3.1%
*Headline News* censorship shuts down the Internet! More at 6PM!
I am surprised they conclude the fraction of good mails is as high as 5%.
From the CERN mail server report:
Incoming mails: 1992789
Rejected: 1952787 (98%)
Moved to Spam Folder: 14520 (1%)
Good mails: 25482 (1%)
Spam in Total 99%
And this is a good day. Often good mails are less than 1%.
617B3B7F7E7C7D7F00EOF
Bill Gates called it, way back in 2004. And Bill Gates is never wrong about ANYTHING. So it's pretty obvious that whatever we've all been receiving in our inboxes since 2006 that looks like spam isn't. Probably, we're all just overwhelmed by all of the legitimate emails we're getting from our many, many friends nowadays, who really are just trying to tell us about some aweS0me dea1z on r0lexxes, and we just can't decide which of the incredible bargains to choose from. And it's actually Google and Yahoo's fault for not having deprecated their spam filters, even though spam now is a thing of the past (trying to make MS look bad, of course). So they keep catching your friends' emails as spam. But it can't be spam, because it's 2010 already. And Bill Gates said.
I've introduced a number of people to a multitiered system which, for me, has almost completely solved my spam problem.
1) Do the unthinkable, actually pay for email service at a place, ideally, like www.fastmail.fm which uses spamassassin unlike the simpler less forgiving systems at yahoo/gmail/etc.
2) Use a handful of aliases (yielding unlimited email addresses) in order to sort mail to its relevant level of "attention"
e.g.
2a) john.smith@fastmail.fm would go to friends to use
2b) wellsFargo@level01.fastmail.fm would go to a site you trust like your bank and be filed in you level01 folder
2c) chineseCommerceSite@level05.fastmail.fm would go to your level05 folder and so on...
3) Beauty of the above systems is that when an address gets spammed (or the site sends too much garbage), you can easily disable it via a filter since each site should have its own email address
4) Further, you are less likely to receive obvious spam via setting a high spamassassin threshold and the fact that a site like fastmail subscribes to various RTBL's
Using this system, I've received barely anything more than 1 spam per month to any "un-aliased" address. The overwhelming majority of the time, said spams are properly flagged by spamassassin.
I hope this helps
ISPs don't need to specifically disallow something that is already against the law. So, you find it dismaying that over 25% of ISPs allow you to use the bandwith you pay for in any way you wish as long as you don't do anything illegal. I assume that the alternative is that ISPs begin regulating Internet traffic based on their arbitary interpretations of what you are ethically allowed to do. (See: Peer-to-Peer netlimiting)
The thing is, if I send many thousands of emails in one day, I might be sending e-mails to some online community I manage, it might be related to some service I offer, or any number of other legal and ethical uses of the bandwith I paid for. The ISP can't know what those are unless they actually read my e-mails or closely monitor them (something I really don't want my ISP to do!). Even if they call me "What are you doing?" they still have to take my word for it or violate my (and others') privacy. Even if they knew exactly what I was doing and personally thought it was unethical but knew it was legal, I would argue against it being their right to interfere.
Unfortunately, 95% delivery failure does not mean 95% spam. Some spam gets delivered to my inbox, and I'm certain that some legitimate email gets blocked. Unfortunately, the businesmen who like to use "email marketing" have no idea how much of a problem it is, and the technical people doing the filtering refuse to bounce (instead of black hole) suspected spam as doing so would work as a DoS amplifier.
There's no single solution to spam, obviously at times I want people that have never sent me an email before to be able to reach me. Trying to derive whether it's spam from the content will always be an approximate process. But what is not so great is that currently, all the eggs are in one basket. If you get your hands on my email address, then it's valid for years and years, and I have no practical means of switching.
What would help a great deal, is if there was a standard way to generate and revoke an email address for a specific purpose, auto-alias any reply and in the reply include a forward to a different alias. Yes, occasionally I spell it out over the phone or someone has to type it in from paper and shortness and readability is important, but many times it is not. For example, I don't publish my email address here but if I could easily generate an alias ad453785cd76786da76b7678654aa@gmail.com and have it delivered to my real address with the possibility of nuking it I'd consider it.
The rest are really continuations of the same idea, because you'd get a lot of "harmless" mail saying like "Hello, I saw your post at [slashdot comment you made] and think your posts show just the kind of employees we are looking for. We at [bullshit company w/fake web page] would like to increase our technical staff and if you are interested, please send us your resume." which serve no other purpose than to reveal your unaliased address. For that reason, all mail sent to an alias should be replied to using the same alias.
The other issue is that for revocation to practically work, I can't have people who did get in contact with me over the slashdot alias that I'd like to stay in contact with keep using that alias. I have to either give them my real address or point them to a new alias. There's "Reply-To:" and just telling them in the email, but it's a bit weak. Finally a revoked address should optionally give a customer-chosen rejection reason, so that it could be things like "Switched alias, try [new address]" "This alias is expired, find my current address on slashdot.org", "If important, you can still reach me on phone 555-1234" instead of the default "No account with that name".
The best part of someone actually doing is, is that the whole system doesn't need to change. One web mail provider could create this exact setup with the controls to generate and revoke addresses, make sure your replies to an alias are aliased, update and control the Reply-To so you can't redirect it anywhere else and create the custom rejection messages. The only thing it can't do is make sure the recipient updates their address book or whatever, but if the ball gets rolling that will be fixed.
Live today, because you never know what tomorrow brings
How about this take on e-mail postage. We know spammers/phishers send lots of e-mail, but receive very little or none. We use that to our advantage
Before sending e-mail, a sender buys postage, and it goes into their account. Maybe a penny a stamp give or take. When an e-mail is send, a stamp is taken out of the sender account and put into an escrow for each recipient. The e-mail is digitally signed for the escrow id, and sent like normal, but all spam filtering services then check the signature along the way.
When a recipient opens an e-mail, The escrow stamp set assigned for them is transfered to their account (e-mail client, or service provides this). Note: it can only be collected once for each person per e-mail, and it only goes to the account associated with the e-mail.
So after an initial stamp purchase, postage will transfer back and forth, and a normal user should never have to purchase postage again. A person, or company that sends lots of e-mail will have to keep buying postage to send. PHishing and spamming becomes economically difficult.
More reputable spammers/companies will have to buy postage to stay in business.
One last thing, users will be able to sell back stamps when there account starts to fill up, but at less of a price, to pay for the service and keep the validation servers running. So stamps are purchased at retail prices, and sold back at whole sale prices. Spammers/Hammers that stay in business end up paying for the service.
There is much more details, and ideas that can go along with this, but for the sake of brevity, I'll keep int at that.
Maybe ISPs should stop fixating on P2P traffic and try harder to stop spam. Then they'd free up a ton of bandwidth AND make their customers happier.
So.. it has come to this
I use DNS blocklists, greylisting, and a bayes filter. I rarely see spam, maybe 1 or 2 stupid marketing mails from companies I have dealt with a week. My work has more or less the same setup and doesn't get much spam either.
This report must be counting mail blocked at the SMTP level as spam. That seems the only way to get upto 95%.
Bill Gates appears to know little about technology. Why else would be make such a stupid statement?
He reminds me of the support guy that just makes stuff up because most users will believe anything.
Please put the answer in the title of your response. Note that gmail deletes spam that is older than one month so if you answer for another spam system, count for the last 31 days or specify the length of time.
I have 396, much lower than the peak that has been around 900 for years then abruptly got to around 400 each month and remarkably stable.
Men are born ignorant, not stupid; they are made stupid by education. Bertrand Russel
I've had the same main email address since the mid 90s, so as you might expect it's on every spam list going, and on average I'm seeing 100 emails a day hitting my Outlook spam folder. However it's never an issue for me as I pay for the rather wonderful Cloudmark spamfilter which is near as dam it 100% accurate for my use.
So all I have is spam hitting my spam fillter at about one every 15 minutes. Which has on several occasions been a useful 'heartbeat' to diagnose when my there's something wrong with my connectivity - either the internet connection itself or the servers being hit by spam.
It's so reliable a diagnostic that I've even wondered if there's a viable commercial product in there based on the idea :-)
If you take the % at home ( i host my own domain, and I'm the only real user... ) its more like 99.9% due to all the bounce backs and 'dictionary' emails which don't exist anyway..
At the office, its well over 98. ( external email only, not internal )
---- Booth was a patriot ----
Yep. This is why I simply abandoned email. Sure, I have a gmail box so that I can "click on this link to activate my membership", but other than that it just slowly fills up with "newsletters" I never read. Any actual human being wanting to contact me online knows full well by now to send me a PM in some "walled garden" environment such as facebook or one of the music forum/communities I visit. Does this reversion to "walled garden" comms systems suck from a 'back in the day the internet was supposed to be all about...' techno-philosophical angle? Sure. Do I really give a shit? No. My friends can reliably message me over the internet, spam is a non issue, win win.
I know what you're going to say... what about people who aren't already my friends and don't already know I never read my email and they should hit me up on facebook or wherever? Well... yeah... what about them? I don't really feel my life suffers for all the unsolicitied but not spam email I would be getting in a parallel universe where spam doesn't exist. Anyway, the only instances of this I can envisage would be, for example, someone likes my music and wants to message me about it, in which case they'd have found it via a forum post or my myspace page, ergo they can message me via that forum or via myspace, so it's really a non issue.
I feel sympathetic for people whose circumstances are such where putting "My email address is blahblah@example.com" out in the wild is the only realistic choice they have, but personally I just thought, right, the whole email channel is saturated with shit, therefore I give up on that channel.
I have had my own domain since uunet! days. I drop connections when the envelope header is to a non-existent account. There are very few valid accounts on this domain. Here are the last three days stats on dropped and accepted connections (D dropped, N accepted):
D/837,780 N/941
D/935,298 N/884
D/901,749 N/832
This is 1 valid email out of 1000 attempts to a first approximation, 99.9% spam. Even with these, I still get several hundred validly addressed spams a day, most automatically junked altho I still scan the Subjects and Froms in case the odd transient correspondent was not white listed.
The bogus account names are complete nonsense, just tossing out names and seeing which ones stick.
Infuriate left and right
People can brag about their filters, white-lists, black-lists, etc, all they want. But if this count is accurate, it gives a good indication of the true cost of spam. If 95% of email is spam, then that means only 1 email of every 20 sent is legit. Which could be extrapolated to mean that what you "pay" - by ISP charges, etc ... for your email is also paying for 19 spam messages.
Because in the end, servers around the world are using bandwidth, storage, CPU time, etc, to relay spam. And those servers have to be paid for somehow.
So keep that in mind the next time you think of installing a fancy spam filter to solve your problem; you're really just displacing one cost for another by using some of your own resources to deal with spam once it reaches your inbox. If you want to actually help address the spam problem, look to the root cause of the spam instead of continuing to address only the effects of it.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
If you hardly ever use your "real" email address, or only to very limited number of recipients, then yes, you are less likely to get spam. But if you use email a lot, even to people you otherwise trust, every time you hit send you are handing them your address - as well as transmitting it to any number of relays along the way. And any of your recipients can be malware infested.
What's striking is how few different spams there are. When one of the major spammers is shut down, spam drops noticeably worldwide. Statistics like "the top N spammmers account for NN% of the spam" could be helpful. In terms of cost, the top few spammers probably have more impact than Al-Queda.
Maybe we could get major spammers classified as enemies of the United States, so the CIA could go after them.
Imagine that the volume of non-spam email remains constant.
If spam was previously 94% of email, and is now just over 95% of email, that is not a change of 1% in the amount of spam.
Let's give concrete numbers. Imagine that there are one million non-spam emails per time unit. How much spam needs to be sent for spam to be 94% of email? The total amount of mail would be 16.6~ million emails, so 15.6~ million of them would be spam. Now imagine that the new amount of non-spam email is "less than 5%" -- let's say it's 4.9%. That would mean a total volume of email of about 20.4M, so about 19.4M of them are spam. So. That's a 23% increase in the volume of spam.
Now let's be realistic. Does anyone actually think the volume of non-spam email has *decreased*? I sure don't.
So this "minor" change is on the rough order of a TWENTY FIVE PERCENT INCREASE in the amount of spam.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
I managed to get a little over 50% spam reduction, and many other bad guy type connections by blocking most of Asia, Russia, and many other of the most notorious spam countries at the firewall level. If you have no good reason to every receive legit traffic from those countries, why let them connect?
You have to be careful about getting the ISP blocks right, but if most of your clients and customers come from a few known countries or especially inside just one country you can really crank down the number of potential targets you have to deal with in the logs.
Yea, people can attack through proxies and spam through proxies, but consider if you just eliminate half the computers in the World that do not need to connect to your servers.
Living in Chile
If I add up the flyers, coupons, direct marketing, and other BS that hits my mailbox (including inside the statement envelopes), and compare it to the actual bills or statements I receive, by weight, I am pretty sure 95% of my snail mail is spam too.