A Welcome Shift: Spam Now Constitutes Less Than Half of All Email

An anonymous reader writes: According to Symantec's latest Intelligence Report, spam has fallen to less than 50% of all email in June – a number we haven't seen in over a decade. Of all emails received by Symantec clients in June, junk emails only accounts for 49.7% down from 52.1% in April which shows a huge drop. Year over year, spam has decreased as well due to internet providers doing a better job at filtering and shutting down spam bots.

Still too much

[Z00L00K]

It's still too much, it has to be stopped, and the penalties for junk mail and online fraud are way too mild.

Re:Still too much

[TheRealQuestor]

Agreed but to be honest I get maybe 1 or 2 junk mails in my Outlook inbox every couple of months or so. I have pretty much forgotten the days where I'd get 100's a day. I've forgotten that it was even an issue to be honest. I just don't see them anymore as I send all my email through my primary email to my gmail and finally to my outlook and they just aren't there anymore. Primary filters, gmail filters, and outlook just doesn't see them, I'm pretty much shocked when one does get through lol.

Re:Still too much

[Tablizer]

The real fix is to charge for email. To send an email, have a 2 cent charge. 1 cent goes to the ISP, and the other to a governing and enforcement body -- the ePost Office.

Spammers right now send for almost free. If they had to pay two cents for each recipient, it would put most out of business.

And they'd have to leave a money trail, making it easier to find and bust them.

Re:Still too much

[dknj]

Your post advocates a

( ) technical ( ) legislative (X) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
(X) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
(X) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

Re:Still too much

[ArmoredDragon]

I think it would be considerably easier if SMTP was updated to require not only a reverse DNS arpa pointer record of the sending server, but the reverse DNS record must also have a matching MX record. Almost all legitimate mail servers already do this, and the ones that don't easily can.

Right now, most SMTP implementations don't require DNS at all, and unless spammers can hack every DNS server that most POP servers use, then their botnets aren't going to be able to send spam.

Re:Still too much

[Opportunist]

If you consider for a moment that quite a bit of spam comes from hacked accounts (because it's trivial to filter out spam sources that have broken MX records or are untrustworthy for other reasons), you might get an idea why it's NOT a good idea and who'd eventually foot that bill.

But hey, it may finally make people consider protecting against trojans relevant when it hits their wallet with four-five digits.

Re:Still too much

[SgtAaron]

Agreed but to be honest I get maybe 1 or 2 junk mails in my Outlook inbox every couple of months or so.

Sysadmins who happen to administer email servers have not forgotten. It's still an issue, big time.

Re:Still too much

[Ark42]

Hotmail/MSN/Outlook mail is well known for just not delivering lots of legitimate mail now. You may not see spam there, but you may not get mail from a friend who doesn't use common webmail like gmail or Yahoo. The mail does not even go to your junk/spam folders, and it does not get bounced to the sender. They just silently accept and delete incoming mail, without any notification.

I'd, personally, rather see spam getting through than email become a useless technology that fades away because people can't rely on it anymore.

Re:Still too much

[wvmarle]

You see how well that works for traditional paper junk mail, where the cost of sending out mailings, even delivered door to door, is easily an order of magnitude higher than the number you suggest.

It's totally non-existent thanks to this cost, right?

Re:Still too much

[JustAnotherOldGuy]

^^^^ This times 1000.

Email has become fairly unreliable because many of the larger providers simply drop any suspect email, and they do it silently. No bounceback, no indication that it was rejected, nothing. They just drop it without any indication whatsoever. You send an email and it never arrives, never comes back as undeliverable, it just disappears.

In the last few years I've seen this happening more and more and more, to the point that I sometimes have to call the recipient to see if they got what I sent.

Now only if we could do that with real mail!

[Irate+Engineer]

Is there such a thing as a spam filter for regular (paper) junk mail?

It's like some perverse life cycle - my paper recycling gets picked up, made into paper, which is then made into junk mail, which is then delivered, and unceremoniously dumped into my paper recycling without being read.

Re:Now only if we could do that with real mail!

Eg. in the Netherlands you can find stickers on mailboxes saying "NO to unaddressed advert print -- NO to local circulars". The latter are "local news" rags dropped in every mailbox, paid for by advertising. Typically the local municipality publishes notices in them, so it's not unusual to see "NO -- YES" stickers. There also do exist YES -- NO and YES -- YES variants of the stickers but those are understandably rare. These are not backed by any law, but since people tend to get irate if the stickers aren't respected, they usually are. Someone came up with them and the design stuck.

One example and another example (including NO -- YES variant).

An image search for "nee nee sticker" gets lots of examples, including the inevitable jokes. In eg. Germany you can see different designs, search for "bitte keine werbung".

Celebrate!

[Tablizer]

That news makes me so happy, I'm gonna send a check to that Nigerian Prince needing help getting his money out of a foreign bank.

Nobody emails them

[darkain]

Maybe nobody emails them specifically? I still get ~7,000 junk emails per month (caught by spam filters), compared to maybe 200-500 legit messages.

49% wooo hooo

[Tablizer]

One half? High standards! That's like saying a car "only bursts into flames on Tuesdays now". It's a fucked up system; it just went from being mega-fucked down to hyper-fucked. I guess if you are used to being mega-fucked, then hyper-fucked seems better.

Re:Why are yo not drunk?

[ladislavb]

Living in the era of the borderless world wide web, I really hate to remind some Slashdot readers that there are many many places on earth where it is NOT feiday night right now.

Re:What a load of BS

[Tablizer]

This sounds like Bill Gates a few years ago when he claimed spam wasn't a problem.

"640 spams a day oughta be enough for anybody."

Re:Why are yo not drunk?

You need to just get a lief

I'm not gay and I'm not into Vikings.

SPF, DKIM, and DMARC

[Demonoid-Penguin]

The Symantec report quotes numbers - not reasons. The referenced "story" just quotes a summary of figures from the Report.

The biggest changes to email in the last year have not been arrests or deaths of spammers - but the implementation of SPF, DKIM and DMARC by email providers.

Especially in my experience, has greatly increased the amount of email rejected for delivery (so sorry, the claimed source is clearly spoofed, now filed in the big round grey folder). The "direct"/email marketing forums are full of "entrepreneurs" complaining about it (boo-fucking-hoo).

Primarily it stops forged From headers with providers that reject failures or missing authentication (e.g. Yahoo), Secondly it (DMARC) increases spam reports by providers that use the data, resulting in faster and more accurate spam filters from the suppliers.

Next year will be hell on spammers as many email providers follow Yahoo's lead and change their DMARC policy to "p=reject". Maybe then we'll see mailing list providers stop whining about the policy and work-around it (instead of continuing to do things the way they've always done things in a changing world), and they'll see a reduction in the amount of spam they are resending. Anecdotal evidence is that they've all seen an increase in spam as spammers target mail providers that don't enforce SPF, DKIM and DMARC.

Sure the full implementation will piss off some that aren't actually spammers (*cough*MailChimp*cough) but it'll also make phishing a lot harder. Eventually it may even shut up those who don't understand it, well, maybe. It isn't perfect, though it's not a bad as clueless Seltzer claims. In a perfect world people would deploy DNSSEC on their email servers so better sender authentication methods could be used - and all email senders and recipients would use and understand PGP (fat chance of that happening).

Spam stems from lack of negative feedback

[Morgaine]

Control Theory is applied mainly to electronic systems, but it's equally applicable to all systems everywhere, with no exception. That includes networking, and it even governs human systems.

It's a truism in Control Theory that a system without negative feedback is a system that is out of control. All non-trivial systems without negative feedback head towards an uncontrolled state on the slightest perturbation of initial conditions.

Email is one such system. It was designed without negative feedback back in the early days of the academic Internet before malicious actors appeared on the scene. Because there is no "cost" associated with sending an email, the system went out of control --- the primary effect of that is spam. (This "cost" has nothing to do with money.)

In Control Theory terms, "cost" is any control metric that tracks an undesired effect and reduces that effect when applied to its cause. One of the most universal undesired effects is resource consumption, and that's directly applicable to the email problem because many kinds of resources are used up by spam when it arrives at MTAs and at end-user mailboxes --- examples are CPU time, storage space, network bandwidth, end-user time, and many other things. They're all resources, and spam is the direct result of the spammer feeling no "cost" when he consumes other people's resources. There is no negative feedback being applied to his posting of spam.

"Cost" in the control theoretical sense could be many things when applied to email, for example a slowdown in the spammer's ability to post his next email proportional to the rate of sending and to the number of recipients. There are dozens of possible ways to make a spammer feel a "cost" as negative feedback for his actions, many of them leaving normal mail users entirely undisturbed by the negative feedback. Unfortunately email has none of these control methods available, and it probably never will because it's too late in the day.

One day however, a new asynchronous communication protocol will be designed to replace SMTP. It must be designed with a mechanism for negative feedback integral to the protocol and non-optional, or else the spam problem will appear again, sure as night follows day.

Note that we have many other systems out of control in computer networking, it's not just email. For example, there is no negative feedback applied to rampant abuse of user-side scripting by web pages. Web developers feel no cost regardless of how much end-user CPU, storage, or network bandwidth they employ, and since there is no negative feedback applied to their over-use, browsers typically have their CPUs pegged at 100% and the Web has turned to molasses. As techies we try to control the Web excesses with NoScript (for example) just as we try to control spam with SpamAssassin, but these are just fighting symptoms. You can't cure a disease by fighting symptoms.

This is a universal truth. No negative feedback spells trouble ahead.

Re:Spam stems from lack of negative feedback

[JaredOfEuropa]

You can charge that cost (in whatever form it comes) to spammers only; if you apply it to everyone equally, you'll run into another phenomenon called "market failure". And identifying spam and spammers is something that many researchers and developers have tried solving already. That's the real problem: it is hard to distinguish spam sources, usage patterns and content from legitimate emailers, especially bulk emailers. How do you propose to "track an undesired effect" in email?

Flawed statistics are flawed

[Opportunist]

Yay, we're down to 50%! that means spam is down, right?

Nope. Sorry. Spam is alive and well as it always was. But more and more companies are switching to mail for sending their bills. What you used to get as a dead tree edition, you now get via bits. Your ISP sends his invoice via email, so do Amazon, EBay, PayPal and pretty much any online trader.

Spam mail isn't down. Legitimate (for varying definitions of legitimate) mail is up. That's all.

Re:Flawed statistics are flawed

[Demonoid-Penguin]

The other difference is that Yahoo and Google [sic and every other BP email provider] have locked down email so that legitimate email isn't getting delivered. Now other providers are following the same rules. When you block a lot of email, it never gets delivered.

There are certain people I just can't mail anymore.

Then implement SPF, DKIM and DMARC - it's not hard compared to correctly configuring a mail server. As a bonus halfwits with a spare 10 minutes won't be able to spoof your email address.

But until you do something other than complain you remain part of the problem instead of part of the solution.

LinkedIn...

[jb_nizet]

Do they count LinkedIn email as spam? Because that would probably make the number climb to 75%.

> Unsubscribe from LinkedIn
> Delete email account
> Sell house, live in woods
> Find bottle in river
> Has note inside
> It's from LinkedIn
Source: https://twitter.com/darylginn/...

Re:XP

[Demonoid-Penguin]

There are still a couple of hundred million XP machines running. As that number declines so does the amount of spam, but there's a long way to go.

The number of XP boxes on the internet has little to do with spam. It did when cheap VPS, cloud and broadband was uncommon. Blame their owners for a lot of things - but blame for spam is misplaced (the main exception being Michael Lindsay's "customers"). It's far cheaper, and easier to either rent a host or pay a mailing service than it is to rent (or build) a bot-net of sufficient size to produce a measurable amount of the worlds spam. SPF, DKIM and DMARC has also considerably reduced the viability of bot-nets for spamming as the major email providers reject their unauthenticated headers, or quickly identify them as spam.

The majority of those services provided by a small number of companies (in order of volume):- softbank.co.jp, unicom-bj, unicom-sc, drpeng.com.cn, webexxpurts.com, gmo.jp, kddi.ne.jp, kyivstar.net, uplus.co.kr, softcom.com.

The majority of spam is commissioned by a small number of arseholes (a significant number of them are bases in North America since China cleaned up it's act). In order of volume:-

• Canadian Pharmacy - Ukraine. A long time running pharmacy spam operation. They send tens of millions of spams per day using botnet techniques. Probably based in Eastern Europe, Ukraine/Russia. Host spammed web sites on botnets and on bulletproof Chinese web hosting.
• Dante Jimenez / Aiming Invest - United States. Spamwarez, lists, "bulletproof" hosting in the finest South Florida tradition. Working with worst cybercriminal botnet spammers. Now mostly involved in massive botnet spamming with hosting on hacked servers and Eastern European hosters.
• Yair Shalev / Kobeni Solutions - United States. High volume snowshoe spammer from Florida, (former?) partner-in-spam of ROKSO spammer Darrin Wohl. Son-in-law of ROKSO listed spammer Dan Abramovich. Sued by FTC in 2014 due to fraud.
• Yambo Financials - Ukraine. Huge spamhaus tied into distribution and billing for child, animal, and incest-porn, pirated software, and pharmaceuticals. Run their own merchant services (credit-card "collection" sites) set up as a fake "bank."
• Mike Boehm and Associates - United States. Snowshoe spam organization that uses large numbers of inexpensive, automated VPS hosting IPs and domains in whatever TLD is currently cheapest to send high volumes of spam to extremely dirty, scraped lists. Operates under many business and individual names.
• Michael Persaud - United States. Long time snowshoe type spammer.
• Michael Lindsay - United States. Lindsay's iMedia Networks is a full-fledged spam-hosting operation serving bulletproof hosting at high premiums to well known ROKSO-listed spammers. His customers spam via botnet zombies with spam payloads hosted offshore, tunneled back to his servers. He and the gang have been hijacking (stealing) IP address space from companies for years to spam from. Illegal in the USA.
• Jagger Babuin / BHSI - Canada. Romanian spammer now living in Vancouver BC. Also known as the "Dr Oz" spammer.
• First Place SEO & financial fraud spam gang - United States. Seem to be either Northern New Jersey or San Diego, California based scammers. They rent endless numbers of servers and buy endless domains to then pump out "SEO", search-engine-rankings and financial fraud scam spams.
• Josh Henderson or Nicholson - bulletproofvps.com - Canada. Offshore Bulletproof Hosting is his thing.

Top 10 countries that produce and export spam, in order of significance:- United States, China, Russian Federation, Ukraine, Japan, United Kingdom, India, Germany, Brazil, Turkey

Sources

Lawsuits

[www.sorehands.com]

Lawsuits against companies for illegal spam also reduces spam.

in 2003, I filed a spam lawsuit against a drug spammer in Florida. Shortly after I settled, the amount of spam I received went down by about 50%.

I filed several spam lawsuits between 2013 and 2014. The e-mail load on my mail server went down by 75%.

Between May 27 2013 and Sat Jul 18 2015 (782 days) my server processed 4,801,196 e-mails (6,1397/day).

In 2012, my server typically processed between 20k-22k e-mails per day.

Between Aug 11 2008 and Nov 29 2008 (110 days) my served processed 1,419,128 e-mails. (12,901/day) But In 2011 I more than doubled the number of e-mail users.

When you sue the advertisers, they may terminate some of the spammer and the advertisers get some of the money from the spam networks that they use. At the very least, spam lawsuits get you on the spammer's suppression lists.