A Welcome Shift: Spam Now Constitutes Less Than Half of All Email

An anonymous reader writes: According to Symantec's latest Intelligence Report, spam has fallen to less than 50% of all email in June – a number we haven't seen in over a decade. Of all emails received by Symantec clients in June, junk emails only accounts for 49.7% down from 52.1% in April which shows a huge drop. Year over year, spam has decreased as well due to internet providers doing a better job at filtering and shutting down spam bots.

Now only if we could do that with real mail!

[Irate+Engineer]

Is there such a thing as a spam filter for regular (paper) junk mail?

It's like some perverse life cycle - my paper recycling gets picked up, made into paper, which is then made into junk mail, which is then delivered, and unceremoniously dumped into my paper recycling without being read.

Re:Now only if we could do that with real mail!

Eg. in the Netherlands you can find stickers on mailboxes saying "NO to unaddressed advert print -- NO to local circulars". The latter are "local news" rags dropped in every mailbox, paid for by advertising. Typically the local municipality publishes notices in them, so it's not unusual to see "NO -- YES" stickers. There also do exist YES -- NO and YES -- YES variants of the stickers but those are understandably rare. These are not backed by any law, but since people tend to get irate if the stickers aren't respected, they usually are. Someone came up with them and the design stuck.

One example and another example (including NO -- YES variant).

An image search for "nee nee sticker" gets lots of examples, including the inevitable jokes. In eg. Germany you can see different designs, search for "bitte keine werbung".

Re:Still too much

[dknj]

Your post advocates a

( ) technical ( ) legislative (X) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
(X) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
(X) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(X) Asshats
( ) Jurisdictional problems
(X) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(X) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
(X) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

SPF, DKIM, and DMARC

[Demonoid-Penguin]

The Symantec report quotes numbers - not reasons. The referenced "story" just quotes a summary of figures from the Report.

The biggest changes to email in the last year have not been arrests or deaths of spammers - but the implementation of SPF, DKIM and DMARC by email providers.

Especially in my experience, has greatly increased the amount of email rejected for delivery (so sorry, the claimed source is clearly spoofed, now filed in the big round grey folder). The "direct"/email marketing forums are full of "entrepreneurs" complaining about it (boo-fucking-hoo).

Primarily it stops forged From headers with providers that reject failures or missing authentication (e.g. Yahoo), Secondly it (DMARC) increases spam reports by providers that use the data, resulting in faster and more accurate spam filters from the suppliers.

Next year will be hell on spammers as many email providers follow Yahoo's lead and change their DMARC policy to "p=reject". Maybe then we'll see mailing list providers stop whining about the policy and work-around it (instead of continuing to do things the way they've always done things in a changing world), and they'll see a reduction in the amount of spam they are resending. Anecdotal evidence is that they've all seen an increase in spam as spammers target mail providers that don't enforce SPF, DKIM and DMARC.

Sure the full implementation will piss off some that aren't actually spammers (*cough*MailChimp*cough) but it'll also make phishing a lot harder. Eventually it may even shut up those who don't understand it, well, maybe. It isn't perfect, though it's not a bad as clueless Seltzer claims. In a perfect world people would deploy DNSSEC on their email servers so better sender authentication methods could be used - and all email senders and recipients would use and understand PGP (fat chance of that happening).

Spam stems from lack of negative feedback

[Morgaine]

Control Theory is applied mainly to electronic systems, but it's equally applicable to all systems everywhere, with no exception. That includes networking, and it even governs human systems.

It's a truism in Control Theory that a system without negative feedback is a system that is out of control. All non-trivial systems without negative feedback head towards an uncontrolled state on the slightest perturbation of initial conditions.

Email is one such system. It was designed without negative feedback back in the early days of the academic Internet before malicious actors appeared on the scene. Because there is no "cost" associated with sending an email, the system went out of control --- the primary effect of that is spam. (This "cost" has nothing to do with money.)

In Control Theory terms, "cost" is any control metric that tracks an undesired effect and reduces that effect when applied to its cause. One of the most universal undesired effects is resource consumption, and that's directly applicable to the email problem because many kinds of resources are used up by spam when it arrives at MTAs and at end-user mailboxes --- examples are CPU time, storage space, network bandwidth, end-user time, and many other things. They're all resources, and spam is the direct result of the spammer feeling no "cost" when he consumes other people's resources. There is no negative feedback being applied to his posting of spam.

"Cost" in the control theoretical sense could be many things when applied to email, for example a slowdown in the spammer's ability to post his next email proportional to the rate of sending and to the number of recipients. There are dozens of possible ways to make a spammer feel a "cost" as negative feedback for his actions, many of them leaving normal mail users entirely undisturbed by the negative feedback. Unfortunately email has none of these control methods available, and it probably never will because it's too late in the day.

One day however, a new asynchronous communication protocol will be designed to replace SMTP. It must be designed with a mechanism for negative feedback integral to the protocol and non-optional, or else the spam problem will appear again, sure as night follows day.

Note that we have many other systems out of control in computer networking, it's not just email. For example, there is no negative feedback applied to rampant abuse of user-side scripting by web pages. Web developers feel no cost regardless of how much end-user CPU, storage, or network bandwidth they employ, and since there is no negative feedback applied to their over-use, browsers typically have their CPUs pegged at 100% and the Web has turned to molasses. As techies we try to control the Web excesses with NoScript (for example) just as we try to control spam with SpamAssassin, but these are just fighting symptoms. You can't cure a disease by fighting symptoms.

This is a universal truth. No negative feedback spells trouble ahead.

Re:Still too much

[Opportunist]

If you consider for a moment that quite a bit of spam comes from hacked accounts (because it's trivial to filter out spam sources that have broken MX records or are untrustworthy for other reasons), you might get an idea why it's NOT a good idea and who'd eventually foot that bill.

But hey, it may finally make people consider protecting against trojans relevant when it hits their wallet with four-five digits.

Re:Flawed statistics are flawed

[Demonoid-Penguin]

The other difference is that Yahoo and Google [sic and every other BP email provider] have locked down email so that legitimate email isn't getting delivered. Now other providers are following the same rules. When you block a lot of email, it never gets delivered.

There are certain people I just can't mail anymore.

Then implement SPF, DKIM and DMARC - it's not hard compared to correctly configuring a mail server. As a bonus halfwits with a spare 10 minutes won't be able to spoof your email address.

But until you do something other than complain you remain part of the problem instead of part of the solution.

Re:XP

[Demonoid-Penguin]

There are still a couple of hundred million XP machines running. As that number declines so does the amount of spam, but there's a long way to go.

The number of XP boxes on the internet has little to do with spam. It did when cheap VPS, cloud and broadband was uncommon. Blame their owners for a lot of things - but blame for spam is misplaced (the main exception being Michael Lindsay's "customers"). It's far cheaper, and easier to either rent a host or pay a mailing service than it is to rent (or build) a bot-net of sufficient size to produce a measurable amount of the worlds spam. SPF, DKIM and DMARC has also considerably reduced the viability of bot-nets for spamming as the major email providers reject their unauthenticated headers, or quickly identify them as spam.

The majority of those services provided by a small number of companies (in order of volume):- softbank.co.jp, unicom-bj, unicom-sc, drpeng.com.cn, webexxpurts.com, gmo.jp, kddi.ne.jp, kyivstar.net, uplus.co.kr, softcom.com.

The majority of spam is commissioned by a small number of arseholes (a significant number of them are bases in North America since China cleaned up it's act). In order of volume:-

• Canadian Pharmacy - Ukraine. A long time running pharmacy spam operation. They send tens of millions of spams per day using botnet techniques. Probably based in Eastern Europe, Ukraine/Russia. Host spammed web sites on botnets and on bulletproof Chinese web hosting.
• Dante Jimenez / Aiming Invest - United States. Spamwarez, lists, "bulletproof" hosting in the finest South Florida tradition. Working with worst cybercriminal botnet spammers. Now mostly involved in massive botnet spamming with hosting on hacked servers and Eastern European hosters.
• Yair Shalev / Kobeni Solutions - United States. High volume snowshoe spammer from Florida, (former?) partner-in-spam of ROKSO spammer Darrin Wohl. Son-in-law of ROKSO listed spammer Dan Abramovich. Sued by FTC in 2014 due to fraud.
• Yambo Financials - Ukraine. Huge spamhaus tied into distribution and billing for child, animal, and incest-porn, pirated software, and pharmaceuticals. Run their own merchant services (credit-card "collection" sites) set up as a fake "bank."
• Mike Boehm and Associates - United States. Snowshoe spam organization that uses large numbers of inexpensive, automated VPS hosting IPs and domains in whatever TLD is currently cheapest to send high volumes of spam to extremely dirty, scraped lists. Operates under many business and individual names.
• Michael Persaud - United States. Long time snowshoe type spammer.
• Michael Lindsay - United States. Lindsay's iMedia Networks is a full-fledged spam-hosting operation serving bulletproof hosting at high premiums to well known ROKSO-listed spammers. His customers spam via botnet zombies with spam payloads hosted offshore, tunneled back to his servers. He and the gang have been hijacking (stealing) IP address space from companies for years to spam from. Illegal in the USA.
• Jagger Babuin / BHSI - Canada. Romanian spammer now living in Vancouver BC. Also known as the "Dr Oz" spammer.
• First Place SEO & financial fraud spam gang - United States. Seem to be either Northern New Jersey or San Diego, California based scammers. They rent endless numbers of servers and buy endless domains to then pump out "SEO", search-engine-rankings and financial fraud scam spams.
• Josh Henderson or Nicholson - bulletproofvps.com - Canada. Offshore Bulletproof Hosting is his thing.

Top 10 countries that produce and export spam, in order of significance:- United States, China, Russian Federation, Ukraine, Japan, United Kingdom, India, Germany, Brazil, Turkey

Sources

Lawsuits

[www.sorehands.com]

Lawsuits against companies for illegal spam also reduces spam.

in 2003, I filed a spam lawsuit against a drug spammer in Florida. Shortly after I settled, the amount of spam I received went down by about 50%.

I filed several spam lawsuits between 2013 and 2014. The e-mail load on my mail server went down by 75%.

Between May 27 2013 and Sat Jul 18 2015 (782 days) my server processed 4,801,196 e-mails (6,1397/day).

In 2012, my server typically processed between 20k-22k e-mails per day.

Between Aug 11 2008 and Nov 29 2008 (110 days) my served processed 1,419,128 e-mails. (12,901/day) But In 2011 I more than doubled the number of e-mail users.

When you sue the advertisers, they may terminate some of the spammer and the advertisers get some of the money from the spam networks that they use. At the very least, spam lawsuits get you on the spammer's suppression lists.