SPAM Report Update

Sent 7/31/2006

———————

Hopefully you will have noticed a significant decline in the amount of SPAM making it through to your mailboxes over the last month or so.

In the first 30 days of the new mail server (2/28/06 – 3/28/06) we stopped 159,814 messages from being delivered to your mailboxes out of a total of 266,549 sent, which is 59.96 percent. On weekends the rate hovered around 80-85% stopped.

By the 6/20/06 – 7/18/06 period we were stopping 218,728 out of 320,104, or 68.33%, with most of the improvement occurring on weekdays, since the weekend rate was still in the +80% range.

The overlapping time frame that we are looking at right now, 7/4/06 – 8/1/06, shows that the rate is still climbing. If trends for the next two days continue to hold true, the mail servers will have stopped 220,771 messages identified as SPAM while allowing a total of 40,175 to be delivered, for a percentage of 84.60% out of 260,946 pieces of total mail! Of the total that the server allowed to be delivered, 14,920 were pieces of mail that it thought “might” be SPAM and tagged with the designation of either SPAM-LOW or SPAM-MED.

In addition to running every piece of email that the server receives through a gauntlet of 18 separate tests (Bayesian Filters, SPF Records, Reverse DNS tests and Public Blacklists), we have also implemented our own local Blacklists (both manual and automatic).

When a piece of email arrives it is compared to our local Manual and Automatic Blacklists. If it is found to have originated from a Blacklisted site our Mail server refuses the delivery.

If the message is accepted for delivery it is then put through a battery of tests. Each test results in a score being assigned. For example, if the mail arrives from a server without what is called a “Reverse DNS” or PTR Record, the message gets assigned a score of 30. AOL, for example, will refuse out of hand any mail sent to their users that comes from a server without a Reverse DNS record.

Each test that is passed or failed assigns a score ranging from a “credit” of 5 points to a high of 30 points. The more we “trust” the test, the higher the score we let it assign. The possible test scores are -5, +5, +10, +15, +20, +25 and +30. If an email obtains a score of +15 it is tagged with SPAM-LOW in its subject line. If it has a score of +25 it gets tagged with SPAM-MED, and a score of +35 will result in the server deleting the message.

If the score gets up to +45 the sending server will be placed automatically on the local Blacklist for a period of one hour.

In addition to buying email address lists, SPAMMERS will try to “harvest” addresses from a mail server. They do this by sending thousands of emails at a server. The addresses that bounce back they know do not exist, and they delete them from their lists. The addresses that don’t bounce back as undeliverable get recorded on their lists as valid. If our servers see 3 bad email address delivery attempts from a single source within a 5 minute time window we will block that sending server for 1 hour.
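The score thresholds and the harvesting rule described above, sketched in Python as an added example; this is not the mail server's own code. The class and method names are hypothetical, the stated scores are treated as minimum thresholds, and it assumes a message scoring +45 is deleted as well as getting its sender blocked.

```python
from collections import defaultdict, deque

BLOCK_SECONDS = 3600    # automatic Blacklist entries last one hour
HARVEST_LIMIT = 3       # bad-address delivery attempts from one source...
HARVEST_WINDOW = 300    # ...within a 5 minute window

class LocalFilter:      # hypothetical name, not the mail server's own code
    def __init__(self):
        self.blocked_until = {}               # source IP -> block expiry time
        self.bad_rcpts = defaultdict(deque)   # source IP -> times of bad attempts

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def bad_recipient(self, ip, now):
        """Record a delivery attempt to a nonexistent address.
        Returns True once the source is blocked for harvesting."""
        attempts = self.bad_rcpts[ip]
        attempts.append(now)
        while now - attempts[0] > HARVEST_WINDOW:   # drop attempts outside window
            attempts.popleft()
        if len(attempts) >= HARVEST_LIMIT:
            self.blocked_until[ip] = now + BLOCK_SECONDS
        return self.is_blocked(ip, now)

    def classify(self, ip, test_scores, now):
        """Return the action for one message, given its per-test scores."""
        if self.is_blocked(ip, now):
            return "REFUSE"                   # Blacklist check happens first
        total = sum(test_scores)
        if total >= 45:                       # sender goes on the Blacklist
            self.blocked_until[ip] = now + BLOCK_SECONDS
        if total >= 35:                       # assumption: +45 mail is deleted too
            return "DELETE"
        if total >= 25:
            return "SPAM-MED"
        if total >= 15:
            return "SPAM-LOW"
        return "DELIVER"

if __name__ == "__main__":
    f = LocalFilter()
    # Constructed sample: documentation-range IPs, times in seconds
    print(f.classify("192.0.2.10", [30, -5], now=0))     # no PTR record, one credit
    print(f.classify("192.0.2.11", [30, 15], now=0))
    print(f.classify("192.0.2.11", [-5], now=60))
    for t in (0, 100, 200):
        print(f.bad_recipient("198.51.100.7", now=t))
```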

Any mail that makes it through to our own email addresses (valid addresses and addresses set up as SPAM traps) gets looked at. If the message came from some poor dumb schmo whose computer got hacked we don’t do anything about that, since the use of those types of systems by SPAMMERS is very short-lived. However, if it originated from a Commercial SPAM enterprise (companies with names like Giant Rewards and AccelerateBiz, to name a couple) we add all of their addresses (normally in blocks of 255 addresses) to our Blacklist and contact the “Abuse” email address of the company that sold the SPAMMER the address space or bandwidth, telling them that their customer is spamming our users and that we have blocked their customer’s server addresses from sending to us.

It is a never ending battle.
