[LINK] 80% of all spam from zombie PCs

Craig Sanders cas at taz.net.au
Wed Jun 9 13:36:02 EST 2004


On Wed, Jun 09, 2004 at 11:54:52AM +1000, Howard Lowndes wrote:
> > My own mail server (protected by a firewall and with an aggressive
> > Spamassassin installation) isolates me pretty well from spam. In one day
> > last weekend I received approx 10 emails - but had over 300 spam messages!
> 
> As I posted the other day, my own figures more than support the claim of over
> 80%.

i have no idea what percentage of blocked spam on my systems comes from
dialup, as my DUL RBL checks are one of the last anti-spam checks so most spam
gets rejected for other reasons before the RBL check (reason for this is that a
DNS check is a more "expensive" check in terms of time and bandwidth than a
quick lookup in a local hash.  if the local lookup results in a hit then
there's no need to do the DNS check).

i do know (from the output of my spam-stats program) that about 92% of all smtp
connections to my home mail server are spam, and that i manage to block 99.5%
of it at the SMTP level (last week's figures, which are fairly average).
almost all of the rest gets detected and tagged by spamassassin.  with about
40,000 spam attempts per week, all but about 180 are rejected during the smtp
session.  about 180 are detected and tagged (and go into my spamtrap folder to
become fodder for new anti-spam rules).  maybe 2 or 3 per month get through
without being tagged....these also become fodder for new anti-spam rules.  all
this spam, btw, is for a small home mail server with about half a dozen users.

my mail servers at work get significantly more mail, but proportionately less
spam (because there are many more valid users receiving legit mail)...currently
about 80% of all smtp connections are spam.


> There is one good thing about greylisting - it does reduce the traffic to
> your servers as the zombie is choked after the RCPT TO: level and not after
> the DATA: level as is the case with most anti-spam agents, so you do not
> receive the email in the first instance.

yes, greylisting is useful.  you could also use a dynamic/dialup DNSRBL and
block all smtp connections that come direct from dialup and dynamic addresses.



on a more general note:

there is no one anti-spam solution and there never will be.  there will never
be a black-box product that blocks spam, either.  to be effective, you have to
use several different anti-spam techniques together - RBLs, spamassassin, local
blacklists, bayesian filtering, custom body and header check regexps, and more.
maintaining and updating all this takes time and experience and the ability to
adapt to new spammer tricks as they come up with them.  those who have
experience doing this (or have a tech with experience looking after their mail
server) won't get much spam.  those who don't will get lots, no matter how much
they spend on anti-spam products.

welcome to the net.  spam is what it's all about these days.

craig

-- 
craig sanders <cas at taz.net.au>

The next time you vote, remember that "Regime change begins at home"
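
[Added example, not part of the original message or of any mail server's own code: a sketch of the check ordering discussed above, with the local hash lookup first, greylisting at RCPT TO, and the DNS-based dialup list last. The class and function names, the zone dul.example.invalid, the 300-second delay and the position of greylisting between the other two checks are assumptions; the DNS resolver is replaced by a constructed in-memory set so the code runs offline.]

```python
import ipaddress

# Hypothetical policy check run at RCPT TO time, cheapest test first.
class PolicyChecker:
    def __init__(self, local_blacklist, dnsbl_lookup, greylist_delay=300):
        self.local_blacklist = set(local_blacklist)  # local hash: no network cost
        self.dnsbl_lookup = dnsbl_lookup              # callable(query_name) -> bool
        self.greylist_delay = greylist_delay          # seconds before a retry passes
        self.first_seen = {}                          # (ip, sender, rcpt) -> first attempt
        self.dns_queries = 0                          # counts the "expensive" checks

    @staticmethod
    def dnsbl_query_name(ip, zone):
        # DNSBL convention: reverse the IPv4 octets and append the list's zone
        octets = str(ipaddress.IPv4Address(ip)).split(".")
        return ".".join(reversed(octets)) + "." + zone

    def check(self, ip, sender, rcpt, now, zone="dul.example.invalid"):
        # 1. local lookup: a hit here means the DNS check is never made
        if ip in self.local_blacklist:
            return "550 rejected: local blacklist"
        # 2. greylisting: temp-fail an unseen triplet before DATA is sent
        triplet = (ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.greylist_delay:
            return "450 greylisted: try again later"
        # 3. DNS-based list last, since it costs time and bandwidth
        self.dns_queries += 1
        if self.dnsbl_lookup(self.dnsbl_query_name(ip, zone)):
            return "550 rejected: dynamic/dialup address"
        return "250 ok"

# Constructed sample data: documentation address ranges, placeholder zone
LISTED = {"7.113.0.203.dul.example.invalid"}

def fake_dnsbl(name):
    return name in LISTED

def demo():
    pc = PolicyChecker(["192.0.2.10"], fake_dnsbl)
    results = [
        pc.check("192.0.2.10", "a@example.com", "u@example.org", now=0),
        pc.check("203.0.113.7", "b@example.com", "u@example.org", now=0),
        pc.check("203.0.113.7", "b@example.com", "u@example.org", now=600),
        pc.check("198.51.100.5", "c@example.com", "u@example.org", now=0),
        pc.check("198.51.100.5", "c@example.com", "u@example.org", now=600),
    ]
    return results, pc.dns_queries
```

[Five connection attempts in the constructed run cost only two DNS queries: the locally blacklisted host and both first-time greylisted attempts are answered without touching the network.]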


