Low spam detection

Denis Beauchemin Denis.Beauchemin at USherbrooke.ca
Wed Apr 1 21:13:27 IST 2009


Julian Field a écrit :
>
> On 1/4/09 19:53, Denis Beauchemin wrote:
>> Hello all,
>>
>> I am seeing a significant decrease in spam detection over the last 
>> months and I was wondering if anyone else was seeing the same trend 
>> on their servers.
>>
>> Here are my stats from the start of 2008:
>> month       emails        spam       virus      spam%    virus%
>> 2008-01    7 337 089    6 348 633     59 386    86,5%    0,8%
>> 2008-02    6 203 500    5 152 249    123 029    83,1%    2,0%
>> 2008-03    8 118 670    7 010 463    140 891    86,3%    1,7%
>> 2008-04    7 693 698    6 569 030     98 957    85,4%    1,3%
>> 2008-05    7 956 170    6 927 306     81 625    87,1%    1,0%
>> 2008-06    6 342 232    5 380 464     86 449    84,8%    1,4%
>> 2008-07    6 779 005    5 866 915    102 319    86,5%    1,5%
>> 2008-08    7 592 171    6 687 128    123 659    88,1%    1,6%
>> 2008-09    8 947 295    7 779 344    125 637    86,9%    1,4%
>> 2008-10    7 092 938    5 873 751     66 896    82,8%    0,9%
>> 2008-11    5 093 559    3 917 609     73 225    76,9%    1,4%
>> 2008-12    4 602 584    3 519 119     44 382    76,5%    1,0%
>> 2009-01    3 568 832    2 430 698     36 931    68,1%    1,0%
>> 2009-02    3 253 018    2 089 179     52 037    64,2%    1,6%
>> 2009-03    3 341 614    2 050 365     66 486    61,4%    2,0%
>>
>> My servers are quite current: RHEL 5.3, SA 3.2.5-1 with many SARE 
>> rules and KAM, DCC, Pyzor and Razor, Clam 0.95 with Sanesecurity and 
>> some others, and many RBLs in sendmail.
>>
>> Every email blocked by a RBL is counted as spam (because it probably 
>> is). Emails detected by Sanesecurity et al are counted as viruses.
>>
>> Do you have any ideas what could account for such abysmal spam rate 
>> detection? I can see the total number of emails received dropping 
>> significantly in the last 6 months.  Have others seen the same?
>>
>> Would DefenderMX help stop more spam?
> BarricadeMX probably would. However...
>
> Are you actually letting through much more spam than you were?
> We have seen overall incoming spam rates drop a lot too, but we aren't 
> letting through any more spam than we used to (I see no more spam than 
> I used to, and no-one has commented to me that they are getting much 
> more spam than they were).
> The graph here:
>     http://users.ecs.soton.ac.uk/jkf/goodtcp-year.png
> shows the percentage of incoming SMTP connections which turn into mail 
> delivered to someone's inbox, multiplied by 100.
>
> So if the number on the vertical axis reached 3600 (the limit of the 
> graph), then that would mean that 36% of SMTP connections resulted in 
> a message arriving in someone's inbox, and hence 64% of connections 
> resulted in the connection being dropped at SMTP time or the message 
> being refused/dropped by MailScanner.
>
> As you can see over the past year, the amount of spam reaching us has 
> dropped a lot. Remember that back last November the McColo spamming 
> colo centre was shut down, this resulted in a marked drop in global 
> spam quantities.
>
> This is from a sample of about 800,000 incoming SMTP connections per day.
>
> Jules
>

Julian,

I've seen more phishing/Nigerian scams slipping through lately and it is 
starting to annoy other people as well. I don't have the real picture 
for the progression of undetected spam but my gut feeling tells me it 
has worsened lately.

I've read recent reports (such as 
http://www.theregister.co.uk/2009/04/01/spam_trends/) that spammers have 
recovered from the McColo shutdown and spam is now flowing even more 
than it used to. But my numbers don't agree...

I guess I should ask for a trial for BarricadeMX. That would be the best 
way to see if it would improve that perception.

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x62252 F: 819.821.8045




More information about the MailScanner mailing list