Spammers are winning--and it's not even close

If you spend an inordinate amount of time deleting the spam messages from your in-box, you are not alone.

According to the Web site trustedsource.org, there were a total of 154.3 billion mail messages sent around the world Sunday and 117.4 billion of them were spam. For those of you without a calculator, this means that 76 percent of those e-mail messages were spam. That's slightly below Symantec's recent monthly spam report, which claimed that on average 78.5 percent of e-mail messages are spam. Maybe Sunday was a slow day.

Remember a few years ago when industry and political leaders were trying to find a way to eliminate spam at its source? Congress passed the "Can-Spam Act," while Microsoft filed suit against 15 global spammers. Meanwhile, the security industry was actively trying to address spam at the technology level by establishing reputation services and tweaking domain name system services. Worthy efforts that haven't paid off.

At this point, there is only one thing for us common folk to do--purchase the best antispam protection that money can buy. You'd think this would be good news for the abundant number of me-too antispam vendors out there, but this is not so. Many second-tier vendors can't keep up under the growing deluge of spam so their products are becoming less effective over time. As a result, I see a lot of companies giving up on generic vendors and moving to market-leading products from Cisco Systems/IronPort and Symantec/BrightMail.

In the ultimate irony, more spam is actually bad for business for many in the antispam business. Go figure.

The big winners in the antispam war will likely be the service providers. Small organizations want to rid user mailboxes of spam but have no desire to buy and operative expensive antispam boxes. That's good news for Frontbridge (aka Microsoft) and Postini (Google), while other players like IBM and Trend Micro are also offering creative alternative solutions. Cisco/IronPort and Symantec/BrightMail must supplement products with managed services. Yes, each is dabbling in this area already. But managed services will soon dominate antispam solutions, so timing is essential.

As for the rest of us, it may be time to throw in the proverbial towel--unfortunately, spam has achieved a "certainty" status along with death and taxes. Fighting seems hopeless at this point. The best bet is to buy the best protection you can afford and move on.

[rosehill107]

Reporting Spam

I have used "Spam Cop" to report spam and I think I get less spam than before but I don't know. I wish something could be done to make spammers very, very afraid and constantly looking over their sholders. This will take cooperation from various governments including Nigeria but I'm afraid this won't happen.

[Andronicus]

Acctive anti spam

Remember that screen saver that 'zapped' spammers with counter spam. We need to revive something like that. Spammers must pay! The problem is everyone is pussyfooting around the issue, and not punishing the culprits. I have reported un-known large numbers of spammers, with no results. ISP's just don't care enough to do anything about it.

[Phillep_H]

Sources

IIRC, and if it's still current, spam is sent from compromised computers. Linux computers are hackable (from what I've been reading), but the installations vary so much (from reading and my own efforts to install) that viruses/trojans do not reach serious proportions, so they are a lesser problem. Older Windows installations and the MS programs that go with them are both hackable and subject to viruses/trojans.

There is an enormous pool of older MS machines around, and upgrading them is a pain, but that's where the spam originates, and that's where the effort needs to lie. Perhaps a router/modem on a PCI card would help?

Along with tracking down the spammers and breaking their knee caps.

[Seaspray0]

That's because

The worst spammers actually own the ISP. Spam won't be solved with today's email system. There is no "cost" associated to sending a spam.

We need a new email system.

[m_drunk]

BUY?

Why buy? How about you donate instead? The best spam proxy I've ever used is free (http://assp.sourceforge.net). It's not for everyday end users, but it works on a provider level very well.

[CleanDen]

I second the vote for ASSP

ASSP allowed me to drop all of my paid-for perimeter anti-spam products.
It's donation-ware and I have to admit to being a slacker when it comes to donating normally but with ASSP I had no qualms donating to the project.
It just works.

[lvwolfman--2008]

Easy and Free Anti-Spam Solution

I used to use Spam Assassin but even tightened WAY up it out of say 100 msgs, it'd find TWO that it thought was spam. Yet 80 or more that it passed would be spam.

Filters and message rules in my email clients worked but really slowed my email checking in the morning.

I now use Gmail's ability to check other accounts via pop. ZERO spam! Out of the hundreds and hundreds of messages it's marked as spam in the past week only one I didn't consider spam as I've done business with them before.

I'm seriously thinking of moving my domain's email to Gmail and perhaps even let Gmail handle my work email needs.

[lynxss]

Try using greylisting

At work we were getting slammed by spam, several hundred a day in some accounts. I tried Spam Assassin then adding in some RBLs for blocking bad hosts and that helped enormously but spam still got through and in an increasing amount.

I put up a greylisting service before the spam assassin check and viola 0 spam. I still occasionally get one that gets through, but at 2 spam messages a month I dont mind.

I dont get any on my gmail account, whatever they are doing must be good too.

[MrCT]

Spam? No Spam here!

Since signing up with LastSpam last summer my five partners and I have gone from hundreds of spam per day down to maybe one (yes 1) every two to three weeks.

False positives? Yeah, we had one two months ago.

Our combined "white list" has 16 entries...which we haven't touched in months. There is zero administration on our side...all we do is happily pay a very reasonable bill every month.

All our incoming mail is directed to LastSpam's servers which check for spam and viruses and then forward the messages on to our mail server. The lag is hardly noticeable.

If you've got your own mail servers or outsource but have your own URL there is no reason to complain about spam.

[Lee in San Diego]

Filters do not stop it

Filters do not stop spam, they help keep it from appearing in the
inbox, but it still takes up bandwidth the cost if which is passed
on to us.

Stopping spam means stopping it at the source. Maybe this will
work; convince our politicians that spamming is a form of
terrorism and that their reelection is contingent in stopping
spam.

At this point it is time for someone to pipe up with the spam is
free speech and that we should just roll over and take it.

[spainma]

RE: Filters do not stop it

I disagree.

Spam is so common because it is able to work past the filters and into our inboxs. If spam were to be (very) effectively filtered, than the benefit of producing the messages in the first place would be negated.

Take away the benefit of spam and maybe the advertisers will look elsewhere for places to spend their dollars.

[spainma]

An Effective (and time consuming) Anti-Spam Method

I got his idea from Yahoo! Mail where it allows the creation of disposable email addresses. I have been completely addicted and create a different email for everyone, literally hundreds of email address, which are all delivered to the same inbox. When I see spam, I delete the email address and decide whether to issue the holder a replacement address.

Spam free for two years...

If someone could design an efficient process for this method of Spam prevention, I think the spam war would be won.

[sjkx]

yep

I also use unique addresses to help counteract/identify spam and
agree with you that's it's both effective and time-consuming.
Actually, most of it's blocked by servers before it ever reaches my
client client so I've considered significantly reducing the number of
addresses.

[davehb0909]

Best spam protection I've found

I've used SpamArrest (www.spamarrest.com) for the past three years and my life has been a whole lot more enjoyable ever since. Some people say they don't like the way these services work but I have found it to be a lifesaver. 81.24% of the messages I have received since signing up have been spam. Over 360,000 messages that never hit my inbox! It's amazing!

[t8]

Gmail is the best protection

I think the time has come that using utility services is the way. Trying to do it all yourself is possible but too cumbersome.

I use "bring your own domain" to Gmail and it works great. I get to use apps, Picasa, and anything else they bring out too. It is taken care of.

[AndrewRich]

Agreed, Gmail

I pipe all of my accounts through Gmail and then retrieve via secure POP3. I see perhaps one or two spam messages a month over all six accounts.

me@mydomain -> Gmail -> secure POP3.
secure SMTP -> Gmail -> recipient.

[Gabey8]

My two best spam-protected email accounts are on AOL and Gmail

AOL and Gmail do a great job of filtering out garbage.

All I have to do is remember to take a peek at the spam folder on a regular basis, just to make sure that a false-positive didn't occur and a note I actually want didn't get filtered. But in both cases, there aren't a lot of false positives to speak of.

Now and then, a small burst of spam will sneak in -- an occasional note asking me to be the agent who transfers foreign funds into my bank account, a note that I've won a lottery I never entered, offers for meds for body parts I haven't got, that sort of thing. But before long, AOL/Gmail tweak their filters and the junk mail stops arriving again.

My $0.02 -- both of those email services do a great job at keeping the vast majority of spam out of my inboxes. And I don't have to do a darn thing except check the spam folders now and then.

[The_Decider]

Is it worth it?

Give up your privacy to a company that constantly abuses it?

No thanks.

[Penguinisto]

Replace SMTP.

Until you ditch SMTP and replace it with something usable, Spam will always be a pain in the arse.

Sorry, but that's kinda what happens when everyone relies on an inherently vulnerable and too-trusting protocol.

/P

[ynotbecreative]

Finally, someone with some sense here.

smtp was great in its day, but desperately needs a replacement.
THe only problem with this is that the big boys (Symantec, MS, etc.)
will unfortunately end up making the decisions on what we will use
globally, as it would need to be a strong standard, or it would
never be used. The next problem is that none of these get along
with each other, further aggravating the situation. The solution is
consumers and service providers need to stand up and actually do
something, not just talk about it.

[sjkx]

SMTP deemed dysfunctional

Any ideas what that "something usable" replacement for SMTP
might be? How is it possible to preserve the 'S' (Simple) in SMTP
that makes the protocol such a double-edged sword?

[joebuff75]

tried everything, settled for an appliance

We've been running our family ISP business for 13 years now
and I'm in charge of the mail servers. During the last years,
spam got really bad and I needed to do something about it to
protect the 5000 users we've got on our servers.

At first, I started using SpamAssassin with lots of rules from SA
Rules Emporium. I've written some custom ones to accommodate our clients. Activating the Bayesian database
helped, but needed constant monitoring. I wrote my own custom
solutions and tried other filter systems out there. Spam-fighting
was taking over my life.

The combination of SpamAssassin, MailScanner, greylisting and
Vispan helped to cut down on the spam, but then the image
spams, PDF spams etc started appearing.

I decided that I wanted to outsource some parts of the spam
fighting and we bought a Barracuda Spam Firewall 600. This
device updates the anti-spam definitions once per hour and
employs lots of different tricks to keep the mailboxes spam and
virus free.

Since January 4th 2007, that Barracuda box received 71,273,586
messages of which 2,771,036 were non spam messages. 66,524,670 messages were blocked outright (using RBL,
Barracuda energizer updates and custom filters).

One of my cousins wants to buy a Barracuda for his employer as
well after I told him that I cut down my time managing our mail
servers and my own e-mail messages from approx. 700
hours/year to 270 hours/year. That's a lot of time that can be
used for nicer things in life.

Although the Barracuda is not yet perfect, it's getting there with
the latest firmware releases. I still wish there was a solution to
designate a domain administrator to manage all users under a
given domain instead of one central admin account. We've got
1500 domains on our Barracuda and I'm still in charge of
managing them all.

We thought, that most of our users would appreciate to manage
their own filters and spam score, but so far only 10% have
created their quarantine mailbox to hold suspicious mails. Users
don't want to deal with spam themselves and let their ISP's
handle the work -- they will complain on false positives
though... however out of those 70 million messages, we only had
a few false positives in the beginning.

Overall, I can recommend the Barracuda Spam Firewall but it
comes at a price...

[frnkblk]

Re: tried everything, settled for an appliance

How is it that 5000 users have 1500 domains? We have the same number of subscribers, but one-tenth the domains.

I second you on the domain administration -- this feature desperately needs to be added.

Frank

[JCPayne]

WORDS I FOUND WORK GREAT FOR AUTO-DELETING SPAM.

"Loans"
"pills"
"bigger"
"degrees"
"free"
"deals"
"satisfy her"

[Radish555]

Boxtrapper - solved our problem

We only host our family domain at a host that offers Boxtrapper. It's an automated white list system that has been nearly 100% effective (3 spam e-mails total across all accounts in 2+ years).

Look for it at hosts that use CPanel.

Radish

[Phillep_H]

False positives

Two companies I deal with that keep getting hit with false positives absolutely refuse to change their email from HTML to plain text.

Alaska Airlines has to be the worst offender, and the stupidest.

[consultant_msp]

MX redirection

We refer our clients to a service called SecureTide by AppRiver they have great filter and their support is remarkable. We have had clients that were looking to walk away from email altogether and have tried the free 30 day trial and will not give it up. Everyone from sales staff to hosting support always have been knowledgeable, helpful, friendly and proactive. These are qualities that seem to be sorely lacking these days with other companies. Very reasonably priced also. My 2 cents worth for what it is worth.

[SeizeCTRL]

Blue Frong :(

I really liked the idea behind Blue Frog. Wish someone would get around to another way to get even. Attacking the spammers and the sites they bombard you with seems only fair.

If we DDoS every site that pops up in spam, eventually some of them would just give up.

[SeizeCTRL]

oopsie on the typo... BLUE FROG!!!

man, can't believe I didn't catch that! FRONG? ***! :)

[CurtMonash]

Ferris Research says go with GoogleMail

David Ferris and Richi Jennings of Ferris Research both told me to go with GoogleMail. (Free; just move your MX record.) Ferris Research itself is doing the same thing. And they're pretty much the top experts in the email field.

So of course I did the same thing, as per http://www.monashreport.com/2008/01/04/early-thoughts-on-outsourcing-to-google-mail/ Antispam is MUCH better than SpamAssassin and so on. Other problems are also less than before. (Before I went through my hosting company.)

For a small business, I have no doubt this is the best solution. How small is the cutoff? That I couldn't say.

CAM

[sjkx]

workable, at least for me

Which addresses I choose to give different people depends on the context. If necessary I
can make one up on the fly, though often it's fine giving someone a pre-existing generic
one and if we continue correspondence I may create a more permanent one. And I've got
plenty of addresses that are recipient-only; I'll never send from them.

It's not a spam/phishing countermeasure for common addresses that businesses might
typically publish/use, e.g. info@, sales@, etc. Those are targeted by spammers even if
they're *not* published just by the merge existence of a domain.

Most people are satisfied with the simplicity of using a single email address, though even
many of my technically disinclined family and friends have registered domains they use at
least for that purpose. If they're committed to using their own domain I might suggest
they add a few additional addresses for specific purposes, e.g. financial institution
correspondence, depending on how (in)effective the anti-spam/phishing is, the volume
of email, and other factors.

Anyway, none of these kind of methods are genuine long-term solutions for an
underlying spam problem preying on vulnerabilities of a formerly trustable SMTP-based
email infrastructure that now seems insanely dysfunctional in comparison.

[swaneys]

It's silly to still get spam

There is no reason for a business to get any more than a few pieces
of spam a day even though we calculate that over 90% of all
internet email traffic is spam. Open source solutions like
MailScanner are very effective and available at no cost. Check out
www.Mailscanner.info. A low cost propriety solution based on Mailscanner is available at www.fsl.com. This solution guarantees
+99% spam detection.

[My-Self]

THE SOLUTION TO SPAM (and why nothing is done)

http://www.spamhaus.org/Rokso/

Here is the ROKSO list of the 110 most active spammers/spam gangs responsible for 80% of all spam. Beyond spam, the vast majority are engaging in various frauds, deception, misrepresentation, illegal traffics, extorsion, trademark & copyright infringement, etc ... They could be arrested anytime, on any of those charges (no need for new spam specific laws, even if properly written laws could do no harm).

To understand why nothing is done about them, the key is to find where is the real money in the spam business. Is it the guy selling fake viagra ? the shady host taking money from him ? Russians reselling botnets ? all those respectable corporations making huge money with their expensive antispam solutions ?
Who can successfully lobby politicians one way or the other ?

On the (medium size) mail servers I manage, I filter with zen.spamhaus.org http://www.spamhaus.org/zen/ (catch all known pure spam sources, and most botnet spam). That removes between 75 & 85% of all incoming messages. Those getting through are handled by spamassassin with RBLs and a few additional rules. since spamassassin runs on a small portion of the mail intake, the load is manageable. Spamassassin is configured for ham / spam / spam+ / spam++ / quarantine. Most mail end up either in ham or quarantine. very few are marked and left for the user to see. FPs for quarantine are exceptional, and all those I've seen were people exchanging copies of spams for various reasons. That sure needs some regular maintenance, but the spam level seen by the users is very low and it avoids feeding those with a vested interest in the perpetuation of spam.

[dwhodge]

RBLs & Greylisting

I also use a number of RBL's (Realtime Black Lists, see http://spamlinks.net/filter-dnsbl-lists.htm) which dramatically reduced the amount of spam my system has to process by rejecting spam at the point of entry. As a second tier, I also use greylisting (http://greylisting.org/) which initially rejects unknown incoming mail with a 'try again later' message that relies on the fact that most bulk junk mailers won't attempt a resend.

While I have used spamassassin in the past, I found while it did a reasonably good job it used up too much processor time. Once the mail has entered the system it has proven to be more processor efficient to just filter the few remaining junk emails at the client level.