In April, we started to go through our spamtraps (E-mail addresses designed to collect spam), to find out which spam tests were most effective at catching spam. The results this month are based on over 13,000 spams that were received, all in October, 2002. In October, our spamtraps received 18% more spam than in August (September was 10% more than August, August was 15% more than July, and July was about 15% higher than June). In October we received 3.5x the amount of spam that we received in January.

The following is a list of tests that we run against the E-mails arriving at the spamtrap, and what percentage of the spam they caught (it will be easier to read if you use a fixed-width font):


WEIGHT10 98.82%
SNIFFER 91.98%
WEIGHT20 91.67%
SPAMCOP 69.68%
XBL 50.67%
MAILDEFLECTOR 46.99%
REVDNS 43.58%
SPAMHEADERS 38.82%
MONKEYPROXIES 31.18%
DORKZTL 29.82%
HELO 28.79%
HEUR10 27.18%
NJABL 26.92%
NOABUSE 26.82%
NOPOSTMASTER 26.60%
BADHEADERS 23.88%
OSSRC 22.56%
DSBLALL 17.69%
OSPROXY 16.22%
SPAMHAUS 16.03%
DSBL 15.86%
HEUR9 15.20%
BLARSBL 14.57%
WIREHUB-DNSBL 13.98%
ROUTING 12.83%
IPWHOIS 12.58%
BLITZEDALL 11.19%
OSRELAY 11.03%
DNSRBL-SPAM 10.92%
ORDB 10.29%
KUNDENSERVER 10.06%
OSSOFT 8.74%
BLITZEDHTTP 8.26%
DORKS 7.74%
RSL 7.56%
BASE64 7.38%
BADWHOIS 7.09%
VOX 4.53%
DEVNULL 4.44%
DNSRBL-DUN 3.78%
BLITZEDSOCKS 3.72%
KITHRUP 2.92%
DSN 2.81%
NJABLDUL 2.64%
DELINK 2.64%
FABELSOURCES 2.22%
DSBLMULTI 2.02%
MAILFROM 1.86%
COMPU 1.27%
PIGS 1.21%
INTERSIL 1.13%
OSDUL 0.80%
DORKRELAYS 0.71%
FIVETENDUL 0.56%
MONKEYFORMMAIL 0.39%
FIVETENIGNORE 0.37%
FIVETENSRC 0.29%
BLITZEDWINGATE 0.16%
FIVETENOPTIN 0.14%
LNGSDUL 0.12%
SPAMBAG 0.11%
WIREHUB-DYNA 0.05%
DNSUCE 0.02%
FIVETENWEBFORM 0.01%
JIPPG-DUL 0.01%
LNGSBLOCK 0.01%
FIVETENOTHER 0.01%
FIVETENMULTI 0.01%
FLOWGO 0.01%


The WEIGHT10 and WEIGHT20 tests are just a weighting system that assigns a weight to each E-mail, based on the spam tests that fail, so they don't really count as spam tests by themselves (although they do catch the most spam). It's also important to note that different tests are more likely to produce false positives (such as the XBL, REVDNS, and SPAMHEADERS tests, that all catch a lot of spam); those tests are best used in a weighting system, so E-mail will only be marked as spam if it fails a combination of tests.

The two best tests by far are SNIFFER ( http://www.sortmonster.com ) at 91.98% and SPAMCOP ( http://www.spamcop.net ) at 69.68%.

An interesting detail from this list is that over 7% of spam fails the BASE64 test, which detects text or HTML that is specially encoded just so that it can bypass filters.

More information on most of the various spam tests shown above can be found at http://www.declude.com/junkmail/support/ip4r.htm . You can look up an IP address using the Spam Database Lookup tool at http://www.DNSstuff.com . The most recent 20 spams in our spamtraps, and the tests they failed, can be found at http://www.declude.com/spamtrap.htm .

-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for IMail. http://www.declude.com
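
An added example, not part of the original post and not Declude's code: a Python sketch of the BASE64 test feeding a weighting system like the one described above. The weights, the thresholds of 10 and 20 (inferred from the names WEIGHT10 and WEIGHT20), and the "decodes to plain 7-bit ASCII" heuristic are all assumptions.

```python
import base64
from email import message_from_string

# Hypothetical weights; the post does not publish the real ones.
WEIGHTS = {"BASE64": 5, "REVDNS": 4, "SPAMHEADERS": 4, "SPAMCOP": 8}
THRESHOLDS = {"WEIGHT10": 10, "WEIGHT20": 20}  # assumed from the test names

# Constructed sample: an ASCII-only HTML body that has no need for base64.
SAMPLE = (
    "From: sender@example.com\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(b"<html><body>Buy now</body></html>").decode() + "\n"
)


def needless_base64(raw_message):
    """True if a text/plain or text/html part is base64-encoded although
    its decoded bytes are plain 7-bit ASCII, so the encoding only hides
    the content from filters that match on the raw body."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue  # also skips multipart containers
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte != "base64":
            continue
        decoded = part.get_payload(decode=True)
        if decoded and all(b < 0x80 for b in decoded):
            return True
    return False


def evaluate(raw_message, other_failed=()):
    """Add BASE64 to the tests already failed, then sum the weights."""
    failed = set(other_failed)
    if needless_base64(raw_message):
        failed.add("BASE64")
    total = sum(WEIGHTS.get(name, 0) for name in failed)
    hits = [name for name, limit in THRESHOLDS.items() if total >= limit]
    return total, hits
```

With these weights, BASE64 alone or together with REVDNS stays under both thresholds; only a combination of failed tests trips WEIGHT10 or WEIGHT20.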
