Re: Spam Percentages
Martin Hepworth wrote:
> Hamie wrote:
>> Martin Hepworth wrote:
>>> Fred wrote:
>>>> Ben Hanson wrote:
>>>>> Shortly after the first of the year, I noticed the percentage of spam messages for our organization dropped consistently by 10-15%.
>>>>
>>>> Ben
>>>>
>>>> I see between 83-85% spam. We use SARE rules + my own home-brew rules + the new BLACK uribl lists + unreleased SARE rules. In the past 24 hours the numbers are:
>>>>
>>>> spam-reject 55,967
>>>> mail-in 11,089
>>>> total-mail 67,056
>>>>
>>>> Viruses not included in this count, it would skew things due to the recent increase in new viruses lately.
>>>>
>>>> http://www.rulesemporium.com might have some helpful rules for you to add to your setup.
>>>>
>>>> On another topic, I see just as many user-unknowns as I reject spam. That's cause we are an ISP and customers like to switch stuff around often ;)
>>>>
>>>> Frederic Tarasevicius
>>>> Internet Information Services, Inc.
>>>> http://www.i-is.com/
>>>> 810-794-4400
>>>
>>> Fred
>>>
>>> 70% of my inbound traffic is for unknown users, 20% spam/malware and 10% real mail.
>>
>> How do you count 'unknown users'? Accurately I mean...
>
> I can examine the reject log in exim to get counts.
>
>> Assuming you don't accept email in the first place if the user is unknown (Or you might I guess, but it seems like un-necessary processing to me) most spammers that I can see in our logs just keep re-trying again & again & again...
>
> yes, but given 70% of my inbound traffic is a pretty constant figure I'm not seeing this.
>
> also rejecting 70% of my traffic on MTA connection the small amount of processing to lookup valid email address is way way less than having to SA scan all these emails.

Ah yeah... That's what I meant. I re-read my sentence. I may have been ambiguous & made it look like I considered validating the addresses to be un-necessary.

>> For example on our mail server I reject far more than I accept. Yet the rejects are in most cases repeated. As spammers appear to be a thick bunch & don't take a 5xx very well.
>>
>> Currently I have 'discussions' with various people round here over the fact that we 'only' catch about 5-10% of our total accepted email in SA as spam, yet MessageLabs et al always like to quote the (To me) alarmist figures of 80% email is spam etc. But then we reject email from un-verified addresses and don't accept email for unknown users at the border MTA, not at SA. (And so don't have an accurate count of them).
>>
>> H
>
> lucky you, even taking out the unknown users I'm running 75% spam on my inbound.

The only thing I can think of (Since I can't see 70% of delivered mail being spam) is that I have a user population that doesn't get spammed very much. Probably because most of them only have an internet presence for business emails & nothing else. Thus their mail addresses don't get harvested.

Plus the sender validation of course. That seems to block a lot of inbound spam.

H
Re: Spam Percentages
Hamie wrote:
> Martin Hepworth wrote:
>> Fred wrote:
>>> Ben Hanson wrote:
>>>> Shortly after the first of the year, I noticed the percentage of spam messages for our organization dropped consistently by 10-15%.
>>>
>>> Ben
>>>
>>> I see between 83-85% spam. We use SARE rules + my own home-brew rules + the new BLACK uribl lists + unreleased SARE rules. In the past 24 hours the numbers are:
>>>
>>> spam-reject 55,967
>>> mail-in 11,089
>>> total-mail 67,056
>>>
>>> Viruses not included in this count, it would skew things due to the recent increase in new viruses lately.
>>>
>>> http://www.rulesemporium.com might have some helpful rules for you to add to your setup.
>>>
>>> On another topic, I see just as many user-unknowns as I reject spam. That's cause we are an ISP and customers like to switch stuff around often ;)
>>>
>>> Frederic Tarasevicius
>>> Internet Information Services, Inc.
>>> http://www.i-is.com/
>>> 810-794-4400
>>
>> Fred
>>
>> 70% of my inbound traffic is for unknown users, 20% spam/malware and 10% real mail.
>
> How do you count 'unknown users'? Accurately I mean...

I can examine the reject log in exim to get counts.

> Assuming you don't accept email in the first place if the user is unknown (Or you might I guess, but it seems like un-necessary processing to me) most spammers that I can see in our logs just keep re-trying again & again & again...

yes, but given 70% of my inbound traffic is a pretty constant figure I'm not seeing this.

also rejecting 70% of my traffic on MTA connection the small amount of processing to lookup valid email address is way way less than having to SA scan all these emails.

> For example on our mail server I reject far more than I accept. Yet the rejects are in most cases repeated. As spammers appear to be a thick bunch & don't take a 5xx very well.
>
> Currently I have 'discussions' with various people round here over the fact that we 'only' catch about 5-10% of our total accepted email in SA as spam, yet MessageLabs et al always like to quote the (To me) alarmist figures of 80% email is spam etc. But then we reject email from un-verified addresses and don't accept email for unknown users at the border MTA, not at SA. (And so don't have an accurate count of them).
>
> H

lucky you, even taking out the unknown users I'm running 75% spam on my inbound.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **
Re: Spam Percentages
Hamie wrote:
> How do you count 'unknown users'? Accurately I mean...
>
> Assuming you don't accept email in the first place if the user is unknown (Or you might I guess, but it seems like un-necessary processing to me) most spammers that I can see in our logs just keep re-trying again & again & again...

We block unknown users at our MXes (sendmail using mailer-table?), then with MIMEDefang and GraphDefang, I just added a directive (in GraphDefang) to have it process the logs and produce a graph based on the text produced by sendmail when we have an unknown user attempt.

It's elementary ;) hehehe couldn't resist.

Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
Re: Spam Percentages
Martin Hepworth wrote:
> Fred wrote:
>> Ben Hanson wrote:
>>> Shortly after the first of the year, I noticed the percentage of spam messages for our organization dropped consistently by 10-15%.
>>
>> Ben
>>
>> I see between 83-85% spam. We use SARE rules + my own home-brew rules + the new BLACK uribl lists + unreleased SARE rules. In the past 24 hours the numbers are:
>>
>> spam-reject 55,967
>> mail-in 11,089
>> total-mail 67,056
>>
>> Viruses not included in this count, it would skew things due to the recent increase in new viruses lately.
>>
>> http://www.rulesemporium.com might have some helpful rules for you to add to your setup.
>>
>> On another topic, I see just as many user-unknowns as I reject spam. That's cause we are an ISP and customers like to switch stuff around often ;)
>>
>> Frederic Tarasevicius
>> Internet Information Services, Inc.
>> http://www.i-is.com/
>> 810-794-4400
>
> Fred
>
> 70% of my inbound traffic is for unknown users, 20% spam/malware and 10% real mail.

How do you count 'unknown users'? Accurately I mean...

Assuming you don't accept email in the first place if the user is unknown (Or you might I guess, but it seems like un-necessary processing to me) most spammers that I can see in our logs just keep re-trying again & again & again...

For example on our mail server I reject far more than I accept. Yet the rejects are in most cases repeated. As spammers appear to be a thick bunch & don't take a 5xx very well.

Currently I have 'discussions' with various people round here over the fact that we 'only' catch about 5-10% of our total accepted email in SA as spam, yet MessageLabs et al always like to quote the (To me) alarmist figures of 80% email is spam etc. But then we reject email from un-verified addresses and don't accept email for unknown users at the border MTA, not at SA. (And so don't have an accurate count of them).

H
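
The measurement question raised in this message (retried rejects inflate "unknown user" counts, and rejecting at the border MTA changes what "percent spam" means), worked through as an added example that is not from any poster in the thread. It assumes a constructed four-field event format and hypothetical verdict names, not exim or sendmail log syntax.

```python
from collections import Counter

# Constructed sample: "verdict client_ip sender recipient", one SMTP attempt per line.
# This four-field layout and the verdict names are assumptions for the example;
# they are not exim or sendmail log syntax.
SAMPLE_LOG = "\n".join(
    ["reject_unknown 192.0.2.10 a@bulk.example nobody@corp.example"] * 4   # retries
    + ["reject_unknown 192.0.2.11 b@bulk.example sales1@corp.example"] * 2
    + ["reject_unknown 198.51.100.7 c@bulk.example old.user@corp.example"]
    + ["reject_sender 198.51.100.9 forged@bulk.example alice@corp.example"]
    + ["accept_spam 203.0.113.5 d@bulk.example alice@corp.example"]
    + ["accept_ham 203.0.113.20 bob@partner.example alice@corp.example"] * 9
)

def parse(log):
    """Return (verdict, ip, sender, recipient) tuples, skipping malformed lines."""
    return [tuple(p) for p in (line.split() for line in log.splitlines()) if len(p) == 4]

def pct(part, whole):
    return round(100 * part / whole, 1) if whole else 0.0

def summarize(events):
    raw = Counter(e[0] for e in events)
    # A retry is the same rejected (verdict, ip, sender, recipient) seen again,
    # so a set of reject tuples counts each distinct attempt once.
    unique = Counter(e[0] for e in {e for e in events if e[0].startswith("reject_")})
    accepted = raw["accept_spam"] + raw["accept_ham"]
    rejected = sum(raw.values()) - accepted
    rejected_unique = sum(unique.values())
    spam = raw["accept_spam"]
    return {
        "unknown_raw": raw["reject_unknown"],
        "unknown_unique": unique["reject_unknown"],
        # What the content filter sees: spam share of mail the border MTA accepted.
        "spam_pct_of_accepted": pct(spam, accepted),
        # Border view: every rejected attempt plus tagged spam, over all attempts.
        "unwanted_pct_of_attempts": pct(rejected + spam, rejected + accepted),
        # Same, with retried rejects collapsed to one attempt each.
        "unwanted_pct_deduped": pct(rejected_unique + spam, rejected_unique + accepted),
    }

if __name__ == "__main__":
    for name, value in summarize(parse(SAMPLE_LOG)).items():
        print(f"{name}: {value}")
```

On the constructed sample the same traffic reads as 10% spam when measured over accepted mail and 50% when measured over all SMTP attempts, which is why figures from sites that reject at different stages are not directly comparable.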
Re: Spam Percentages
Fred wrote:
> Ben Hanson wrote:
>> Shortly after the first of the year, I noticed the percentage of spam messages for our organization dropped consistently by 10-15%.
>
> Ben
>
> I see between 83-85% spam. We use SARE rules + my own home-brew rules + the new BLACK uribl lists + unreleased SARE rules. In the past 24 hours the numbers are:
>
> spam-reject 55,967
> mail-in 11,089
> total-mail 67,056
>
> Viruses not included in this count, it would skew things due to the recent increase in new viruses lately.
>
> http://www.rulesemporium.com might have some helpful rules for you to add to your setup.
>
> On another topic, I see just as many user-unknowns as I reject spam. That's cause we are an ISP and customers like to switch stuff around often ;)
>
> Frederic Tarasevicius
> Internet Information Services, Inc.
> http://www.i-is.com/
> 810-794-4400

Fred

70% of my inbound traffic is for unknown users, 20% spam/malware and 10% real mail.

The figures are even worse if I remove the various email lists I'm on like this one :-)

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
Re: Spam Percentages
Ben Hanson wrote:
> Shortly after the first of the year, I noticed the percentage of spam messages for our organization dropped consistently by 10-15%.

Ben

I see between 83-85% spam. We use SARE rules + my own home-brew rules + the new BLACK uribl lists + unreleased SARE rules. In the past 24 hours the numbers are:

spam-reject 55,967
mail-in 11,089
total-mail 67,056

Viruses not included in this count, it would skew things due to the recent increase in new viruses lately.

http://www.rulesemporium.com might have some helpful rules for you to add to your setup.

On another topic, I see just as many user-unknowns as I reject spam. That's cause we are an ISP and customers like to switch stuff around often ;)

Frederic Tarasevicius
Internet Information Services, Inc.
http://www.i-is.com/
810-794-4400
Spam Percentages
Shortly after the first of the year, I noticed the percentage of spam messages for our organization dropped consistently by 10-15%. We had been averaging 60 to 65% for the last year or so, ever since I began with SA, right up until then, when it dropped consistently to just over 50%. I didn't really question it, as I saw no effective change in user mail. Just before 3.0.3 was released, I suddenly noticed an increase in these numbers, and now we are averaging 70 to 72% spam incoming on weekdays. At the same time, I've seen more Nigerian type and medication type spams hitting my inbox.

Since SA tagging percentages are up, and I have made no configuration changes, I'm not seeing any failure or errors necessarily, but I'm very curious if others saw a similar pattern in these time frames at all, and if it's possible some network tests are returning fewer hits or something that would cause thresholds not to be hit, despite spam tagging, that would otherwise have caused my delete rules to kick in? I have pretty much everything enabled with no errors, and all the usual services (Razor, DCC, Pyzor, etc) all seem happy and responsive.

This is truly more a curiosity than a need for assistance, so nobody break anything thinking too hard on this one!

Ben