ietf-asrg

Re: [Asrg] spam down?

2013-01-30 08:27:20
I'm late to the party but as opinionated as ever....

On Sat, Jan 26, 2013 at 11:03 AM, Chris Lewis 
<clewis+ietf(_at_)mustelids(_dot_)ca> wrote:
On 13-01-26 08:38 AM, Michael Thomas wrote:
There was a little side box in the current Economist that spam was
down from 80+% to 67% and credited it to, among other things
"sophisticated authentication" which I assume means DKIM and SPF.

First is there actual evidence that spam is on the wane? And if so,
does it actually have to do in part with authentication? I'd be
ecstatic to hear that the latter was true, but correlation is not
causation.

On the wane ... how?  Is the real question.

Absolute volumes have indeed changed, as this graph (and many others) show:

http://cbl.abuseat.org/totalflow.html

but that doesn't tell the whole story.


Agreed

The reality is that authentication (we're talking DKIM/SPF/DMARC) has
relatively little effect.  They're pretty easy to make irrelevant.


I think it depends on what you mean by "relatively little effect".
From my perspective - given the current state of adoption - it may not
have an effect on the overall ecosystem but it is certainly pushing
the bad guys from abusing (sending) domains that are implementing
strong email auth efforts to ones that are not. My comment is a
generalization but I see it with the domains I work with and I think
those who watch abuse against financials see similar behavior. The bad
guys still test but at the end of the day it is about ROI for them as
much as it is for a legitimate business.

It would be interesting to see (I don't have the data) if there is any
kind of shift from sending spam targeting accounts at mailbox
providers that validate to targeting (preferentially) accounts at
mailbox providers that don't.

There are fewer bot families than there used to be.  Bot takedowns have
made major inroads.   Still, there are a couple left that can dwarf what
we've seen before _if_ it was attractive to fire them off.  Kelihos and
Festi are bigger than Rustock or Srizbi ever were.  The defenses we have
for bots are well-developed and widely-deployed.  The ROI has declined
markedly, so the bot armies are often left idle.


True. It may also be true that the bot armies are being put to other uses.

What we're seeing instead, is an evolution from the massive
scatter-gunning of a Rustock infecting a home computer, to that of
compromised servers, compromised user accounts etc.  These are harder to
deal with, harder to stop, harder to filter.


"We" should certainly be blocking on malicious URLs even if they are
at otherwise legitimate sites. And if legitimate sites show a pattern
of not addressing their problems then they should be blocked as well.
This is no different than the open relay problem. I've had my share of
issues over the years but I think most folks would say that I pay
attention and deal with problems expeditiously.

So, while there are fewer spams in the Internet, I strongly suspect that
more of them are getting through.


I think it varies by mailbox provider.

Spammers may not be spamming as much but they are spamming "better".


Darwin was right.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
