CAN-SPAM One Year Later?

BigPoppaT asks: "Computerworld has an article reviewing the effectiveness of CAN-SPAM one year after it passed. In the article several anti-spam companies cite spam as a huge (and increasing) percentage of the total e-mail load. Most state that it is more than 50%, and some are saying as much as 75%. (This matches what I see in other articles on the subject.) Are these figures reasonable? I do not work for an ISP or maintain a mail server, but speaking as an end-user, I do not have anywhere near this much spam - more like 5 to 10 items a week (out of a few hundred messages). This is in my personal email - I do not recall ever receiving any spam in my work inbox. If the numbers above are reasonable, I wonder why I get so little spam? I am on a number of mailing lists, and have purchased things online, so it is not as if I have gone too far out of the way to hide my email address. I am not complaining, mind you, I just think it would be useful for the Slashdot readers who deal with this in an administrative capacity to explain it to the rest of us. Are the spam numbers being inflated by these anti-spam groups as a marketing tool? (This is not a rhetorical question - I really am not in a position to evaluate this, so those who know, please fill the rest of us in.)"

Users and their Spam

[bfizzle]

No. "Users" like their free crap. So they are willing to give out their e-mail address because it seems inocent enough. Then 2-3 months later they get their "free" spam and still haven't learned their lessons.

75 % accurate

[Red_Winestain]

I'm a faculty member at a large university, and about 75% of my email is spam. (This is based on the number of emails in my spam folder versus the number of emails in my inbox.) My email is on multiple web pages, on every syllabus I hand out, and in various directories.

By playing around with permutations of my email address, I find that a large chunk comes from infected colleagues' and students' computers. Relatively little comes from web crawlers. I also get a burst at around 8:00-8:15 when the staff members turn their machines on, and another burst a little later as faculty drift in. During the holidays, the rate goes way down.

Re:75 % accurate

[Paul d'Aoust]

I'd just like to add my own stats to the discussion: my 'signal-to-noise' ratio is pretty low too, about 1:20. what does that work out to? uhhhhhh... I can't do math right now. 95% -- that sounds about right. Ninety-five percent spam.

I notice that the vast majority of it appears during the night time, so I receive it when I turn my computer on in the morning. Maybe it's because I'm on the west coast, and all the security-unconscious computer users on the eastern seaboard (and the rest of the continent) tur

oop

[Paul d'Aoust]

just an addendum: I should mention that these figures are based on the average day, in which I see about 120 spam messages and six real messages.

Admins and generic addresses get it worst

[eddy the lip]

Have you ever registered a domain? Nearly all the spam I get is to an address I only use for registering domains. I'm careful with my primary addresses, and receive nearly nothing on them.

A lot of spam that hits the system you'll never see as well. A big chunk of spam lists have bad or nonexistent addresses in them. There's usually some poor schmuck (here, that's me) that has to check and see if an Important Business Contact just can't type, or if all those emails to betty1@example.com, betty2@example.com, etc. are aimed at insecure men.

Other popular targets for spam are sales@, info@, support@....etc. so unless you're responsible for one of those, that's more spam you won't see.

Lucky bastard.

Re:Admins and generic addresses get it worst

[BigPoppaT]

I have registered a domain. Just about the only spam I get is actually for two e-mail addresses posted on the main page of my website - webmaster@(domain) and list@(domain) I think that, once or twice, I've received spam at (nonexistent)@(domain), but very rarely.

(Given the volumes everyone is talking about here, I'm not too excited about actually putting those addresses here!)

I have another email address that I use for the various mailing lists, and don't get any spam there. I have a Yahoo account fo

Re:Admins and generic addresses get it worst

[eddy the lip]

Fortunately, I'm not in that league yet, although I've noted a dramatic increase in the last few months. I'm more in the 300 a week category, but at the rate things are going...Thunderbird is doing a pretty good job nailing spam for me. It's catching around 80% currently, and I haven't had a false positive yet.

One thing you might want to consider for posting email addresses on your site is to encode it with javascript. It's not guaranteed (if a browser can decode it, a harvester can), but it significant

Re:Admins and generic addresses get it worst

[wayne606]

Just put a gif with a picture of your email address... People will have to type it by hand if they want to send you email but it makes it pretty hard to harvest.

Spam levels vary widely

[theCoder]

A year ago, I was in the same boat as the poster, with about 5-10 spams a week. Now, I'm getting closer to that many a day. It's annoying, but not unmanageable. For my part, I'm grateful that my spam load is much lower than some people have reported. The key benefit (besides less spam, of course :) is that all the anti-spam tools that have been developed to handle more spam easily take care of the compartatively little spam amount I get. In any case, I don't doubt that the huge numbers given for spam l

PGP signing

[AMystery]

I do PGP sign my mail, at least whenever http://enigmail.mozdev.com/ [mozdev.com]enigmail is updated for the latest version of http://mozilla.org/products/thunderbird/ [mozilla.org]thunderbir d. I have found that it causes problems. AOL has classified some of my mails as spam because of the PGP signiture. Apparently they can't differentiate between a PGP sig and random characters to fool filters. It hasn't been reported that other mails have been lost for the same reason, but it seems like a valid assumption.

Anyone else noticed t

Accurate figures

[crisco]

Accurate figures are difficult to come by. But some of us do get those kinds of volumes of spam. One of my mailboxes averages almost 10 an hour. A few others approach that rate, I'm not really sure as I've got several layers of spam filtering in place now. Other accounts that have not been as well exposed online get much less spam.

You may have successfully protected your email address and have ordered from businesses with some degree of integrity. You may also have a spam filter in place somewhere.

Maybe not inflated, but certainly skewed

[Zocalo]

Let's face it, if spam isn't a big problem for you, then why would you want to pay money to BrightMail or some other spam filtering service in the first place? I think it's a pretty reasonable assumption that a large percentage of spam filtering services' customers have a problem with spam that they feel unable to cope with themselves. By definition then, they will have an above average percentage of spam in their legitimate email.

some get it, other don't

[bonezed]

I must be lucky, or have good filters :)

I rarely get spam, whereas my workmates get an average of 100 spams a week

Alot of spam..

[LaRIC]

I get approx 3000-4000 spam per day.
Training spam filters are taking some time.

anecdotes != data...

[the quick brown fox]

...but I get about 125 spams a day, and about 20 real e-mails. I'm pretty sure my e-mail address has been harvested from at least the following sources:

domain name registrations
online fora and blog comments
usenet

Yeah, I leave my real e-mail address in all of those places. I used to be more careful, but SpamBayes is so good, spam just isn't a problem for me.

Numbers are accurate.

[Bamfarooni]

I work in academia. My email ends up on things like conference abstracts and journal articles, not to mention the University's on-line directory.
I get, on average, 300 emails per day, Over 250 of which are spam. Spam-assassin catches maybe 90% of those.

You probably have filters at the ISP level

[hlh_nospam]

I have several email accounts. The ones that I have through my ISP get a few dozen spams a day, on the order of about 5% of my email. Just for grins, I set up a completely unfiltered account using my own hosting service, and attached it to PopFile (a free Bayesian filtering program for email) to see the relative spam load. It is roughly 98% spam, or roughly 500 spams/day. I use that address for some mailing list subscriptions, and it is posted on my hosting service site, which probably where it got harv

My ratio

[tonkdude]

One of the many duties I hold at my company is managing the email flow.

We receive between 60k-80k messages a day into our company and of that, about 90% is spam.

I have found the people who get most of the spam are those who have their addresses in other people's address books. I think that spammers get lists of emails gathered by viruses that collect address books.

Of course my boss is the worst because his email is set up as the billing email for all of our domains. The benefit of this is I have

Time to amend CAN-SPAM

[BMcWilliams]

The "expert" estimates on spam percentages do vary. But one thing seems pretty clear. CAN-SPAM hasn't perceptibly reduced the flow of junk email since it went into effect 1/1/2004. That's why I have suggested [betanews.com]that Congress seize a simple way to put some teeth into the law. Give U.S. citizens a right to private action. Why save the privilege of suing spammers just for ISPs, attorneys general, and the FTC?

Re:Time to amend CAN-SPAM

[Atrax]

I think there also needs to be an international effort, otherwise spammers will just up sticks and move off to where there's no treaty (OK, perhaps not physically, but you get the idea).

Some concordance between laws internationally, and an ability for prosecutions to cross borders would be a stunning step, IMO.

Re:Time to amend CAN-SPAM

[conureman]

IMHO, legal action is unrealistic for most people. Personally I don't have time for that, like the DOA mainboard I shoulda sent back &c. How about a liability law that makes spam expenses billable? If it was profitable to recieve spam/viruses/pop-up ads then the problem would end like yesterday.

Yup, it's that bad

[Linux_ho]

I'm the mail admin at a company with a little more than 500 active mail accounts. We get about 110,000 Internet messages per week, and about 80% of those are spam. We're using SpamAssassin to detect it, and running a script against syslog to get those numbers.

Our SpamAssassin server correctly detects over 99% of the spam, and rejects about 92% of it outright at our Internet gateway. The 8% least-spammy-looking-spam is tagged and allowed through to allow for false positives, though none have yet been reported.

Public Email Addresses

[TFGeditor]

I am the editor of a mid-size magazine (hard copy, not web). By necessity, my email address and those of the various department editors are published in the magazine and on our website so readers can contact us. Obviously, this is one of the worst possible scenarios, but necessary to address the lowest common demoninator among readership.

Due to this, I and the department editors that work for me (as well as the advertising and circulation departments) receive hundreds of spam messages daily.

I eliminate mo

There are currently...

[Atrax]

... 2795 spams in my GMail, to which I redirect three or four other addresses. Last delete was on Dec 1st (logically).

So I get roughly 100 spams per day, of which gmail will let one, maybe two through every fifth day or so. pretty good. I now use my gmail account pretty much exclusively.

Thinking back, my spam volumes appear to have gone UP since CAN-SPAM went into effect. As for my work address, 3 a day or so, but we run a lot of spam filtering here, and I don't have access to the figures blocked. I've certainly not seen any marked effect of recent legislation on the amount of crap I get in my inbox.

75% Accurate

[MightyTribble]

I'm the Network Administrator of a moderately-sized University, and we have a Barracuda spam appliance as our mail gateway. It tags about 75% +/- 3% of all incoming mail as spam, and has a very, very low false positive.

Yes, spam volume really is that bad.

Re:75% Accurate

[zeitgeist77]

Network admin at a medium credit union here, we also use the barracuda system. Wonderful little box btw. Some statistics for the 8 months the system has been active:

Blocked 267,219
Blocked: Virus 298
Quarantined 20,993
Allowed: Tagged 6,364
Allowed 98,868

Total Received 393,742

Which works out to 74.9% spam. One thing that throws these statistics for a loop is, we use an external traffic filter (IPS unit). That box knocks down most virus laden emails, as well as a lot of types of ph

perspective

[araven]

My Department manages mail servers with ~400 mail accounts. We would say that the spam problem has increased (along with the virus-generated-email problem) because we see the reports generated by the mailserver and filter. Our users, however, seem to have forgotten that spam is a problem at all. They have forgotten that mere months ago they received dozens (or in some cases hundreds) of spam messages per day. Now they receive few or none, and when they do they send them to us as trouble tickets! At the

maybe you just don't see it

[BortQ]

Many ISPs (and the webmail providers) have taken to just blocking the most egregious spam before it even gets to users. So your mailbox could be getting some spam that you don't even see. It still gets sent and clogs up the network though.

Some plots

[menscher]

I think you'll find the percentage depends a lot more on how much ham they receive than how much spam they receive. For example, if I got 100 spams/day, I'd be happy. Given my 300 hams/day, that would put me at 25%. But others, who get only 10 hams/day, would claim seeing 91% spam. Maybe counting raw spams per account would be a more useful metric.

To get a rough idea of trends, I've been plotting stats on a mailserver I manage. In general, we see spam and viruses are increasing, while ham is decreasi [uiuc.edu]

Some Figures

[Pugio]

I recently activated a spam collector on my inbox. Since December 12th (time of activation), I have received about 1200 spam messages. Not counting mailing lists, this is at least %75 (if not more) of my total mail income. So yes, I would say those figures are accurate.

False positives are the new new problem

[ttul]

With the dramatic improvements in spam filtering software, getting rid of spam is no longer the technical problem it once was. In my experience as a consultant to email administrators and as a market research in the messaging industry, other, derivative problems are now taking over. And these problems are the result of filtering.

There are several problems that now plague email administrators: 1) satisfying the vast resource requirements of a modern email filtering system, 2) handling an increased flow of

ASSP stats

[Jjeff1]

I use ASSP for any of my customers who've implimented spam filters. It keeps global stats [sourceforge.net] for anyone who wants to report back to them. My spam hovers around 60%, more on holidays when there is less legitimate mail. Oddly, within the first few weeks after installing the filter, my spam dropped down from 80% to 70%. I guess the spammers realized they weren't getting through.

I used to get 50-100 spams per day; now almost 0.

[Anonymous Coward]

I've had email addresses rendered useless by the sheer volume of spam. 50-100 spams per day, with maybe 10 legitimate emails hidden among the noise.

Thanks to MS-Outlook worms, even internal corporate email lists started receiving some really offensive porno-spam.

Today I get only a few spams per month, but to achieve this I ended up abandoning my old domain and setting up a system of aliases whereby I give a different email address to every person or organization that asks me for one. I now have several

Not an exaggeration

[Kalten]

Admittedly, this is only my particular case. However...

In January 2004, I received roughly 1,020 spams. Last month (December 2004), I received over 3300 spams. And the number has not decreased in any month since March 2004.

Effective law, my a**.

Sources of spam

[gpmgroup]

Culprits?

http://www.spamhaus.org/rokso/ [spamhaus.org]

We have unique WHOIS addresses and a lot of the spam comes from here but also from website scraping.

You can also see the source of SPAM migrate around the world, as new lists are produced and the old ones sold on. Our oldest unique addresses now receive almost all their SPAM from Asia in non English Languages.

75% seems a little low to me

[paulevans]

I work for a corporation, our email scanner recieved 120,000 emails within the past 12 days. It only sent 10,000 that it determined wasn't spam to our email server.