[personal profile] fanf

A lot of our users have been asking us about the current spam problem, so I sent the following to our computing support staff mailing list and the ucam.comp.mail newsgroup. I thought it would be worth posting here too.

The volume of spam we are seeing has more than doubled since the summer, from about 15 messages blocked per second to over 35, and the amount of spam that gets past the blocks has increased accordingly. This is really unprecedented: in the preceding two years, the volume of blocked spam increased gradually from about 10 to about 15 per second. For comparison, we're handling about 7 messages per second, which includes internal email (3 per second) as well as non-blocked spam and legitimate email from outside the University.

That is, at least 90% of the 3.5 million messages offered to us each day from outside the University are spam.

It is a coincidence that this increase kicked off at about the start of term: this is a global problem that has been widely noted in the IT press. Unfortunately the current flavours of spam are difficult for our second-level filters (SpamAssassin) to handle because they don't have many recognizable features, such as URLs for criminal web sites, etc. We are updating SpamAssassin when new releases come out, which is roughly monthly at the moment.

Date: 2006-11-16 19:27 (UTC)
From: [personal profile] nameandnature
Of the increasing amount of spam which escapes my filters (SBL+XBL+DCC), most of it is the new wave of pump'n'dump stuff, which puts the spam message itself in an image with a randomised background, as well as putting random English text in the message body. I imagine that's what you're referring to?

I've also seen the same program used to send other messages instructing people to type a URL into their browser, although I don't think that's much of a winner for the spammers, because I doubt the people who respond to spam are clever enough to follow the instructions rather than just clicking on a link. Pump'n'dump is ideal for this scheme, though.

I'm struggling to see what SpamAssassin can do about this, but I don't use it myself, so maybe the authors have some cunning plans. I'll probably switch to using the Spamhaus Zen DNSBL when it's ready, as blocking consumer broadband addresses will kill off a lot of the escapees. I might also start insisting that people who want to talk to me at least have some form of rDNS, even if forward and reverse don't match. I suppose these two things are fine for a vanity domain like mine, but might cause complaints if applied to cam.ac.uk :-)
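
The connection-time policy discussed in the comment above (a DNSBL lookup, then requiring some rDNS without forward confirmation), as an added example that is not part of the original post or comment. The function names, the injected resolver and the DNS records are constructed for illustration; only the zone name zen.spamhaus.org comes from the discussion.

```python
import ipaddress

LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")      # DNSBL answers live here
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")  # Spamhaus query-error codes

def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_client(ip, resolve, zones=("zen.spamhaus.org",)):
    """Return (accept, reason) for a connecting SMTP client.

    resolve(name, rtype) is an injected lookup returning a list of
    answers, or [] for NXDOMAIN (hypothetical interface).
    """
    for zone in zones:
        for answer in resolve(dnsbl_query_name(ip, zone), "A"):
            addr = ipaddress.IPv4Address(answer)
            if addr in ERROR_NET:
                # The list refused the query (e.g. asked via a public
                # resolver); this is not a listing, so do not reject on it.
                continue
            if addr in LISTED_NET:
                return False, f"listed in {zone} ({answer})"
    # Require that a PTR record exists; do not forward-confirm it.
    ptr_name = ipaddress.IPv4Address(ip).reverse_pointer
    if not resolve(ptr_name, "PTR"):
        return False, "no rDNS"
    return True, "ok"

# Constructed DNS data using documentation address ranges.
CONSTRUCTED_DNS = {
    ("10.2.0.192.zen.spamhaus.org", "A"): ["127.0.0.11"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["dsl-10.example.net."],
    ("20.100.51.198.in-addr.arpa", "PTR"): ["mail.example.org."],
    ("30.113.0.203.zen.spamhaus.org", "A"): ["127.255.255.254"],
    ("30.113.0.203.in-addr.arpa", "PTR"): ["mx.example.com."],
    # 203.0.113.40 has no records at all: unlisted, but no rDNS.
}

def stub_resolve(name, rtype):
    return CONSTRUCTED_DNS.get((name, rtype), [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.20", "203.0.113.30", "203.0.113.40"):
        print(ip, check_client(ip, stub_resolve))
```
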
