Report: Feeble spam filters catch less junk mail Enterprise spam filters are blocking less junk mail, according to independent tests from Virus Bulletin. During a comparative of 20 corporate email filtering products, several missed more than twice as much spam as in previous editions of the VBSpam tests. Virus Bulletin reckons the drop in performance might be down to …
I find it laughable that McAfee are said to have a good capture rate. I've had to use two of their systems in the past few years and both of them were horrid, especially GroupShield (with spam addon). After going round in circles with their support their solution to blatant spam emails was to individually blacklist the emails! Needless to say it was only installed for a few months.
So now we will get new improved spam filters that miss-classify even more legitimate emails.
Leaked spam is a minor annoyance which takes a couple of seconds to get rid of. Miss-classified spam can cost real money, like when a project looses 3 days because that's how long I wait for before chasing up an unanswered email and the recipient tells me he didn't get it then, "oh there it is in my junk folder, I don't know why".
I wonder how much business is lost due to misclassified emails which don't get chased up, if a potential supplier apparently can't be arsed to answer I'm not going to chase them up.
gmail seems particularly bad, I have one guy who swears all the spam filters are turned off but he doesn't get email from the real email address I have had for 15 years, and I don't get bounces. I have to use a false throwaway gmail account to mail him.
> Leaked spam is a minor annoyance which takes a couple of seconds to get rid of.
Generally true, though there are issues with users who don't understand the security risks and are poor at identifying spam and other malicious email, and with automated systems that take email input.
> Miss-classified spam can cost real money
Agreed. Ratings for spam (and other email) filters should be weighted strongly against false positives. In F-score terminology, we want to weight precision much higher than recall; so an appropriate measure might be something like F_0.001, treating a false positive as 1000 times more expensive than a false negative.
I haven't looked at the study, so I don't know how they rank the products they test.
I've subscribed to these guys for five years, and their "Skeptic" is becoming less skeptical.
They seem to let a lot of hired gun spammers send through, with the reason:
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: (...)
...where some identifier follows.
I don't know what their sa_preprocessor does to let these jokers through, but it seems inconsistent. I've had to resort to listing the offending hired guns' networks, domain names and e-mail addresses in their Blocked Senders lists, turning this into a new Whack-A-Mole game. Whatever it is doesn't matter; I didn't subscribe to those mailings.
Is Alex Shipp still roaming these forums? Any insights?
On the plus side, they still haven't let a piece of malware in over five years. Spam is one thing, but at least they're holding up to the virus detection guarantee.
The amount rejected by my server has dropped about 90% in the last 2 years. About the same amount is caught after acceptance by my homebrew filters. I guess spammers are realising that if their client or hired bot gets 10,000 rejects messages referring them to the Spamhaus DNSBL, there's no point wasting time trying to send further spam using a bot whose IP is blacklisted to email servers which are not going to stop using a particular blacklist, when the bot could be put to work mining Bitcoins or providing an anonymity VPN relay to some phisher or other crook.
The spam I continue getting is coming increasingly from legitimate hosts, e.g. burning through accounts created for them by people working at a dollar a day.
I think it's widely known that anti-spam products perform rather better in tests than they do in the field. The testers have to choose a "standard" sample of spam messages to test with. If these don't exactly match the mix of spam arriving at your company, then the performance is going to differ. The relative performance of different products may also differ in the field.
Generally, the producers of anti-spam products can more easily guess what spam the testers will be using than they can guess what spam a typical customer will be getting. So they can tune their products accordingly. This is especially true when you consider that spammers' tactics are changing all the time. The "standard" test set will be spam collected in the past, which the products will be adapted to cope with. In the field, they also have to cope with new stuff that no-one has ever seen before.
So take the test figures with a pinch of salt. It could just be that Virus Bulletin has changed the way it collects spam or made some other change that makes it a little harder for the producers to tune their products for the test.
My own sampling indicates that Yahoo is the leading cause of the increase in spam, especially in the increased amount of spam originating on their servers and the increasing preference of spammers to use Yahoo drop-boxes for spam originating on other networks, both supported by Yahoo's recent changes that make it harder to report spam to Yahoo. I'm at a loss to see how providing better infrastructure to the spammers can possibly help Yahoo edge away from bankruptcy--but if it will hurt the spammers, then I have to be in favor of it (as Twain was supposed to have said about a funeral he couldn't attend).
Why don't ANY of the major email providers support effective anti-spam tools? Let US help go after ALL of the spammers' infrastructure and ALL of the spammers accomplices. Basically something like SpamCop on steroids, with multiple passes and confirmations and more "other'" options to trap new spammer wrinkles.
Remember two important characteristics of the spam problem:
1. The spammers can't obfuscate beyond human capacity when they need to reach human suckers.
2. The number of people who hate spam is much larger than the supply of suckers.
In other words, a relatively small tilt in favor of the spam haters could completely cut the spammers off from reaching the suckers.
Email providers (ISPs?) don't do this because being lazy has no downside.
If there was an *easy* way for end-users to identify the "source ISP" and add it to their personal blacklist, then things might be different. Customers of lazy ISPs would start receiving messages to the effect that "The recipient has received too much spam from your ISP and is not satisfied that your ISP takes the problem seriously. Therefore, all mail from this ISP is now *automatically* rejected. You may be completely innocent, but your ISP is not. Your options are to change ISP or give up on the idea of being able to email this person."
It would be interesting to see how people used that facility and what effect it had on ISPs. Obviously one could unfairly blacklist an ISP because of one bad experience, but you'd be cutting yourself off from legitimate senders every time you did so. In the long-term, the incentive would be for recipients to blacklist only as a last resort and for ISPs to help their own customers avoid being spam senders.
But it does rely on having a *reliable* way to identify sender *ISPs*.
Anecdotally... I've noticed on my Yahoo account in the last 7 days, that one mail *from Yahoo customer services* (confirmation of a change that I'd made) was sifted into my Spam box. While one with 'Viagra' (not even 'vigara' or 'viagara') in both header and body happily passed straight into my Inbox. Go figure.
It may be time for these filters to start using better language-processing approaches. I suspect many are still just using Bayesian filters / Hidden Markov Models; I'd be curious to know if any have tried some of the techniques that have shown better performance for identifying features in low-quality text, such as Maximum-Entropy Markov Models, Support Vector Machines, or voting Perceptron networks. (The last is actually a new-ish revival of a rather old technique; Perceptrons are one of the oldest types of neural network algorithm families. But I've seen some papers where they've done very well against SVMs and the like.)
The *real* solution would be to get most people to use digitally-signed email. That'd eliminate trivial sender forgeries and most of the problems with open relays, greatly simplify whitelisting, and make it easy to do an initial partitioning into "probably good" and "suspect". It'd make it easier to positively identify compromised systems and accounts. It'd make it a lot easier to block blog spam, Yahoo groups spam, etc. But of course we have the classic problems of usability and key infrastructure.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
