Comments on: There aren’t that many serious spammers any more

By: bluepolo

bluepolo — Thu, 02 Aug 2007 16:55:13 +0000

Sorry, should have said ’step between the recipient and the spammer’

By: bluepolo

bluepolo — Thu, 02 Aug 2007 16:30:26 +0000

I got to this page from an old Crypto-Gram I had missed.

As it happens the company I work for is a Postini customer who at ~2Bn emails a day see quite a bit of traffic. Personally I think that you are incorrect with your assessment. Postini’s Connection Manager heuristics suggest that most spam comes from Botnets which are of course available for hire, and this puts a step between the spammer and the source of their spam.

Botnets vary in size, and there is now competition between the Botnets. So my hypothesis is that the are a relativey small number of the large Botnets, and its the large botnets that send most of the spam. Each Botnet has a different spam traffic pattern, and is in essence a wave. So if you get say 5 waves at the same time, wave dynamics apply and large variances are inevitable, as are quiet periods.

Just my 2p worth.

Cheers

By: Clive Robinson

Clive Robinson — Sat, 14 Apr 2007 12:44:16 +0000

Richard,

On the assumption that you are atleast partialy correct in your view (and I see no real false indicators) then going after the few would be a worthwhile investment in resources.

However once one Major Spammer has had their head put on a pole and paraded around what is the chance of catching more?

I am assuming (like you are) that the spammers are not particularly stupid people therefore it will be interesting to see if and when the Major few change their tactics to cover their tracks a little more.

By: Technoshaman

Technoshaman — Fri, 13 Apr 2007 17:20:16 +0000

I dunno, shooting them can be messy both from a legal and physical point of view. On the other hand, a very unofficial Narn Bat Squad subjecting a few of these jokers to a close encounter with a blanket and a Louisville Slugger or five…

After all, we want a few of them to live and tell their tales, for the encouragement of the others….

Oh, and as a calling card? Leave a few dozen FIJA pamphlets, which would make a great poison pen in case Mister Spammer ever decided to track down his assailants…

By: Blinky the Hitman

Blinky the Hitman — Thu, 12 Apr 2007 16:35:02 +0000

Huge expenditures to build a legal case is the primary drawback. Finding them is relatively easy. The only way this crap will stop is when the Spamford Wallaces of the world answer a knock on their front doors and get two in the brainpan.

The “authorities” are too busy sucking on the public tit.

By: MikeD

MikeD — Thu, 12 Apr 2007 00:52:21 +0000

Do you really think castration for email spammers would be a deterrent? I mean, with a ready supply of penis enlargement medications, I’m sure they have remedies for castration too.

By: Richard Clayton

Richard Clayton — Wed, 11 Apr 2007 18:06:13 +0000

The graph might conceivably show that only a small number of groups were targetting Demon, except that other ISPs anecdotally report similar patterns, so it’s a worldwide phenomenon. Also, Demon has quite a lot of customers using their own domans (not just example.demon.co.uk sub-domains of the main ISP) so it’s a bit more complex than the situation at major webmail hubs or more consumer-oriented ISPs.

In particular there’s no evidence that spammers, in the main anyway, work out where domain MX records point. For if they did, MessageLabs would report very low percentages of spam as spammers didn’t waste their time trying to get material through their filters… but that’s not what they see.

However, it is indeed possible that there’s thousands of spam gangs each targetting a handful of ISPs each — you’d see the same graph at Demon, but you’d see all sorts of other indications that this was the case as well (such as spam filtering systems having to be customised on a per-ISP basis), and I can’t name any such evidence.

By: Lori

Lori — Wed, 11 Apr 2007 17:37:28 +0000

Doesn’t this only show that a given ISP is only being spammed by a small number of groups? It does seem to show that there aren’t thousands of high-volume spammers using similar/identical lists of addresses to send to, but couldn’t there be hundreds of groups of high-volume spammers, each of whom focused on a small number of domains and cycled among them? That is, there are high and low volume spammers, and the high volume spammers are (for the most part) getting their lists from different places, so that no more than a few are spamming any given ISP.

By: Richard Clayton

Richard Clayton — Wed, 11 Apr 2007 08:21:44 +0000

What you’ve missed is the large day-to-day changes (the moon isn’t bright one day and dark the next). There are two widely different possible reasons for this — one is that there are a few large spammers who target UK ISP customers at Demon one day and US ISP customers at, say, Earthlink the next. The other explanation is that several hundred smaller scale spammers agree that one Saturday they will go for Earthlink, on Monday they will switch to sending to Demon…

… I feel that the swings are more likely to be caused by a few large-scale spammers, than by some general factor (phase of the moon or whatever) that is causing many small spammers to behave the same way.

Of course this argument doesn’t count the spammers or identify their targets when they aren’t hitting Demon (maybe they just take days off?) but if you look at your inbox (especially the non-filtered version of it) then you can see a lot of repetition in the spam that arrives and what it advertises… my graph is not the only evdence for my proposition! but it is, in my view, striking corroboration.

Finally, it’s a mistake to view spammers as foolish or mad — they seem to me to be quite successful and inventive manipulators of the systems they encounter

By: Gary Hinson

Gary Hinson — Wed, 11 Apr 2007 05:32:21 +0000

Richard, maybe I’ve missed something. How does your graph say anything about how many spammers there are or which countries they are targeting? To draw this kind of conclusion, you would presumably need to identify the separate spam sources and correlate the numbers between multiple countries … which you don’t appear to have done in your study.

Let me put it another way: I feel your graph clearly shows a correlation with phases of the moon, therefore conclusively proving that all spammers are in fact loonies.

Kind regards,
Gary