
SANS ISC: Spam rate increase is seen - SANS Internet Storm Center SANS ISC InfoSec Forums


Spam rate increase is seen

Thanks to a reader (thanks, Bob) who wrote in this morning asking whether we have seen an increase in spam lately, I can personally confirm that yes, I have seen more spam in my inbox lately.

Bob sent us a couple of interesting graphics, the first being a graph of how much spam has increased recently:

Secondly, another graph he sent in showed an interesting correlation: how many viruses have been blocked by ClamD.

As I said, I've noticed a big increase in spam lately in my own personal email as well.  

What about the rest of the readers?  Have you experienced something similar?

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Joel

454 Posts
ISC Handler
Spam has to be the greatest annoyance of the internet. It doesn't matter whether you use Linux or a Mac. It doesn't matter whether you run the best virus protection that there is. You still have spam to deal with in one way or another.

Filters work to a degree (I currently have 133K spam messages in my spam folder at work), but ultimately resources are wasted (server space, network bandwidth, etc). And I have had problems with false positives in the past leading to communication breakdowns.

There doesn't seem to be any sort of institutional top-down plan for putting an end to this once and for all (esp for virus-laden spam). All of the efforts seem to be focused on preventing individual machines from getting infected with viruses and educating users. And my feeling is that this is a lost cause - there are too many idiot users who will click on any old thing, and there are too many people who aren't computer literate who don't know what virus protection really is.

If I go away for vacation, when I come back I see page after page of spam. There are times that I am simply tempted to shut down my personal email and wash my hands of the whole mess.

Eric

43 Posts
"There doesn't seem to be any sort of institutional top-down plan for putting an end to this once and for all (esp for virus-laden spam)."

we need one of those team-america-world-police squads hunting down spammer sanctuaries like hosting providers and domain registrars. >:)
Anonymous
We have a Postfix/SpamAssassin gateway in front of our Exchange server. Very little spam makes it to the end user; when more starts trickling through, it's usually a sign I need to update SpamAssassin's rules.

Anyway, I'm more wondering what people are using to create graphs of their spam detection rates?
Anonymous
I don't see such an increase on our antispam gateways. It is still sky high but not higher than usual (since early September).
Anonymous
It isn't just hosting providers. Infected machines and botnets send out gobs and gobs of the spam email.

The SMTP protocol is another one of the old ones. In theory you can require authentication, but many don't.

And for that matter, at each hop a simple message is added with an IP address, but these can be forged. In theory one could fix things so that at each hop the server signs the message with a signing certificate. If enough sites did this, then it would be easier to track down where the things really originate.

Individual infected machines send out gobs of messages. Open relays aren't as common as they used to be, but an infected machine can still relay mail through the ISP's SMTP server. How do we stop this?

I know some of these ideas are half-baked, but I am just frustrated, and the problem gets worse all the time. How long will it be before people are forced to use web-based email clients and ISPs no longer offer access to an SMTP server to non-business users?
Eric

43 Posts
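The point in the comment above about forged hop information is the usual one made about Received: headers: each MTA prepends its own line, so only the lines written by servers you operate can be trusted, and everything the connecting client supplied below them is just a claim. The following is an added example, not code from the ISC post or any commenter, showing how a mail admin walks that chain to find the one address that is actually known: the client that connected to the outermost trusted server. The host names in TRUSTED_HOSTS, the ranges in INTERNAL_NETS and the sample message (with a forged bottom hop) are constructed for the demo.

```python
"""Find the last trustworthy hop in a message's Received: chain.

Added example, not code from the ISC post or any commenter. Each MTA
prepends its own Received: header, so the newest is at the top. Only
headers written ("by ...") by servers you operate are trustworthy; the
first hop whose "from" address is outside your infrastructure is the
client that actually connected, and every Received: line below it was
supplied by that client and may be forged. TRUSTED_HOSTS, INTERNAL_NETS
and the sample message are constructed for the demo.
"""
import ipaddress
import re
from email import message_from_string

# Assumed: our own MTAs and our internal address ranges (hypothetical values).
TRUSTED_HOSTS = {"mx1.example.org", "mail.example.org"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

# Constructed sample: a bot-sent message whose bottom Received: line claims
# a path through a bank's mail server that never handled it.
SAMPLE_MSG = (
    "Received: from mx1.example.org (localhost [127.0.0.1])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 1A2B3C;\n"
    "\tSun,  4 Oct 2009 09:00:02 +0000\n"
    "Received: from dsl-77.isp.example (dsl-77.isp.example [203.0.113.77])\n"
    "\tby mx1.example.org (Postfix) with ESMTP id 4D5E6F;\n"
    "\tSun,  4 Oct 2009 09:00:01 +0000\n"
    "Received: from mail.trusted-bank.example (mail.trusted-bank.example [198.51.100.10])\n"
    "\tby relay.legit.example (Postfix) with ESMTP id DEADBEEF;\n"
    "\tSun,  4 Oct 2009 08:59:00 +0000\n"
    "From: \"Account Services\" <noreply@trusted-bank.example>\n"
    "To: victim@example.org\n"
    "Subject: Your account needs verification\n"
    "\n"
    "Click here.\n"
)

# "from HELO (rdns [ip]) ... by HOST"; the parenthesised part is optional.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def received_hops(msg_text):
    """Parse every Received: header, newest first. Fields are None when a
    header does not follow the from/by form."""
    msg = message_from_string(msg_text)
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(str(raw).split())  # unfold continuation lines
        m = RECEIVED_RE.search(value)
        hops.append({
            "helo": m["helo"] if m else None,
            "ip": m["ip"] if m else None,
            "by": m["by"] if m else None,
            "raw": value,
        })
    return hops


def _is_internal(ip):
    """True if ip parses and lies in one of our assumed internal ranges."""
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def trust_boundary(msg_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (origin_ip, claimed_hops).

    origin_ip is the address that connected to our outermost trusted server,
    the only hop we know for certain. claimed_hops are the Received: entries
    below that point; the sender wrote them, so they prove nothing."""
    hops = received_hops(msg_text)
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_hosts:
            return None, hops[i:]  # not written by us: nothing from here down is trustworthy
        if hop["helo"] in trusted_hosts or _is_internal(hop["ip"]):
            continue  # hand-off between our own servers
        return hop["ip"], hops[i + 1:]
    return None, []


if __name__ == "__main__":
    ip, claimed = trust_boundary(SAMPLE_MSG)
    print("connecting client:", ip)
    for hop in claimed:
        print("unverifiable:", hop["raw"])
```

On the sample, the connecting client is 203.0.113.77 and the "trusted-bank" hop is reported as unverifiable; abuse reports and blocklist lookups should be based on the connecting address, never on the lines below it.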
We've remediated a few mass mailing worms in the last 24 hours and noticed a major uptick in Vundo/Virtumonde activity. Common indicators have been malicious files in user profile or system32 matching: java01.exe, document.htm/jpg/chm .exe (it's either htm, jpg or chm and yes a lot of spaces before the .exe extension), and file.exe.
Anonymous
I had not noticed it because we get so much of it. But, looking at the comparison of the past Sunday to the previous one, there was over an 18 percent increase in messages we filtered [4.67 Mil vs. 3.84 Mil the prior Sunday].

Increase in Filtered Messages from Prior Weekday  [Total Spam for Day]
---------------------------------------------------------------------
9/29  Tue   -3.5%   [4.28 Mil]
9/30  Wed    1.4%   [4.61 Mil]
10/1  Thu   -0.2%   [4.41 Mil]
10/2  Fri    7.7%   [4.65 Mil]
10/3  Sat   10.0%   [4.77 Mil]
10/4  Sun   18.3%   [4.67 Mil]
10/5  Mon   12.9%   [4.79 Mil]
10/6  Tue    5.4%   [4.54 Mil]

Anonymous
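An earlier commenter asked what people use to graph their spam detection rates, and the table above compares each day's filtered volume with the same weekday of the prior week. The following is an added example, not code from the ISC post or any commenter, that produces exactly those numbers from the "spamd: result:" lines SpamAssassin's spamd writes to syslog (one per scanned message: Y for spam or . for ham, then the integer score). The sample lines, the host name mx1 and the year 2009 (syslog lines carry no year; the thread's dates match 2009) are constructed assumptions for the demo; run it over a real mail log and feed the rows to gnuplot, rrdtool or a spreadsheet.

```python
"""Daily spam/ham counts and percent change from spamd syslog lines.

Added example, not code from the ISC post or any commenter. It reads the
"spamd: result:" lines that SpamAssassin's spamd logs via syslog. The
sample lines, the host name mx1 and the year 2009 are constructed for the
demo; point daily_counts() at your real mail log instead.
"""
import re
from collections import Counter
from datetime import date, timedelta

# Constructed sample log: two Sundays a week apart plus the Saturday between,
# with one unrelated spamd line that must be ignored.
SAMPLE_LOG = """\
Sep 27 08:10:00 mx1 spamd[1234]: spamd: result: Y 14 - BAYES_99,RCVD_IN_XBL scantime=0.8,size=2100,user=filter
Sep 27 08:12:30 mx1 spamd[1234]: spamd: result: Y 9 - BAYES_80,HTML_MESSAGE scantime=0.6,size=3100,user=filter
Sep 27 09:00:10 mx1 spamd[1234]: spamd: result: Y 11 - URIBL_BLACK scantime=0.7,size=1900,user=filter
Sep 27 09:15:44 mx1 spamd[1234]: spamd: result: Y 7 - BAYES_60,HTML_MESSAGE scantime=0.5,size=2400,user=filter
Sep 27 10:30:00 mx1 spamd[1234]: spamd: result: . -1 - BAYES_00 scantime=0.4,size=1800,user=filter
Oct  3 10:01:12 mx1 spamd[1234]: spamd: result: Y 12 - BAYES_99,RCVD_IN_XBL scantime=0.9,size=2211,user=filter
Oct  3 10:01:15 mx1 spamd[1234]: spamd: result: . -1 - BAYES_00 scantime=0.4,size=1822,user=filter
Oct  3 11:20:40 mx1 spamd[1234]: spamd: result: Y 8 - BAYES_80,HTML_MESSAGE scantime=0.7,size=3102,user=filter
Oct  3 11:21:00 mx1 spamd[1234]: warning: some unrelated spamd line
Oct  4 09:00:01 mx1 spamd[1234]: spamd: result: Y 15 - BAYES_99,URIBL_BLACK scantime=1.1,size=2500,user=filter
Oct  4 09:00:05 mx1 spamd[1234]: spamd: result: Y 9 - BAYES_95 scantime=0.6,size=2300,user=filter
Oct  4 09:30:22 mx1 spamd[1234]: spamd: result: Y 11 - RCVD_IN_XBL scantime=0.5,size=1900,user=filter
Oct  4 10:05:00 mx1 spamd[1234]: spamd: result: . -2 - BAYES_00 scantime=0.3,size=1400,user=filter
"""

# syslog timestamp, host, "spamd[pid]:", then the spamd verdict and score.
RESULT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+\d\d:\d\d:\d\d\s+\S+\s+"
    r"spamd\[\d+\]:\s+spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) "
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_log(text, year=2009):
    """Yield (iso_date, is_spam, score) per result line; other lines are skipped."""
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        d = date(year, MONTHS[m["mon"]], int(m["day"]))
        yield d.isoformat(), m["verdict"] == "Y", int(m["score"])


def daily_counts(text, year=2009):
    """Return {iso_date: (spam, ham)} in date order."""
    spam, ham = Counter(), Counter()
    for d, is_spam, _score in parse_log(text, year):
        (spam if is_spam else ham)[d] += 1
    return {d: (spam[d], ham[d]) for d in sorted(set(spam) | set(ham))}


def spam_rate(counts):
    """Fraction of scanned mail flagged as spam per day, rounded to 3 places."""
    return {d: round(s / (s + h), 3) for d, (s, h) in counts.items()}


def change_vs_lag(counts, lag_days=1):
    """Percent change in blocked spam versus `lag_days` earlier.

    lag_days=1 is day-over-day; lag_days=7 compares with the same weekday of
    the prior week, as in the table posted in the thread. None when there is
    no reference day."""
    out = {}
    for d, (spam, _ham) in counts.items():
        ref_day = (date.fromisoformat(d) - timedelta(days=lag_days)).isoformat()
        ref = counts.get(ref_day)
        if ref is None or ref[0] == 0:
            out[d] = None
        else:
            out[d] = round((spam - ref[0]) / ref[0] * 100, 1)
    return out


def plot_rows(counts):
    """Whitespace-separated rows (date spam ham) suitable for gnuplot."""
    return [f"{d} {s} {h}" for d, (s, h) in counts.items()]


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_LOG)
    weekly = change_vs_lag(counts, 7)
    for row, d in zip(plot_rows(counts), counts):
        print(row, "week-over-week:", weekly[d])
```

With lag_days=7 the sample reports a 25% drop for Sunday 10/4 against Sunday 9/27 and no value for days without a reference; a real log gives you the same column the table above shows by hand.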
Our spam gateway is reporting an increase (~10% average daily) in blocked spam as well, going back to 9/21-ish.

Aside from the reported increase in certain virus distributions we've seen lately, this could also be the "usual" early onset of "Holiday Spam". I haven't specifically looked in my quarantine yet, mostly because I really hate looking in there (ok... I hate our "spam FW", but it's what I'm stuck with here at work).
GuenTech

16 Posts
We have seen the same increase.

I noted the comment about tracing the bad guys via IP addresses and other IT means. The bad guys are working for cold hard cash. Cash they get from others via credit cards, wire transfers and other means. Transfers that are easily traceable by any competent AND interested government.

I have been wondering for several years why governments have not gone after them.
KBR

63 Posts
The big issue with legislature enabling government to step in is where the line is drawn. Who's to say what is and is not spam?

Back to the original topic, I'm seeing a greater increase in spam getting through vs. spam blocked... it's something recent, so be sure to update your rules.
KBR
2 Posts
We can well confirm this increase.

From a quick weekly digest of our logs: through last week, spam connect attempts have gone up to ~300% of the current 6-month average (which had been quite level over that period).

About 15% of the current peak at our sites comes via orange.fr mail relays: France Telecom is a regular spam relay hitting here (and unfortunately notoriously unresponsive to abuse reports), and again seems to be experiencing a phase of increased bot activity within their customer base, which they willingly forward.

The majority of attempts seems to come from APNIC ranges, with about half from .vn, and selectively addressing the lowest- and highest-priority MX hosts only (!).
rpdenid

3 Posts
