In April, we started to go through our spamtraps (E-mail addresses designed
to collect spam), to find out which spam tests were most effective at
catching spam. The results this month are based on over 14,000 spams that
were received, all in November, 2002. In November, our spamtraps received
about 10% more spam than in October. In November, we received over 3.5x
the amount of spam that we received in January.
The following is a list of tests that we run against the E-mails arriving
at the spamtrap, and what percentage of the spam they caught (it will be
easier to read if you use a fixed-width font):
WEIGHT10 99.48%
WEIGHT20 96.66%
SNIFFER 86.61%
IPNOTINMX 80.28%
SPAMCOP 79.68%
XBL 70.97%
WIREHUB-DNSBL 64.69%
MAILDEFLECTOR 50.38%
POSTFIXGATE 42.83%
SPAMHEADERS 39.49%
REVDNS 34.52%
OSSRC 31.82%
HELO 29.99%
INTERSIL 29.12%
NOPOSTMASTER 28.03%
BADHEADERS 26.63%
SPAMHAUS 24.48%
DSBLALL 23.84%
DORKZTL 23.75%
NOABUSE 22.75%
HEUR10 21.85%
DSBL 21.68%
OSSOFT 20.97%
BLARSBL 17.11%
OSPROXY 16.12%
FIVETENDUL 15.48%
HEUR9 14.20%
VOX 13.90%
FIVETENSRC 13.31%
BLITZEDALL 12.63%
MONKEYPROXIES 12.44%
IPWHOIS 12.17%
ROUTING 11.90%
NJABL 11.18%
BASE64 10.24%
BLITZEDHTTP 9.51%
HEUR8 9.01%
DNSRBL-SPAM 8.97%
OSRELAY 8.40%
FIVETENIGNORE 8.11%
KUNDENSERVER 7.68%
ORDB 7.24%
RSL 6.31%
DELINK 5.62%
DORKS 5.55%
FIVETENOPTIN 4.96%
BADWHOIS 4.94%
SPAMBAG 4.00%
BLITZEDSOCKS 3.48%
DSN 3.38%
KITHRUP 3.34%
FABELSOURCES 3.15%
COMPU 2.96%
DNSRBL-DUN 2.81%
DEVNULL 2.35%
DSBLMULTI 2.11%
MAILFROM 2.06%
NJABLDUL 2.02%
WIREHUB-DYNA 1.94%
LNGSDUL 1.61%
PIGS 0.88%
OSDUL 0.70%
MONKEYFORMMAIL 0.62%
ABL 0.50%
DORKRELAYS 0.42%
FIVETENOTHER 0.40%
FIVETENMULTI 0.38%
LNGSBLOCK 0.32%
FLOWGO 0.23%
FIVETENWEBFORM 0.20%
BLITZEDWINGATE 0.16%
LNGSSRC 0.04%
JIPPG-DUL 0.03%
JIPPG-DULJP 0.01%
The WEIGHT10 and WEIGHT20 tests are just a weighting system that assigns a
weight to each E-mail, based on the spam tests that fail, so they don't
really count as spam tests by themselves (although they do catch the most
spam). It's also important to note that different tests are more likely to
produce false positives (such as the XBL, REVDNS, and SPAMHEADERS tests,
that all catch a lot of spam); those tests are best used in a weighting
system, so E-mail will only be marked as spam if it fails a combination of
tests.
The two best tests by far are SNIFFER ( http://www.sortmonster.com ) at
86.61% and SPAMCOP ( http://www.spamcop.net ) at 79.68%. However, there
are more and more reports of SPAMCOP reporting false positives (which they
will hopefully fix by adding the 'spam to legitimate mail ratio' to their
TXT record).
An interesting detail from this list is that over 10% of spam fails the
BASE64 test (compared to 7% last month), which detects text or HTML that is
specially encoded just so that it can bypass filters.
More information on most of the various spam tests shown above can be found
at http://www.declude.com/junkmail/support/ip4r.htm . You can look up an
IP address using the Spam Database Lookup tool at http://www.DNSstuff.com
. The most recent 20 spams in our spamtraps, and the tests they failed,
can be found at http://www.declude.com/spamtrap.htm .
-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
IMail. http://www.declude.com
---
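The weighting approach described in the message above, sketched as an added example that is not part of the original post and is not Declude's code. The per-test weights, the reading of WEIGHT10/WEIGHT20 as thresholds of 10 and 20 points, and the sample messages are all assumptions constructed for illustration.

```python
# Constructed weights: illustrative values only, not a real Declude config.
# Tests the post calls false-positive-prone (XBL, REVDNS, SPAMHEADERS) get
# weights below the lowest threshold, so none of them flags mail on its own.
WEIGHTS = {
    "SNIFFER": 10, "SPAMCOP": 8, "BASE64": 6,
    "XBL": 5, "REVDNS": 4, "SPAMHEADERS": 4, "HELO": 3,
}
# Assumption: WEIGHT10 / WEIGHT20 trip at a total weight of 10 / 20.
THRESHOLDS = {"WEIGHT10": 10, "WEIGHT20": 20}


def score(failed_tests):
    """Sum the weights of the tests a message failed (unknown tests add 0)."""
    return sum(WEIGHTS.get(name, 0) for name in set(failed_tests))


def classify(failed_tests):
    """Return the threshold tests the message trips, lowest threshold first."""
    total = score(failed_tests)
    ordered = sorted(THRESHOLDS.items(), key=lambda kv: kv[1])
    return [name for name, limit in ordered if total >= limit]


def catch_rates(corpus):
    """Percentage of messages failing each test, thresholds included."""
    counts = {}
    for failed in corpus:
        for name in set(failed) | set(classify(failed)):
            counts[name] = counts.get(name, 0) + 1
    return {n: round(100.0 * c / len(corpus), 2) for n, c in counts.items()}


# Constructed spamtrap sample: each entry lists the tests one message failed.
SAMPLE = [
    ["SNIFFER", "SPAMCOP"],
    ["XBL", "REVDNS", "HELO"],          # no single strong test, still >= 10
    ["SNIFFER", "SPAMCOP", "BASE64"],
    ["REVDNS"],                          # one weak test alone: not flagged
    ["SPAMCOP", "SPAMHEADERS"],
]

if __name__ == "__main__":
    rates = catch_rates(SAMPLE)
    for name in sorted(rates, key=rates.get, reverse=True):
        print(f"{name:<12} {rates[name]:6.2f}%")
```

On this sample the combined WEIGHT10 threshold catches more than any individual test, while a message that fails only REVDNS stays below it.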
