I've been following the various reports on spam volume in January (especially about the massive drop between the years), and I have tried to compare them with my own data.
Now my view is very limited in comparison to the global services - all I'm running here is an MX for two .de domains (though one of them has been on the net since 1995, and should be on about every spam list out there). Also, my main metric differs from what I've seen elsewhere: I'm counting the number of hosts in my greylisting database (using the spamdb munin plugin I hacked up last year). So I don't see the volume of spam, but how many hosts have tried connecting to my system to deliver mail.
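To make the metric concrete, here is an added example (not the munin plugin mentioned above and not code from this post) that turns a `spamdb` dump into host counts of this kind. It assumes the database is OpenBSD spamd's and uses the record layout from spamdb(8); the series names, the sample records and the reading of "hosts" as distinct IP addresses per list are assumptions.

```python
# Constructed sample in the record layout documented in OpenBSD spamdb(8):
#   WHITE|ip|||first|pass|expire|block|pass
#   GREY|ip|helo|from|to|first|pass|expire|block|pass
#   TRAPPED|ip|expire
SAMPLE = """\
WHITE|192.0.2.10|||1288000000|1288003600|1291114000|1|4
WHITE|192.0.2.11|||1288000500|1288004100|1291114500|2|0
GREY|198.51.100.7|mail.example.net|<a@example.net>|<info@example.de>|1288100000|1288101500|1288114400|1|0
GREY|198.51.100.7|mail.example.net|<b@example.net>|<info@example.de>|1288100050|1288101550|1288114450|1|0
GREY|203.0.113.5|dsl-5.example.org|<c@example.org>|<sales@example.de>|1288100100|1288101600|1288114500|3|0
TRAPPED|203.0.113.99|1288200000
"""


def summarise(dump):
    """Count greylist tuples and distinct hosts per list in a spamdb dump."""
    entries = 0
    grey, white, delivering, trapped = set(), set(), set(), set()
    for line in dump.splitlines():
        fields = line.strip().split("|")
        kind, ip = fields[0], fields[1] if len(fields) > 1 else ""
        # spamdb does not escape "|" inside envelope addresses, so a GREY
        # record may split into more than 10 fields; only the type, the IP
        # and the trailing counter are used here, which stay in place.
        if kind == "GREY" and len(fields) >= 10:
            entries += 1
            grey.add(ip)
        elif kind == "WHITE" and len(fields) == 9:
            white.add(ip)
            # last field: connections seen passing through to the real MTA
            if fields[-1].isdigit() and int(fields[-1]) > 0:
                delivering.add(ip)
        elif kind == "TRAPPED" and len(fields) == 3:
            trapped.add(ip)
        # anything else (SPAMTRAP lines, truncated records) is ignored
    return {
        "greylist_entries": entries,
        "grey_hosts": len(grey),
        "white_hosts": len(white),
        "white_delivering": len(delivering),
        "trapped_hosts": len(trapped),
    }


def munin_values(counts):
    """Render the counts as the 'field.value N' lines a munin plugin prints."""
    return "\n".join(f"{name}.value {n}" for name, n in counts.items())


if __name__ == "__main__":
    print(munin_values(summarise(SAMPLE)))
```

Separating `white_hosts` from `white_delivering` distinguishes hosts that merely retried often enough to be whitelisted from those that went on to hand mail to the real MTA.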
Let's start with two graphs - the first is my greylist summary, the second a spam volume count taken from the Symantec MessageLabs Intelligence Report for January 2011. I've resized the Symantec graph to roughly line up with mine.


That doesn't seem very useful: Apart from the marked drop after Christmas, there's little to no similarity. At least the dark blue line for greylist entries could show some correlation - it's the total count of sender / recipient address combinations that's been fed to my system by spammers.
In addition, I can't see a positive effect from events like the shutdown of Spamit (as reported by Brian Krebs) or the decline of Rustock traffic starting from October 2010: To the contrary, the number of distinct hosts connecting to my system (light blue line) almost doubles in that time frame.
The other observation that doesn't fit into anything is the bump in whitelisted hosts (green line): Obviously this means that a group of spammers has successfully defeated greylisting as a countermeasure, a fact that can be verified by looking at the volume of mail that has gone through to sendmail on the same system:

Have I been hit with something that has gone under the radar elsewhere? When comparing with M86's "spambot activity over time" graph in Krebs' "taking stock of rustock" article, linked above, there seems to be an activity spike from one of the bots around that date. I just can't make out which one it is from the legend, even using a colour picker.
Now I'm left wondering why that effective spam weapon has gone out of use at the end of October... Maybe it just wasn't worth the hassle after all, as most of the hosts that managed to pass greylisting turned out to be blacklisted. Unfortunately I've been blinded by my disinterest in spamfighting over the past year: I don't have any logs that reach back into October to find out more.
Maybe someone else has some useful information in this regard?