Internet and e-mail policy and practice
including Notes on Internet E-mail


2012
Months
Feb

Click the comments link on any story to see comments or add your own.


Subscribe to this blog


RSS feed


Home :: Email

18 Feb 2012

How spamtraps work, maybe Email

This, uh, fell off a truck. I cannot vouch for its authenticity.

> Who wants to answer this one?
Oh, what the heck, tell him about it.
---- snip ----
Our spamtraps are pretty straightforward.  We consider a significant
ISP to be one with a thousand or more mailboxes, so for fairness we
have spamtraps at all of them.  We also have honeypots, old user
accounts, and a couple of more kinds we can't discuss due to pending
patent applications.  (By the way, did you know the third largest taxi
fleet in NYC is run by the NYPD?)
As the spam comes in to the network of spamtraps, it's analyzed in
real time.  We used to do it in software with pattern matching and
scoring and OCR of images, but it turns out to be faster and cheaper
to have people do it, using systems similar to Amazon's Mechanical
Turk.  We've found that people can classify 20 to 30 messages per
minute, more if they happen to speak the language the message is
written in.  We used to give each message to multiple people to
cross-check the results, but that slowed things down so we don't any
more.
Once we have the spam classified by source, topic, URL, and product,
then we do a comparison against normalized traffic for the Internet as
a whole.  In cooperation with several Tier I NSPs we do a whole-net
survey three times a year, sampling traffic through their backbone
routers to get a baseline level of spam and malware.  Then we look for
significant deviations from the baseline to decide what to list in our
proprietary blacklists.  So if, for example, the baseline traffic
level is 0.0001% spam, and we see spamtrap traffic from an IP at the
0.001% level, that's an order of magnitude up which makes it a slam
dunk to list.
Any more questions, feel free to ask.

  posted at: 15:15 :: permanent link to this entry :: 1 comments
Stable link is https://jl.ly/Email/traps.html

Topics


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

CAUCE
It turns out you don’t need a license to hunt for spam.
62 days ago

A keen grasp of the obvious
Italian Apple Cake
620 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

My Mastodon feed



© 2005-2024 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.