Spam Filter Performance

SpamAssassin Spam Filter Performance

In March 2003, I received over twice the amount of spam that I had been receiving in the previous months. I was now getting 9 spams to 1 useful email. This is very likely because of the spread of the Sobig.a virus (see also the new sobig.B and sobig.C viruses). This virus results in an open proxy being installed on the victim's machine. An open proxy provides a means for spammers to hide their identity. This hiding of identity helps spammers because most ISPs will terminate the account of a spammer. Also, some spam is fraudulent, and the hiding of identity makes it difficult to prosecute such spammers.

I was spending a considerable amount of time just fetching email from my IMAP server, only to find out that it was just spam that needed to be deleted anyway. It was time for some automated help. I decided to employ the SpamAssassin spam filter to reduce these nuisance emails. In order to get a better feeling for how this was performing, and to document the spam situation in general for my email address, I decided to generate these graphs of my spam.

It is of particular concern that the high level of spam on the internet today provides an excellent cover for covert messaging using steganographic techniques. From covert control channels [1] for zombie DDoS networks to stealth messaging systems for drug cartels and terrorist cells, such hidden traffic is dangerous to national security. The spam problem is potentially much more serious than it might first appear.

An obfuscated keyword rejection filter for SpamAssassin is here.

[1] Cf. The Future of Internet Worms, sec. 6.4, p. 16, and esp. p. 17, ¶ "Spam makes an effective covert channel..."

