Home / Blogs

Huge Increase in Spam in October Email

You may have read reports that the total amount of spam is on the decline. Don’t believe them. In the month of October, I saw the amount of spam in my traps here roughly double, from about 50,000 per day to 100,000/day now. In conversations with managers at both ISPs and corporate networks, I’m hearing the same thing. One corporate network has gone from about 12 million spam rejects a month in June and July to 28 million in 28 million in October. The very large mail systems don’t publish their numbers, but they tell me informally they’re seeing the same thing.

So far, nobody can figure out why. Perhaps we have a new generation of zombies, so numerous that price has dropped and spammers can buy twice as many of them. But whatever it is, if anyone tells you that the worst of spam is over, they’re just wrong.

By John Levine, Author, Consultant & Speaker

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


George Kirikos  –  Nov 6, 2006 6:57 PM

Postini publishes spam stats. According to them, 90% of all email is spam these days. I’ve seen more spam than usual the past month too, unfortunately. Harsher penalties are sorely needed.

Western Canada seems to be a big source of spam, according to their maps, which is disappointing (I’m Canadian, but from central Canada). ISPs should be more proactive and aggressive, with more port 25 blocking and better detection of botnets, among other measures.

Larry Seltzer  –  Nov 6, 2006 7:10 PM

I just did a column on this too.

Botnet hunters like Gadi Evron will tell you that the botnets are getting assertive these days, showing that they can’t be stopped. But why push more spam? Perhaps it’s just for the numbers. Even if spam filtering products block a high percentage of the stuff you can still get more through just with volume.

There are other advances, like resubmitting messages to defeat greylisting and big improvements in image spam.

OTOH, there was a burst in spam last December as well. I have a chart here somewhere, I can’t find it at the minute. It subsided after a month or so. This burst has been going on for about 2 months.

Alec Berry  –  Nov 15, 2006 7:23 PM

I administer a modest mail server farm (200+ users,  10,000 messages and 100,000 blocked messages per day). We have seen a huge increase in pump and dump image spam. The message has random text, with the spammed message in a GIF roughly 550x550. The GIFs are animated and have dim multi-color ruled backgrounds, presumably to evade OCR. The latest batch has random multicolored polygons in the background. The name of the embedded GIF, the MIME header, and even the charset are random.

Every message is slightly different, most likely all produced by the same program running on thousands of bots around the world. Each modification to the bots is noticeable, as from week to week the message, background, type of animation, etc. is consistent (more or less).

I have found greylisting helps a great deal, so perhaps the SMTP module in this bot is not as sophisticated as the image generator. Much of it comes from easily identifiable IP blocks, so blacklists are also effective. All my servers are behind an OpenBSD firewall, which is configured to block anything on port 25 from Windows 95, 98, or Me. This is also quite effective in general, but as with blacklists, I never see the messages so I don’t know what kind of spam it is.

I wish I had the time to write a Spamassassin filter, all we need to do is look for animated GIFs larger than 500x500. Give those messages a few points and that ought to push the messages over the SA threshold. In the meantime, I forward a copy to .(JavaScript must be enabled to view this email address) the SEC will hunt down stock scams. If we can make the risk factor (and thus the cost) of spamming higher, such scammers will find spam not worth the risk.

Michael Mettura  –  Nov 29, 2006 7:32 PM

Isn’t the true culprit of spam really domain accountablity, If everyone had to put thier real identitys in the domain registry then alot of the crap would stop.

Anyone can buy a domain and put down spongebob as the domain owner, As long as anonymous domain registrations are possible then the spam will not stop.

The Famous Brett Watson  –  Nov 30, 2006 6:09 AM

If everyone were obliged to give a verifiably true name and a location where they can be found and beaten with a lead pipe as part of their domain registration, spam would not cease. I doubt that it would even diminish. The black market for compromised DNS control-panel accounts would probably get a boost, and those crazy Western African scammers would just keep using third party webmail systems, same as always. So, no, the true culprit of spam is not “domain accountablity”.

It’s ludicrous to think that such a level of positive ID would occur at all, however. In the first case, a scammer only needs a domain for a short while, so if there is a window in which the domain is available to the registrant before the identity is confirmed, the scammer can just use false ID, same as always. You can raise the bar by making registrants turn up in person at an office with a certain quantity of ID in order to register a domain name, but take a wild guess as to the kind of impact that would have on the marketplace for domain names.

Michael Mettura  –  Nov 30, 2006 3:14 PM

I know a few spammers that I could have dealt with already if their domain registration wasn’t bogus, So instead of dealing with the spammer it just continues and I have to make an effort to block it out…

It would be very much like everyone being able to drive around in cars without plates and wearing mask, That is exactly what is going on with domain registrations…

The only people that would get beaten with a lead pipe are the ones that need to, There are alot of legitimate websites and ‘maybe’ there are more illegitimate websites. Thats ludicrous to think that dealing with this would have no effect, YOu have to start somewhere…

If someone is trying to get in your house every night then what do you do?, Do you put a radio by the door so you cant hear it?, Do you just try to make it where they cant get to the door?, Or do you open the door to see who it is…

If you get an email from a spammer there are two ways you can deal with it, You can deal with it by ‘where it came from’ OR you can deal with it by ‘where it goes’. If there was a way to deal with where the email led to then it would be alot easier to fight, This circle will likely never stop unless it becomes easier to track down domain owners…

Daryl C. W. O'Shea  –  Dec 1, 2006 7:12 PM

I wish I had the time to write a Spamassassin filter, all we need to do is look for animated GIFs larger than 500x500. Give those messages a few points and that ought to push the messages over the SA threshold.

Dallas Engelken’s ImageInfo plugin, available since August, is quite useful for detecting image spam.


Kevin Ohashi  –  Dec 13, 2006 7:11 PM

The only people that would get beaten with a lead pipe are the ones that need to, There are alot of legitimate websites and ‘maybe’ there are more illegitimate websites. Thats ludicrous to think that dealing with this would have no effect, YOu have to start somewhere…

That sets a dangerous precedent… who decides who is “deserving”?  I can see plenty of controvertial topics (see US elections for examples) which could lead to acts taking place with your lead pipe, but it is hard to determine whether they were justified.  Most of us (if not all?) do hate this spam but a real solution isn’t going to involve vigilante justice.  Perhaps a prison sentence and extradition of such culprits would be more suited to increasing the risk to spammers.  Even then, I find it hard to see any long-term solution until we have a more stable environment around the globe where all governments function properly and are accountable for their actions and actions of their citizens.

Kevin Wilson  –  Jan 12, 2007 10:19 PM


CircleID members may like to consider this.

To; The Spammaster.
          We are presently concerned at the costs, and consequential losses, being incurred to our business, in processing unsolicited communications.

  Therefore with immediate effect, please delist the, yourname.com url, from your “buy this” , “join this casino” etc ,spamming list.


    All of your earlier unsolicited communications have been logged, and will be billed at $60 an hour for administration and handling.

    In the event of you / your agents failing to delist our url, any future unsolicited communications will be billed at $120 an hour.

    Sending an unsolicited communication to the above url, is deemed to indicate that you / your agents acceptance of these charges.

    As an example, this letter is billed at
$45, and charges incurred will be subject to
30 day invoicing. Late payment where neccessary will be followed up and referred to our collection agents.

            yours sincerely


John Levine  –  Jan 12, 2007 11:12 PM

People have been sending out faux bills like that for at least a decade. Have you ever heard of someone collecting? Or a spammer stopping because of one?

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.



Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

IPv4 Markets

Sponsored byIPXO

Domain Management

Sponsored byMarkMonitor

Domain Names

Sponsored byVerisign