The latest in spam and filtering stats for 2021

Rob McEwen, Carel Bitter, Steve Freegard, Kevin A. McGrail, Michelle Sullivan

Presented by: ​Rob McEwen, Carel Bitter, Steve Freegard, Kevin A. McGrail, Michelle Sullivan

Rob McEwen, Founder & CEO, invaluement
Carel Bitter, Head of Data, Spamhaus
Steve Freegard, Senior Product Owner, Abusix, Inc
Kevin A. McGrail, Principal Evangelist Dito
Michelle Sullivan, Staff Engineer, Spam Expert, and SORBS Maintainer and Architect Proofpoint

Rob McEwen 0:38
Hi, I’m Rob McEwen from invaluement and I’m here to introduce a special group of panellists that I think is amazing. This is for the latest in spam and filtering stats for 2021. And we have a fantastic representation here from four different dnsbl it’s actually three because one of our attendees couldn’t make them all to one at a moment. And due to weather emergency in Australia, unfortunately, and but we have some amazing panellists as well as another person representative who also well represent sample tree. So to start off, let me go one by one. First, I’m Rob McEwen, CEO, and founder of Understand list. The panellists include Steve Freegard, he’s the Senior Product Owner of Abusix Intelligence. And as I understand that steam is basically the brains and architects of the dnsbl part of abusix service abuse. It’s been long known for a variety of services, including providing anti spam data feeds, and then more recently, I think a couple of years ago, they made full entry into the dnsbl industry. Our next panellist is Kevin A. McGrail. He is the principal evangelists that did a business was held, which helps companies migrate modernise and scale with Google Cloud. But my favourite part about Kevin is that he’s the member and longtime chairman emeritus of the Apache spam spam assassin project. He’s he’s been in charge of many of the releases of spam assassin is and is often the public face of spam assassin answering people’s questions online. And if there was such a role as like CEO of spam assassin, he probably would have been considered that position for many of the of the past, you know, decade or a couple of decades or so. For the other panellists we have here today is Carl from spa Haas. He’s the head of data. Carl is one of the main people at slam Haas. And as you knows, everybody listening to as this one passes, probably the most widely used and well known and respected investment list. The fourth are our other panellists that wasn’t able to make it was Michelle Sullivan, when she said she couldn’t be here because in Australia, a large portion of Australia’s going through a catastrophic natural disaster with major flooding. And unfortunately, that affects where Michelle’s located out, so keep her in your thoughts and prayers, I hope she’s doing well. And, but I’ll briefly talk about her too, because she did send a have some of her notes and I’ll be incorporating that into one of my sessions, or many segments here. But Miss Michelle is the founder of the sorbs anti spam list, which was eventually acquired by Proofpoint where Michelle works for Proofpoint continuing to develop and maintain sorbs along with other things that she does to help preplant with their other anti spam services. So that’s uh, you know, not counting myself we have that would include representatives, as, as I said, from for anti spam lists, and as well as another representative from the most respected and open source anti spam software in the world. So that’s a fantastic if I was not on this panel, and I was watching, I would already be impressed. So thank you for joining me in this discussion. And so I’m going to start off with my, my, one of my two smaller small segments. And the first thing is, think about when you think about this type of meeting, but the the inbox Expo and these types of online email discussion forums, who tends to show up, well, let’s see there, we always get a high concentration of email marketers, USPS large ISP is large email holsters, large spam filtering providers, and maybe a few dnsbl off the end and some other vendors in the ecosystem that support all those things. And then now who have I left out and it’s it really think for a moment, who did I leave out Just then, and the person that I left out that often doesn’t come to these events is the small or medium sized, email hosting administrator So maybe we we can work on getting more of them to come to these in the future, they don’t tend to show up as much. But I want to give a shout out to those people.

It they’ve the email person industry’s just been through a lot over the past couple of decades, it’s a lot harder to run a mail server than it used to be, it takes a lot more resources, there’s a lot more headaches, there’s more hoops to jump through in order to manage a mail server successfully, it’s frustrated, many of them and many of them have moved to large cloud providers. And that’s not in and of itself a bad thing. But, but it I just am very impressed by the ones who stayed the course and continue to persevere learning, you know, keeping up with with, with all the new technology, keeping up the fact that there’s just a lot more, you know, set per person these days, that puts a lot much higher burden on the servers, a lot more to keep up with spam filtering accounts are constantly getting hacked into, and that’s very, you know, difficult, you know, to, to, to work through media have got so many more things, they have to learn SPF decam, DMR, for confirmed reverse DNS, paying attention to their IP and domain reputation and all that. So these are heroes and worthy to praise. And there are some things that they that they do that, that no, you know, there’s things the large providers do that I’m very interested to what’s kind of funny, yes, it’s fantastic. But some of these large providers, the way that you somebody can, people don’t tend to get mad at me that much anymore for an environment listening, because oftentimes, when they’re listed at environment, none other email to Google, you know, gets for Microsoft systems get delivered either. Because of the sort, that’s the root cause of the issues is the spam lists are something that sometimes they don’t even know about. And, and so they, and then the way some of those providers have very good metrics for, for just looking at that trends, like how many people are clicking the spam button, how many people are deleting the message, you know, that’s also putting some good pressure on the industry to improve. But, but one of the things that some of these smaller providers do, though, that the larger providers tend to sometimes not do is something to be celebrated. For example, when a I wish the larger providers did a better job of turning off accounts that have been hijacked, or accounts that were just set up by a criminal to begin with, and the criminals continually sending, you know, from a Gmail account or something like that, or for Hotmail account for months without end. And the only thing that can get shut down is a court order from the job. So a lot of these smaller providers tend to shut those accounts quickly, which is very good. Another thing that smaller providers do is they tend to be rejected connection time when they’re doing their spam filtering. And that’s a really good thing. Because if, if you don’t have all systems have occasional false positives. And so if an extremely important message, like a new renewal of a multimillion dollar contract gets in the spam folder, but there’s no reduction back to the sender, the sender might think that you’ve been just actually no person that this happened to and they almost their company almost lost the multimillion dollar contract because it’s gotten put into the spam folder by a large provider. And there was never a rejection notice back to the sender. sender thought they were just being blown off. And then the Thankfully, the message happened we spotted on spam filter in the nick of time. The other thing that’s smaller is understand the user better at fixing particular deliverability issues, both for incoming and outgoing mail. They actually booked the SMTP locks and make custom adjustments for the senders. They don’t just tell the customers Oh, well, it is what it is. That’s what our spam filter did. You just have to live with it or that’s what our our sending system did. But it hasn’t been easy. And it’s it’s good that we are all moving more in the mode of encouraging and educating the senators. I think that’s important. I add environment, we have some big plans for that that haven’t materialised, yet. We’re working towards that. And I’ve seen more recently I’ve seen sparkhouse produce some good articles for encouraging and educating senators. And both senators and you put people that are running your own mail server. And so you know, I’m very grateful for that I think we need to do a better job. Now I was specifically talking mostly in the segment about email hosting administrators.

That and but most of the people at this conference are email senders, so there’s some overlap. There’s some differences there but a lot of overlap between the the email hosting admins who also send mail and the senders like sending like DSPs and other companies sending mail from their own servers. And so as, as, as a set of you know, as you’re representing the anti spam industry, we have a lot of good suggestions for what listeners can do to to get their email delivered and and to do a better job with their system. So I’m going to turn this over to Steve Freegard. He’s going to continue this discussion, talking about just some good tactics and suggestions and techniques for getting your mail delivered and running your mouth server. Very interesting TV interface very well. I’ll take it away, Steve.

Steve Freegard 10:16
Thank you, Rob. And I agree with everything you said there. I think we talk about places that are too big to blog. But like you said about, like things like Gmail and filtering sort of the small guys stuff. And it’s like, oh, well, that’s just our filtering. I came up with the new term, marshy, we’re talking too big to care. Right. So thanks, Rob. So Rob already gave me a rather fine intro. And thank you for that. So obviously, I’m the architect of a b six, male intelligence. Abuse has been around for ages, you might notice for our abuse handling software, that’s abuse HQ, AV three abuse contact database lookup service or the ex off reporting abuse reporting standards that we worked on. However, for email, as Rob said, We’re the new kids on the block, not the boy band, by the way, we look nothing like that. And so BC, smell intelligence has been around for a couple of years. But I think we’ve achieved quite a lot in a short space of time. So in addition to providing IP and domain lists, we provide a number of datasets that are not available elsewhere, which are you need to us and until recently, there was a you know, there was some other stuff that’s that people have sort of caught up with, if you like. So, with that in mind, what as Rob said, I’ve kind of done a list of things. But when I obviously got involved with this panel, I kind of came up with a list of things that from a, from a block list operator’s point of view, what you could do that would be mutually beneficial to you. And that would kind of help us out as well. Because ultimately, we’re about stopping the abuse, we’re not about you know, making life difficult for you or anything like that. Some of you probably might already do some of these, I’m only going to give you you know, I’m conscious of time here. So I don’t want to go through, I probably won’t get through the whole list, to say that I’ve done this as a blog post, and we’ll put it up on on Monday. So if you miss anything, it will be there that you can you can grab this summit, let’s say some of you will already do this. Some of this will not be news, but it might be to some of you. And this is relevant to all senders, not just DSPs, but ISP, as well, to some degree. So my number one thing that I wish everybody did, would be to segment their outbound SMTP into pools of different IPS. And this some ideas for that kind of segmentation. Again, it’s not going to be relevant to everybody but put new customers in one poll for definite until they’ve until you’ve got experience with them. free tier customers really important, put them into their own poll.

existing customers, once you’ve got good behaviour, you can obviously move them into there. And then if you’ve got customers that are absolutely steadfastly refused to do confirmed opt in, then put them in their own pool. Likewise, if you’ve got customers that do affiliate programmes, they are probably affiliate programmes are the biggest one that I deal with on a fairly regular basis. You know, they are abuse magnets, don’t mix them with customers that don’t have affiliate programmes, do yourself a favour. So this just you know, in doing so it’s going to mean that, you know, it stops those different classes of users affecting one another and manages the risk of each type for for you as the sender. But most importantly, and this comes on in point three, publish this information, right? If you do this, tell everybody about it, that you do this, what your goals are, and make it public so that we know about it. Secondly, would be and I dealt with an ESP recently, and I’m sure I’m sure this particular person is watching you subdomains for each customer. So if you’ve got domains for things like clicking open tracking where the customer is using your domains for this, then please please please use a subdomain for each customer. And the reason this is useful is the and I can’t speak about the other, you know, domain lists and how they work. But from an abusix point of view, we do everything based on the mezuzah, the Mozilla public suffix registry, that means that we will only list the organisational domains based on how that Mozilla public suffix registry tells us to do. So and the reason we do that is that obviously if we were to list names by default, then the spammers could just create 1000s of subdomains and we would end up fitting a list with useless junk and they would still be able to get to the mailbox. So but we make exceptions to that list all the time. So if you tell us is it click an open track domain. We use subdomains per customer Ma’am, we will make exceptions for that, which means that if we see bad traffic from your customers hitting our traps, we go on to list them, then you’ll be immediately able to see which customers affected without even speaking to our support. So that that I think is quite a useful one. For some of you, I know quite a number of people don’t do that. The other one would be and this is kind of a personal one for me, because of how we manage our own personal list is to publish an SPF record, make sure the SPF records you publish, that you give to customers are only used for customers right and that they only contain you’re sending ranges so you should limit this to where you can should limit this to ipv4 and ipv6 mechanisms and anything that causes additional DNS lookups like a PTR and include should be avoided wherever you possibly can because obviously you’re limited to 10 DNS lookups and so if the customer has loads of including their own records, they can quickly exceed that limit and then everything’s going to start stopped working so that that’s an important one and the next one and I probably I’ll take a break after this one and see if we want to go on because obviously I’ve got a few few more but this I think is the one that I would most like to see based on the last three that I’ve kind of given you is to create a maintain a postmaster page please please please can we do this AOL one on one I honest they’re really good at doing this. There are dedicated postmaster pages so that they provide ranges and information about everything they do. So what I’d like to see is a postmaster page for each ESP that documents all of the stuff I’ve just talked about.

for male administrators and security researchers, any domains that you use in email or reverse DNS domains should point to this so you know if they’re not pointing somewhere else already The point is, I see this so often I saw it this morning before I came on this call you know I’ll see a random you know, ESP this one happened to be in India, it used a domain name that didn’t have that had security You know, it had registered masking on it when I looked at it and who is if I visited the domain name with my browser, it went nowhere. Alright, so I can’t tell who that entity is I can’t tell anything so at that point, I’ve you know, I’ve kind of hit a dead end will be far You know, all of us I think on this call would be far would appreciate if you did that because it saves so much time on our part and ultimately if we can’t find information about one of these click tracking domains we probably won’t bother and therefore we won’t we won’t give it the more diligence that we otherwise would if we knew it was from one of your domains so that would be that would be my biggest wish if you could do that and document all the things that I just talked about you know if you’ve got Paul’s put them down, have it in one place it would be greatly appreciated because it would save an awful lot of time. Just to very quickly say about the SPF point earlier as well is the male intelligence uses we don’t do manual whitelisting we always work this way SPF record so we extract all of the ranges you know, again, because we don’t have this sort of Central postmaster page it took me probably two weeks to go through every single ESP when I started Main Intelligence to try and work out what SPF records have published to customers you know, it was way harder than it should have been. And you know, some of its behind you know, you’ve got to be a customer to actually find this information out. And that’s not how it should be that needs to be open and in the clear, I’ll take a break there because obviously I don’t want to take up more time I’ve got another three or four points and I will be you know, if we’ve got time we can come back to them or however you want to play it Rob I don’t want to steal too much time from other people.

Rob McEwen 19:09
No problem I want to mention I totally agree with you about you know, the postmaster page I don’t think I’m doing enough good enough job without actually with my own mail server but I but at least my host names go somewhere and you see something important and it’s amazing how many of those domains just go to nothing or go to just like a page and you know, this page is blank or something like that, or just the four or four not found here. But But one of the things I want to add I think it’s critically important is I I actually have situations where somebody will get on the environment list and it’s almost always you know, there’s there’s usually some good cause for it. But it’s a situation where maybe they have small spam leak from a video about Apple customer or a compromised account, but they actually wouldn’t have gotten listed. Because our system if they had used their own main domain names and things like like the the PTR record for the sending IP and and and the clickable links in the in the body of the message but instead they just bought some throwaway domain name. Because an ESP told them to the ESP said to them, you know Don’t you know you don’t want to put your main domain name at risk, you need to buy this extra domain. And but it’s sort of counterintuitive, it actually makes it easier for them to get listed because that domain that they’ve used has no good reputation like zero, it’s starting to hang around. And and it’s just frustrating because it’s that now they’ve removed off the table good reputation points that we would have infused into their IP reputation and domain and other things that would have prevented either their IP or their domain name from getting lists, and

Steve Freegard 20:38
it looks fishy as well, doesn’t it right, then? How many? How many times have we seen domain names hitting our systems where they’re like, name, you know, 1-234-567-8910? You know, it’s, it’s so common, and it’s it just immediately rings, you know, alarm bells without us, right? Yeah. And

Rob McEwen 20:57
it actually is mirroring popular tactics that agree just snowshoe spammers are doing. So it’s like they’re trying to imitate a snowshoe spammer, you know, even though they might be a lot more legit, and don’t have as many stamps any problems. So yeah, so those are really good points. So the next mini session is back to me for a little bit. And then and then Carl, and Kevin will get larger segments towards the end here. But but the so kind of dovetailing what I said earlier about how a lot of emails has consolidated to a few large providers. And that’s not a bad thing. But I hope it doesn’t get get too much further because I don’t want just two main companies that make all the rules, for example, I don’t think that’s healthy for the industry. But similarly, there’s also been a trend where a large portion of you know, sending has been consolidated into a small, relatively small number, maybe dozen or so email service providers is actually about 200 ones that have a large enough footprint to notice. But it’s but but a lot of companies that used to send notifications from their own mail server constantly use email service providers. Well, the problem there that ended up self isn’t a bad thing. It’s in busy, most service providers provide amazing services, things like that bounce handling and tracking metrics and tracking engagement. And then that can be very beneficial for knowing who to purge, and who to keep when you’re trying to prune off some from some of your lists that the addresses that aren’t as engaging as much. So the DSPs do provide a lot of valuable services. But the problem we run into though is that a bad apple gets on you know, customer gets onto a DSP and anti spam lists are powerless to stop them from getting into the inbox because they’re using a shared IP that also sends a lot of legit messages. And they’re not even using the customers on a domain name anymore. Now they’re using the USPS tracking domain at the bottom of the message and that can’t be listed without massive collateral damage. So then at that point, the DSP becomes almost powerless. So there’s been a trend to moving towards other types of ways to surgically block the bat up customers. And, and if the different USPS is using some, some a lot of them are using somewhat of a different tactic. And and you’ll hear more tactics further and later on in this discussion from others. But for so added volume, and we’ve we’ve launched back in August, our service provider dnsbl, that’s focusing on the bad apple customers at DSPs and ISVs. And it’s done really well so far, for what little we’ve tried to do so far. But we got a long way to go a lot, a lot more portions of it are going to be coming out. But the first part of it focused on sendgrid. And, and sendgrid had gotten just out of control with help with, with how much abuse was happening. And our system, it was getting to the point where it was, you know, having a lot of a lot of issues. Oh, and it looks like Michelle has been able to join us. Thank you. Can you hear us myself?

Michelle Sullivan 23:51
I can hear you. Thank you very much. And yes, I’m very surprised I managed to join you. Oh,

Rob McEwen 23:56
good. That’s awesome. So um, so this is a perfect timing, because I’m just going Michelle, I’m just going into the segment, but where I was gonna add in some of your thoughts. So now I don’t have to do that I can just sort of I mentioned but I’m gonna say and I’ll give you a chance to kind of respond and add to it. So that’s perfect timing. So So basically, as I was saying the, the, you know, a lot of these DS while the anti spam lists are becoming powerless for blocking the battle for customers of certain of certain senators. And so, so I was discussing about the, the money, you know, service provider dnsbl with the sendgrid portion of it first released. So I wanted to mention some of the things I was I was doing some catch up auditing on my sendgrid list just last night, and I went through about 50 listings that were randomly selected, looked at every single one individually including the in the house. I wanted to give you some information about that. So one of the things that was interesting was about roughly 4% of all of the sendgrid listings are are wild. Web Forms. So sensitive. So if I didn’t explain that, well imagine that your one of your vice presidents is sitting down with a web developer. And he says, okay, so every time a user comes to our website, it fills out that form, I want to email a copy to the email address the user put on the forum. Okay, that’s like 1990s Nobody does that anymore. That’s, that’s it. No one does that because any spammer could just or bot could throw any address on there and turn your web form into a spam sending machine.

Steve Freegard 25:28
Sorry, can I just can I just quickly add to that, so this is a an attack, this increased in the last week, and it’s something I’ve been, I’ve probably dealt with probably probably 200 of these individually over the last week. And at the moment, there is a bot going around looking for abusable contact forms, is the work from home spam, basically, that it’s pretty much exclusively sending, and it’s so active at the moment. So if you’ve got an abusable webform, that does exactly what Rob says it’s, you know, what he’s described, basically, they’re using it to spam by proxy. So they’re the the bot will fill out the targets addresses the email, and then obviously, then these contact forms have a nice, you know, what’s your message and they’ll just put the body of the spam in there work from home, they typically using blogspot domains or other kind of free stuff, to get that, you know, to get their point across and then Julie, the bot submits, it moves on to the next site that it’s already discovered, you know, and it’s got basically the perfect snowshoe to go and do that. And obviously, I’ve dealt with, like, say, probably a good 100 200 listings of people that have come through support that I’ve been assisting with this, so it’s super common at the moment and something to watch out for and good point.

Rob McEwen 26:45
So it’s, it’s um, so basically, some of those web Mills, web forums I meant to say, are just are just glued right into the sendgrid system, about 4% of our sintered listings are just constant spammers filling out the form putting their like adult, you know, pornographic dating site link into the forum, and then it goes straight to the you know, to the email address, and the bot or spam are put into the into the form, it’s crazy. That other things kind of matching up what Steve was talking about the end, a lot of sometimes I wonder where do all these bad addresses come from, and a lot of them are from insecure signup forms, with no confirmed opt in. So you know, doing things like confirmed opt in, or other similar tactics can be really, really helpful for very helpful for that, and keeping those bad addresses off of your list. Another thing that I run into with some of my sendgrid listings is just a complete lack of bounce handling and engagement monitoring. And this also kind of goes back into the IP and domain, anti spam lists. But there’s some of them where they, they have basically, situations where customers whose domain names have been disabled for a decade are, are still being wrapped, you know, massively sent to buy certain large companies. I’m tempted to name names here. And I can’t in some cases, I’ve had to just whitelist for example, on only one name, Walmart. So Walmart sends up a tonne of spams, or I guess I should call them scams. Now. They’re probably people who really did sign up back in the 90s, or the, you know, back when, like George W. Bush was president, way back then. And, and they’ve been bouncing for a decade, but yet, they’re still massively since you, but since some of those same Walmart sendgrid emails are transactional, I have to just sort of whitelist it and let it go. But that’s getting to be a problem. And I’m gonna let Michelle good this, this matches up with some of the information that I was talking about some of that you take it from here for just like we’re running a little short on time, but you have at least a few minutes to add to them. So

Michelle Sullivan 28:46
yeah, I’ll just be try and be a little bit quick with this. I mean, basically, I’m backing up what you said here, and I mean, the support requests, I get into the sub support system, people when they get nowhere, with with the bots and the real people, they tend to sort of just message me or even if they just get frustrated, they just message me even some cases straightaway. And I’ve got one yesterday, and again, it will actually sendgrid I won’t mention the customer of sendgrid. But they started off with we’ve raised multiple support tickets requesting to do listing of IP blocks from your spam database. Out of all our requests. They’ve all been rejected by the robot with the following statement. This host cannot be separately listed as being previously listed more than five times. And then they went on to various different things. And they are supposed to give us reasons why they need an exemption. And they came back and said we’re a car dealership. You know, we’ve had this address for a while. And it’s a sub that were a subdivision of this bigger company, almost 44 million service appointments, blah, blah, blah and they go on to list a lot of monetary value, which is completely irrelevant to me, and then come back and say, we’re using sendgrid for all email activity. And currently we have 97% success rate with a 1.1% bounce rate and 0.01% spam reports added 28 million requests. This is after previously tell us telling us they’ve got 44 million people on their email list, which, obviously, the numbers don’t match up. But as I pointed out to the guy, and I, it’s gone very, very quiet. His his numbers just don’t add up. And there’s a 1.9% missing, which is, the bit where it’s not a bounce is not a successful delivery, it’s not a spam report. Therefore, it’s probably a spam trap hit. And quite likely one of ours is at least in there. All of the spam trap domains that we are currently using in sorbs, except for my personal email addresses, which I am absolutely positive is not signed up to this company. All of those domains are at least five years old, most of them are over 10 years old, and have never sent a real email in the last 10 years, we spent multiple years in some cases, just bouncing every single message of user unknown. And yet, they still have their email address on the list. The biggest problem for me is the amount of quote legitimate, unquote, senders that don’t clean their email lists. They just keep sending and sending and sending, and then expect everybody else to accept it, and deal with the consequences. And yeah, it’s gonna look past that. I mean, seriously, 2021. You know, this was a problem back in 2007, it should really, really be solved by now.

Rob McEwen 32:00
If I miss love, and you sent me a copy of what that Senator had sent to you, I mean, if I had only read that, my first thought would have been Wow, so I’m still stuck. It looks like they’re just being too aggressive. And this looks like a false positive. But then, you know, when you mentioned such a large portion of the of those addresses being addresses that have been bouncing for a decade, I mean, that’s that’s just ridiculous. And it should be the thing is csps tend to provide good tools so that you can purge off your list the addresses that are bouncing or have bad engagement. And it’s also beneficial to do that, because of the even for even for the Microsoft and Google system, mail systems, they tend to reward you for better engagement. But if a lot of your messages are, are hitting or hitting addresses that don’t exist, or not getting engaged with, you know, that’s only going to lower your engagement there. So those are really good points. Let me ask you one more thing yourself, you can add and maybe spend about a minute or two. We earlier in the segment, we were talking about how we all need to do a better job of educating and providing feedback to senators and you’d mentioned some tools that’s works that are good at that. You’re free to talk about that for a minute or two.

Michelle Sullivan 33:06
Yeah, okay. All that sort of blow my own trumpet as it were. And I was trying to avoid doing that. But many people will know that we launched sobs two back in 2010. Well, as part of that, it was a complete redesign of the site and redesign of the backend database. And we literally wrote it from scratch to deal with spam. And from the aspect of being able to deal with users and ISP is etc. And any ISP ESP, even just a large company that owns at least a slash 24 can come to us and request access to the database. And we do some obviously validation checks on what they want to get access to, etc, and providing them within their own networks, etc. We can allow them access to our database. This allows them to update things or like where their mail servers are, where mail shouldn’t be coming from. And also it allows them to sign up for direct reports. So they can specifically set and set networks all the way down to a single IP address all the way up to a slash nine, I think there’s a maximum per report. And they will basically get an instant email as soon as we receive some sort of intelligence to an IP address that is doing something that it shouldn’t. And that could be sending a virus, it could be an open relay, believe it or not, yesterday, there was 345 open relays detected. It could be an open proxy server or it could just be sending spam. It could just be bouncing messages that it shouldn’t be bouncing. And the ISP can do all of this of their own once they’ve got that access.

Rob McEwen 35:00
Wow, that’s that’s good to know. I think I did not even I mean, I didn’t know about that. And I think a lot of people don’t. So I’m really glad that you’re here to tell people about that thing. A lot of our viewers, viewers of this, this episode here on the inbox Expo are going to be glad to hear about that. Thank you so much. So let me we’re running short on time. So I need to go straight to Kevin. Kevin has a special set of rules for spam assassin, called the cam rules k m. And, and they’re excellent for especially since we were talking about earlier about how we’ve had to, you know, use additional methods of blocking spam that traditional anti spam lists are not able to do. The cameras are especially good at that. So take it away, Kevin,

Kevin A. McGrail 35:40
thank you so much. I usually laugh maniacally when anybody is dumb enough to give me the camera, the microphone here, but I will I will get off my soapbox. So Oh, by the way, For those wondering behind me, or that side, actually, I do not play with dolls all day. I’m doing a rubber ducky debugging presentation as well after that. So that’s why that’s back there. But the I’d say the first thing I want to want to just say is Michelle, I’m so happy to be here. And I’m glad to see your your house there is not overrun with spiders and snakes, because at least in the US with the historic flooding you’ve been having in Australia, they’re talking about how all the snakes and spiders I guess, are fleeing to houses. And I don’t like spiders in any way, shape or form. So yeah, so I’m very, very happy to

Michelle Sullivan 36:23
say that’s they’re all safe, you just pick them up and move them around.

Kevin A. McGrail 36:29
Yes, well, good, good. Well, I’m glad to see that you’re not infested with spiders, and whatnot, the stakes are fine. Steve, I have to say just a little intro real quickly that I hate your speech. So far, you’ve given me homework, and I don’t like that. But really great points. I look forward to seeing that blog on Monday because I realised I don’t have a postmaster page and never have. So we need to fix that. But I’ll get back to some of that. So originally, when this idea of this talk in this panel was pitched to me, they talked about statistics, and I wanted to get some statistics that I thought would be kind of interesting to people. So if anybody out there is using spam assassin, the camera rule sets have been published for nearly 17 years for a no charge, they’re available. And some of the things that most people don’t know is that the camera rule set is not just one file, we finally put it into a channel, a channel that you can download with spam assassin automatically. But the camera set actually includes the camera will set the non cameras set which are people that have given us rules that we’re allowed to use, as well as two other files deadweight and heavyweight. And I thought for two specific two statistics you might be interested. So with dead weight 2.0, which is our revised version, what we do is we look at rules that aren’t hitting, and we do this on the fly in a real mail stream. And then we can publish the data that basically takes out rules that aren’t needed to be run. So it’s 4% less resource intensive, which just dead weight is 3% faster, and it has effectively the exact same efficacy. Compared with dead weight 1.0. It’s actually 6% faster, while the FSC is still identical when you add in heavyweight, and you’re especially comparing against people using combat cf The results for both the resources. And well definitely on the speed, it goes up to 20%. So pretty, pretty dramatic improvements on just an out of the box, both with efficacy as well as resources as well as speed. So take a look at it. One of the things that a lot of people ask me about is how many how many samples or what we call samples as a joke in the industry that we look at to produce combat CF. We do it all by hand. We do use a lot of AI and machine learning tools that help us but it’s all done by hand. We only look at about 6000 emails a year. So it’s not very many. But it’s extremely effective. And I think you’ll find that it’s very useful to add one little interesting note when you start talking about machine learning and AI though is another statistic I came up with was the percentage of systems that I review. Now granted I’ve only asked to review when people are having problems with badly trained Bayesian classification is 100% you know, if you’re not a Bayesian expert if you don’t understand how the underpinnings of the systems work turn off your Bayesian classification you’re probably not using it correctly. Other than that, I think you know I thought one other statistic that would be good is what’s the top three rule sets that you know we’re working on pretty constantly. Number one is the mailbox rule set or the can mailbox This is all about mailbox scams you know your mail is full you know, we had an error during delivery. These are all just credential theft scams pretty common unfortunately. The second one is the the criminal website criminal set excuse me also known as cam underscore prim. This typically starts with extortion sextortion, Bitcoin, things like that. You know the I know your password and I Know What You Did Last Summer and I’m going to blackmail you for it kind of thing I see a tonne of those. And then finally just product spams. We see just a tonne of various products using all the techniques that the other panellists have been talking about. Selling really questionable items. And, you know, we do a lot to try and block those. So that’s kind of interesting. But now after those statistics, I do want to talk about a statistic that I actually hate in the industry. And so this is my soapbox moment. So a lot of people talk about like we blocked 99.9% of the spam or, you know, particular you were mentioning out of usage, you know, you had this guy who said, we only have 1%, of 29 million, etc. So I’m a technologist, I love software, I love different companies, I use all of them. So I don’t like to, you know, call anybody out. But I want to talk about, you know, like, some providers will say, we don’t have a high false positive rate, we have we do every, we only have a point 01 percent false positive rate. Well, that provider that I’m talking about does 300 billion emails a day. And if you do the math on that, that means that something like 30 million emails per day, are handled incorrectly. So what I try and ask people to do is to strive for what’s called the four and a half nines. That means, you know, 99.9995 should be what you aim for. And even with 999, you’re still only talking about 10 false positives for every 1 million. That’s not a number that most companies can say they meet. But anyway, so I’ll get back into some of the things and then I’ll give it the rest of the time, to Carl. So Rob, just another note, I do run an RDL, by the way, but we got DDoS. And we actually took down sales data centre, an entire North Northeastern data centre from it. So we had some very angry people. But a shout out to linode and to cPanel. And say, I think would have helped as well, but they particularly came to the table with with resources and help. So we’ll hopefully make it public. Again, it’s part of the cameras that actually additionally, throw away domains, please use them because we hand analyse all your spam, and when you use them, we track it back to the original one. And when you that, that’s great, because then we list both of them. So you know, don’t think that a throwaway domain or whatnot is going to help you on a DSB campaign. And as you guys said, it looks very guilty. It’s like, you know, you’re going to be spamming. So, you know, hey, but that does lead to a question. I know, we’re talking to a lot of inbox people, a lot of a lot of ISP, csps, etc. So I thought I would mention that the spam assassin project guy named Chris cemetery, he uses what is spam? Like what’s the definition of spam. And I like to mention this in almost all my anti spam speeches. So we use the term Spam is about consent, not content. What that means is you could be Mother Teresa, emailing me the cure to cancer, and if you don’t have consent for me to send that email, then it’s spam period. And so I don’t you know, and that’s very important to people it’s all about consent, that one little letter change. So if you don’t have consent, if you have bad data, if you’ve been buying lists, if you haven’t been handling things with opt in things like that, you have a problem. But other than that, I will hand it over to Carl with one final note which is that spam assassin 3.4 point five with a CVE and it passed vote last night at about 5pm Eastern, so its release is invalid imminent and the releases built if you want to go instal it so anyway, thank you so much for giving me the soapbox Carl take

Rob McEwen 43:22
up since shortchanged let’s take it all the way to the end. You can just say goodbye

Carel Bitter 43:28
Okay, I think thanks for thanks well thanks Kevin. Well thanks premises and use my own mail server so yeah, great points brought up so far. I mean, what what Steve said you know that these are sort of the basic things you need to actually do when you get it right and and it’s amazing to see how many people who are you know, doing doing sending emails for job are not getting some of the basics right. And so my story was going to be a little bit too short of you. If you’re if you’re sending email if you’re getting to this Expo and and that’s probably the case if you’re listening here you’re probably sending email you are competing with with cyber criminals who are doing the same thing. And some of the cyber criminals are doing extremely good job at sending email. Because it’s spam or abuse, it might be worse. Some of these things are actually platforms of launching malware text. A lot of the reason crypto campaigns and emails and some of these games are amazingly adept at getting their email delivered to the right people they will segment their list they will send the campaigns targeted at for example the Netherlands where I am from Dutch IP in Germany once will come from Germany in the finished order form for Finnish IP and the domain symbol you use are all really well set up their their SPF checks out there decam decom sign and they basically do everything by the book and which is why they they still get good results. And this is this is what what people will try to hardest to get away from their users. So or you need to be better than them. Basically, that’s sort of the message I was going to bring here is better than the actual screen for the actual cyber criminals. And there are still too many esbs and customers of ESB that are done or not. And that’s a shame because there’s a tonne of knowledge out there. If you’re willing to look for it. Then if you go to the right conferences, you can you can learn all these things. And there’s really no, no excuse not to do it right. I think anymore. That’s in a nutshell.

Steve Freegard 46:03
Yeah, I think you’re muted. Rob.

Rob McEwen 46:07
I forgot to unmute myself. Sorry about you guys. Sorry. I’m so so far. Did you um, did you mention also about the Spamhaus hash list? And what are you doing with that? Right?

Carel Bitter 46:20
Yeah, so so we have we have besides international IP domain list, we haven’t hairstylist and that’s you talking about malware, mail, spam email, one of the one of the things we do is have attachments that are missing my final email, they’re either malicious or, or suspicious. Yeah, you might be able to, you can check the hash of an attachment against others like that. And that’s that’s one way of dealing with that sort of thing. How many people here remember the image ad campaign that ran for many years, and finally, it was rolled up this year, at the centre of the legitimate mail service with a compromised account, so that that’s not something where regular IP domain reputation will do much good for you need to look deeper inside the email. And you will definitely one thing worth mentioning is that one of the clever tricks to them with that being what that did was, it sort of inserted the cell with their existing email conversations and using stolen credentials and whatnot, which is a super effective social engineering trick to get people to click on on whatever is in emails. And again, I want to remind the legitimate senders out there that this, this is the sort of the terminal, and this is the sort of stuff that that the people on this panel have to deal with. And in case what Steve said, in case it’s hard to find out if something is legitimate or not usually do is pick the site. Okay, well, you know, if it’s too hard, then it’s probably not legitimate. And, yeah, so you want to be careful to put yourself in a position where where people are able to find out if you’re not

Rob McEwen 48:16
excellent. Um, so we only have about a minute left, and our government and a half. Does anybody have any last minute thoughts? And also I should mention, I think there’s a we weren’t able to see the comments from the audience, unfortunately. So if you had asked a question there and it didn’t get answered, I apologise we just something some kind of weird bug. But does anyone have any final quick ideas? 22nd thoughts? Go ahead.

Kevin A. McGrail 48:37
I’ll give a quick shout out. And thanks to Rob So Rob McEwen runs and valued at one of the best lists out there, sorry, although the list runners here, but his work with the ESP plugin and blocking sendgrid, which, you know, sendgrid if you’re out there, contact us. I don’t know what the heck’s going on out there. But you have fallen from grace in the last year like I’ve never seen before. So you know, get it fixed. But great job there. And thank you to all the other people. These are some of the people I’ve most respected anti spam in the world here on this channel. So thank you.

Rob McEwen 49:10
Yeah, thank you. Thank you. Thanks for everybody for being here. And I want to start something else, but we have less than a minute left. So

Michelle Sullivan 49:21
Can I just add one last thing? Oh, sir. Damian has sent us a message as we saw on the private chat. Damien, if you want to message me offline, Michel. adsorbs dotnet just messaged me directly because I’m having trouble finding you on LinkedIn. Even though I’ve been given a link because I got myself locked out. Sorry. Where you go.

Kevin A. McGrail 49:44
Thank you. I’ve been spamming again on LinkedIn, Michelle,

Michelle Sullivan 49:48
trying to sign in for the wrong device.

Rob McEwen 49:52
Down there in Australia, hope everything keeps going well there and thank you all for, for viewing our session. Hope you’ve got a lot out of it. Goodbye.

Steve Freegard 50:00
Thank you, everybody.