AOL Cans 1 billion Spams In One Day

linuxwrangler writes "AOL announced today that its spam filters hit the 1 billion reject mark for a 24 hour period. This is an average of 28 rejects per day per member. In addition, AOL spam engineers say they receive 5.5 million spam submissions each day from AOL users. Other reports here(1) and here(2)."

Wow!

[Tyler Eaves]

28 per subcriber per day caught.

Only leaves 103 apeice...

Failure rate?

[waytoomuchcoffee]

And how many got through?

AOL members aren't sending 5.5 million spams a day

[jrstewart]

Well, maybe they are, but that's not what's reported in the article.

AOL users are reporting 5.5 million spam messages a day to customer service.

Statistical analysis would be nice...

[sgtsanity]

I would really like to see what kinds of spam are being sent and received. Sorta like the Google Zeitgeist, but for mass email.

It would probably have the same #1 term, though...

dang

[Anonymous Coward]

I admin a machine that filters 10,000 spams per day. And I think that's a lot.. I can't even comprehend 1 *billion* junk mail message *per day*.. good LORD! Who writes this stuff? How can there be so *much*... is it sent out by the hundreds every day? Is it the same one bouncing around? How many are false positives?

Geeze... forget *BSD is dying, I think email is dying....

"Allow all mail" doesn't work?

[lwbecker2]

In the AOL "Mail Center" there is an option to "Allow ALL mail". I take it this doesn't work, or that AOL should change it to "Allow all mail that we decide to let through..." ?

Save those bits!

[smartin]

If this is true, can you imagine how much bandwidth and disk space is wasted by spam. I'd be willing to bet that the money lost to spam exceeds the money lost to pirate software and mp3's combined.

Intelligent filters

[digital bath]

It would be interesting to see the code behind AOL's spam filters. What do they consider spam? Does the email have to contain a certain percentage of capitalized letters, come from a certain user/address, have lots of embedded images etc?

If the filter is anything like the filters in use in public schools and library networks, then it would be a fair guess that quite a few legit emails were blocked by the filters. It seems like writting an intelligent filter is pretty hard.

Re:This is the most important story of the year

[meringuoid]

Fuck you AOL for making yourself judge, jury, and executioner of the First Amendment.

Ah, frea speach. What an overrated 'right' that is. Sorry, but your precious Amendment only prevents the government from shutting you up. There's no reason AOL can't censor you, and there's nothing to stop the Slashdot mods putting you to -1. That was settled long ago; Sanford Wallace, the Ralsky of his day, sued AOL and Compuserve for filtering his junk out, and he lost.

It costs AOL $2 per month per user just to handle the spam traffic. AOL's huge userbase makes them a magnet for dictionary attacks. If you want an unfiltered mail feed, then by all means pay someone extra for spam storage, or run your own mail server.

Holy.

[Saint Aardvark]

Fucking. Shit.

I just totaled up the logs for the spam graph [dowco.com] I keep for our mail server. In maybe a year and a half, we've caught approx. 1.6 million spams. I thought we were doing well.

But Jesus Christ! Who here wants to start a pool? We'll bet on how long it'll take before AOL has stopped a googol of spam, total. I bet two and a half years; three tops.

Re:This is the most important story of the year

[bkocik]

AOL has taken it upon themselves to decide for their users what is appropriate speech and what is not

No, we have not. Spam is the #1 complaint we get from our users. They don't want the stuff, so we're fighting it. We block what they ask us to block.

But, of course, we're AOL and this is Slashdot, so naturally everything we do is wrong.

Ambivalence

[iiioxx]

I'm kind of torn on this issue. On the one hand, I hate spam and those who allow it to proliferate. On the other hand, I abhor censorship in any form. I wouldn't have an issue with this at all if AOL simply provided its users with the *tools* to eliminate their own spam if they choose to do so. My problem with this is that AOL itself is deciding to filter its members' email, and making the determination itself as to what is and is not "spam". That's a reckless step down a slippery slope, in my opinion.

Strategy

[Anonymous Coward]

If AOL wants a strong anti-spam law passed so spammers can more easily have criminal charges or civil lawsuits brought against them, they ought to consider completely stopping the filtering so their customers get overwhelmed with junk e-mail. When the customers complain, AOL then tells the customer to contact their congressperson and complain about it and demand something be done.

wow that's expensive or is it cheap.

[goombah99]

there is a claim that spam costs money. Money to the ISP for bandwidth and money to the end user for reading/deleting. is this really true? well certainly I delete lots of spam and it costs me time. but what about the ISP?

I would guess that deleting spam is about as expensive as transmitting it for an ISP. that is the processor intensive task of scoring and removing a spam probably is a wash with the processor light task of tranmitting and storing it. Now for the sake of argument lets just guess a wild number for the cost of filtering or passing along a spam. lets say 0.001 dollars.

if that were true then a billion spam deleted would cost AOL 1million dollars per day (plus the ones that got through). that would be a third of a billion dollars a year. THat seems way to high. So it must be less. SO maybe its 0.000001 cents?? that would come to a third of a million dollars a year.

My guess is that the latter is probably a good guess. why? well how many engineers has AOL assigned to the de spamination? perhaps a third of a million dollars worth every year? it would of course not make sense to spend more on de spamination than the harm it costs.

so anyhow assuming this wild guessing is within an order of magnitude then the proper charge to fine a spammer would be some multiple of 0.000001 dollars per spam sent. which is not an awful lot.

so is spam really that costly to ISPs??? Maybe not

Mailing lists?

[Titusdot Groan]

How many of those 5.5 "spam" submissions are mailing lists the user is too lazy to unsubscribe from?

I had several lists bounce back and forth from my Yahoo inbox to my Yahoo bulk box before Yahoo figured this out and stopped moving legitimate mailers like NYTimes.com, Palm and Apple news into the bulk category.

Re:Holy.

[Badge 17]

We'll bet on how long it'll take before AOL has stopped a googol of spam, total. I bet two and a half years; three tops.

Um... no.

I'll easily take you up on that bet, as a googol is more than the number of elementary particles in the universe

In fact, even if AOL stops 1 billion spams/day, it will take 10^91 days to accumulate 1 googol... which is "somewhat" large. (I know, spam will probably increase exponentially, but still...)

Source:http://whatis.techtarget.com/definition/0 ,,sid9_gci213798,00.html [techtarget.com]

Some are configured to reject ALL outside email

[Kakurenbo Shogun]

Apparently AOL users can set up their accounts to reject ALL email originating outside AOL (as if the rest of the internet were worse SPAMmers than AOL folks). Amazingly, this setting is turned on on some accounts (many, I suspect) without them even knowing it. I run a webserver for a few businesses, and we get LOTS of mail bounced back from AOL account for this reason. It's a real pain when, for example, an AOL customer is trying to sign up on our site, and their account activation key gets bounced back to us because of this stupid setting. I bet they're counting all these messages in their total.

Re:bandwidth usage

[Anonymous Coward]

I run a small web server and answer lots of questions on Usenet Linux groups. I run a small business. I own several domain names. I've had the same email address for about 4 years now. As a consequence, I get somewhere on the order of 20 messages a day that get past my SpamAssassin filters to my inbox. On a good day I get about 50 filtered by SpamAssassin. On a bad day there may be 100-150 spams. My procmail filters show over a thousand spams since this month started.

20 messages not so bad? Well, the subjects are deceptive -- "Re: Contract Extension", "Proposal for Work", etc.. If they get past the filters they're likely to be valid so I end up checking them. Each costs me 5 seconds or so. OK, 5 minutes a day wasted may not be a huge amount. Multiply that by a year and I've lost a day to reading spam.

Let's talk about my Netscape account. I used to use it for personal email. Each week it receives close to a thousand spams. It's completely useless now. The problem is that some old friends still have that email address so occasionally they send me something. If I catch it I'll tell them about another personal address but why should I have to?

Bandwidth, as you've noted, is negligible for me. But the cost in time (both for reading and for implementing a spam filtering policy) is not.

If you could press a button...

[FyRE666]

I remember some survey from years ago that asked "if you could press a button and someone on the other side of the World would die, but you'd recieve 1,000,000 dollars, would you do it?". I'm now wondering, if you could press a button, and a spammer, somewhere would die - would YOU do it? Scary as it seems to me, I'd probably say "yes"...

Re:How?

[StarOwl]

My spam counts tend to get run up because of how my eight-year-old domain is set up (all incoming mail, regardless of the to address gets directed to the same inbox) and because I've made use of tagged addresses.

Having all email routed to my inbox means that my figures above include dictionary attacks.

Using tagged addresses also runs up the total a lot. Every time I give out my email address, either on a registration form or in a public posting, I use a different tag.

I started tagging addresses in the early days of spam. Remember when we foolishly thought we could attach a disclaimer to usenet posts along the lines of "send me spam, and I'll bill you $50 under the anti-fax laws"? Well, I was dumb. I figured that in order to "prove" that unsolicited email was unsolicited, I had to have some proof [google.com] of how the spammer got my email address, and that I had a clear disclaimer.

The good news: I have a pretty good idea of which of my online activities generate spam (e.g., posts to control.cancel and *.test, my NIC registrations, and usenet group-creation votes all seem to be popular for the spam-database trollers)

The bad news: I can easily get hit 30, 40, or 50 times for any one mass-spewing a spammer decides to do.

The totals above contain NO false positives -- they're all tied to tagged addresses which only produce spam. Not included are the 50 or so false negatives I get a day, which get tackled through other means [tmda.net].

Re:This is the most important story of the year

[Phroggy]

Thanks for doing your part. I worked with the abuse department at DirecTV Broadband before they went out of business, and I know when our abuse department fell behind on shutting down spammers, AOL notified us that they were about to block some of our customers' IP blocks. This happened multiple times, and we were able to use the threat to convince management to give us some additional manpower to handle the work.

None of us will probably use AOL's service, but their abuse department certainly earned our respect.

The untold story

[Anonymous Coward]

My provider is of the opinion that email is a luxury--they provide it but make no guarantees--and it shows. I'd switch but they are the only ISP that can provide me with broadband.

I run an email server for my private needs. It is not an open relay and I do not spam but there is one RBL that has decided that any mail coming directly from the user IP address space of my provider is suspicious. I've never had a problem but my fiance, Kim, has run into a few servers that bounce her emails.

If you've guessed that AOL is now blocking mail from my server then you guessed correct. Kim doesn't have many contacts on AOL and they don't get much mail from her but she discovered, within the last week, that mail to any of these contacts bounces back.

So AOL's solution to block spam is to use RBL's--the message specifically mentions the familiar RBL that blocks my address range. I understand that the RBL's are in a difficult situation because their task is monumentally difficult but at least one has chosen an easy way out. I've long considered this RBL to be practicing bad netizenship and I now feel justified because their services are being utilitized by the provider who has been historically associated with bad netizens.

Re:wow that's expensive or is it cheap.

[Kohath]

Dude.

there is a claim that spam costs money. Money to the ISP for bandwidth and money to the end user for reading/deleting. is this really true?

Then later:

I would guess that deleting spam is about as expensive as transmitting it for an ISP.

If deleting it costs money, and not deleting it costs money, then it costs money.

Re:Unbeleivable.

[StarOwl]

If it weren't for what being slashdotted would do to my web traffic quota, I'd post a URL to a days worth of spam.

However, nothing says I can't post a screenshot of my spam-box as viewed via pine.

PINE 4.44 MESSAGE INDEX <Rahul> /backupspam-030305 Msg 1,278 of 1,278 NEW

N 1249 Mar 5 eznorton54998236@h (3428) RE: Protect Your Computer !!
N 1250 Mar 5 gspaMellie (6416) Adult News Letter starowl-960916a@tr
N 1251 Mar 5 ifnMaye (6461) Online Phree Slutz starowl-960922a@
N 1252 Mar 5 qxyMicheal (6320) 100% MEMBERSHIP TO PORN SITES staro
N 1253 Mar 5 ihvbLeonie (6487) 100% Freee Porn Membership starowl-
N 1254 Mar 5 golMaple (6457) Don't Buy Porn Get it Free starowl-9
N 1255 Mar 5 oeuLeonila (6436) Porn is Freee!!! Stop Getting Ripped
N 1256 Mar 5 alyMeridith (6373) Adule Newz Letter starowl-960911a@tr
N 1257 Mar 6 kxwLili (6464) re:Free Porn starowl-961017a@triskel
N 1258 Mar 5 tibsLuis (6413) Stop Paying For Porn starowl-961010a
N 1259 Mar 6 ewbMagaret (6485) Dilicious Free Girlz starowl-960928a
N 1260 Mar 5 Blake (2748) My Slumber Party
N 1261 Mar 5 Blake (2749) My Slumber Party
N 1262 Mar 5 Blake (2749) My Slumber Party
N 1263 Mar 5 Blake (2749) My Slumber Party
N 1264 Mar 5 Blake (2749) My Slumber Party
N 1265 Mar 5 Blake (2749) My Slumber Party
N 1266 Mar 5 Blake (2746) My Slumber Party
N 1267 Mar 5 Rapid Deals By Ema (6903) starowl-961213b@triskele.com, Compute
N 1268 Mar 6 jim zuccaro (8148) Re: Bigger penis in 3 minutes
N 1269 Mar 6 jim zuccaro (8148) Re: Bigger penis in 3 minutes
N 1270 Mar 6 jim zuccaro (8148) Re: Bigger penis in 3 minutes
N 1271 Mar 6 jim zuccaro (8148) Re: Bigger penis in 3 minutes
N 1272 Mar 5 Rapid Deals By Ema (6905) starowl-961229a@triskele.com, Compute
N 1273 Mar 5 venom69@earthlink. (1895) $Home Loans!... Debt Consolidation...
N 1274 Mar 5 Julie Rezdon (12K) re: earn money from porno
N 1275 Mar 5 Kaye (1921) A beautiful Russian
N 1276 Mar 6 tanya1963@anjungca (3739) fascinated with yourself
N 1277 Mar 6 victorcole1 (4749) Hello
N 1278 Mar 5 carla@island-mail. (4830) Are you a homeowner

For the poster who asked about the amount of spam-per-address...to be honest, I'm not sure. I didn't keep a good record of how many different tags I've used, and I'm not entirely sure how to adjust for the effects of dictionary attacks.

I'd guess that I easily somewhere between 70-100 spams per day to the address I originally used in the InterNIC record for my domain, for example, but I haven't kept stats at that level.

I'm unfortunately running a tar pit. But I've got to make up a measurable portion of submissions to uce@ftc.gov...not that that does any good.

So yeah, I get way more than my fair share of spam, because of being curious/stupid and tagging my address. I'm certainly not representative of how much spam Joe Average NetUser is getting. However, I think my spamlog may be interesting reading in the context of the overall growth of spam on the net.

I've been tracking my spam volume in the form above since 10 April 2002. One of these days I need to write up an article on how this is evidence of the expansion of spam.

One encouraging factoid: The rate of spam volume growth, at least for my little cesspool, seems to be slowing, at least as compared to what I saw during the last half of 2002. I don't know whether this is a real slowing, or just more filtering going on upstream from me, however....

P.S. -- 15 spams arrived between the time I pasted the listing from pine and my hitting preview a few seconds ago. :(

costs

[Datasage]

Let see here....
if we have 1 billion spams per day, at roughly 5kb per message, this equals to almost 5TB of wasted bandwidth. This is only what is caught. Now with this we can start estimating the costs per day for dealing with spam.

Lets consider bandwidth cost $1 per GB, AOL being as large as they are may be able to make that less. At that cost it is $5000 per day. This does not include the cost for extra equiptment to deal with the extra bandwidth, for people to write anti-spam software, etc. i'm going to estimate that it cost AOL over $10000 per day because of spam. or over 3.5 million in one year.

Re:This is the most important story of the year

[Phroggy]

Do you really have no idea how much of a nightmare it would be to try to implement a whitelist of everyone who wants to send legitimate mail to an aol.com address? How big a holding queue do you suppose you'd need? Do you know how much legitimate mail is sent by automated systems? I can't imagine the tech support calls this would generate.

Besides, if you tried to implement a whitelist for all of AOL, the spammers would get around it pretty quickly - just sign up for a free trial, send yourself spam, add the spam to the whitelist, and away you go. It would have to be per-user to be meaningful, and if they implemented it, it would just mean most AOL users would start using Hotmail or Yahoo instead, as I'm sure many do already.

Email viruses

[chrisbtoo]

Straying a bit offtopic, but I suffer way more from being sent email viruses than I ever have from spam. I might see 1 spam (maybe 1k - 20k bytes) every couple of days, whereas I get anything from 20 to 100 copies of Klez or Yaha, at 45k - 188k bytes each per day.

AFAICT, all those came from the fact that I made the mistake of listing my real email address when I uploaded a Winamp skin. It was up for less than a week in December, and I'm still getting viruses now. The hotmail one I put up to replace it (only ever used for that Winamp skin) gets a similar level.

AOL spam solution

[Anonymous Coward]

I am AOL user since 1992 and I never lost any messages; except when I (twice actually) did not pay attention setting the exlusion filters.

What AOL really needs to do is:
1) allow more than 100 entries in the exlusion list (500 would be more reasonable)
2) perform more checking that the email header is really correct (reverse DNS etc). How can it be that spam is injected into the AOL gateway when clearly the FROM address is bogus?

I receive about 500 spam mails per month into my account; 20 real messages. More than 20 juk mails for every real message. I spend way too much time clicking the DELETE button!

Re:This is the most important story of the year

[Ambassador Kosh]

I have to admit I think what AOL is doing is correct and slashdot does not speak with one voice. Hell from my point of view block all of them but don't just block it for AOL find a way to keep it from being sent to help the entire world. I have no problem with blocking spam even if you catch some real email in it unintentionally. I get thousands of messages a day and if I lose 5% of my real messages to wipe out 95% of the spam then that is something I am willing to do. Spam just costs way too much to deal with.

Re:Some are configured to reject ALL outside email

[dcw3]

Please forgive me for being an AOHell Dork, but I signed up back in the early 90's when the choices were either them or CompUServ, and I've been too lazy to change.

Yes, the master screenname (AOL allows up to seven screennames) can set the e-mail blocking for each name...they can all be different. So, my kid is only allowed to receive e-mail from known addresses, while my junkmail account (the one I use whenever I *have* to give out an address to some website) is left wide open (I rarely look at it), and my spouse's is different still. So, while all the users may not know their settings, whoever did the master account setup does.

Lately, I've been using the beta AOL Communicator, which seems to be catching roughly +90% of the spam before it hits my inbox, and I've only noticed one false positive over the last month.

small company stats...

[Ender Ryan]

The company I work for currently has a grand total of 7 employees working here in the office. It used to be more before the economy fell apart, but I digress.

Spam became a huge problem here roughly a year ago, and it started taking up too much employee time. So roughly six months ago, we started using Spam Assassin. In that six months, Spam assassin has caught roughly 90% of the spam we get, totalling well over 500,000 spam mails.

Am I crazy, or is 1/2 million spams for only 7 people in less than six months absolutely insane or what? How can anyone argue that these spammers are running legitamite businesses?

I think it's high-time for some legis-fuckin-lation to curb this insanity :)

How effective is spam?

[oz1cz]

Just how effective is spamming from the point of view of the spammer? Do any statistics exist?

If I advertise a silly product to 50 million email addresses, how likely am I to get customers?