I was reading All Spammed Up’s recent post entitled Are Spam Filters really that Bad?  It is referring to the latest test to come out of Virus Bulletin where they measure the efficacy of a variety of antispam products:

In the latest VBSpam comparative test, 20 solutions achieved a VBSpam award, but the majority displayed significantly lower spam catch rates than in other recent tests.

Overall, products' spam catch rates were significantly lower than in previous months, with many products seeing their rates of missed spam doubled. This is a worrying trend: many reports have indicated that global spam levels have dropped significantly in the past year. But if the performance of spam filters also drops, there is little net gain for the end-user, who will still regularly see their inbox filled with spam.

The drop in spam catch rates was most significant at the perimeter, suggesting that spammers are doing a better job at avoiding blacklists. It is possible that spammers are increasingly using legitimate services to send their messages, which poses new challenges for anti-spam companies.

VB’s test is reflective of a trend in spam – the move away from pure botnet-relayed spam to other techniques (which I allude to in my post Predicting the future of abuse).  In the good old days (2006-2009), spammers would infect a computer with malware, and then use that malware to send spam directly to the recipients.  Spam filters figured this out and created IP blocklists to reject mail from these IPs, since those hosts were never intended to be mail servers in the first place.

Spammers reacted to this by tweaking the purpose of their botnets.  Now instead of sending spam directly from malware-infected hosts, they use the botted hosts to connect to Yahoo, Hotmail or Gmail and send mail from those accounts directly (either through accounts they created themselves, or through compromised accounts – their preferred source).  Spam filters cannot reject mail from these services because it would cause too many false positives, as the majority of email from them is good mail.

The loss of IP blocklists will almost always result in a drop in spam catch rates. Unless your spam filter catches 100% of the spam, it cannot be as good as it was before.

The reason is mathematics.  If a spam content filter is 90% effective, then any mail coming from an IP that would otherwise be on a blocklist is flagged as spam 90% of the time.  In other words, if you are not using an IP blocklist, then if you get 100 messages from a spammy IP, you will block 90 of them.  If you are using the IP blocklist, you block all 100 – a difference of 10 false negatives.

Most content filters are better than 90%, but few are as good as 100%.  This means that the catch rate must dip slightly.

The loss of IP blocklists results in lower spam effectiveness but usually lower false positives, too.  Sometimes IP blocklists list legitimate IPs, or shared IP space, and legitimate mail cannot get through to its intended destination because it lives in a bad neighborhood.
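To make the arithmetic of the last few paragraphs concrete, here is an added illustration (my own model, not code from Virus Bulletin or from any filtering product): a two-stage filter, IP blocklist in front of a 90%-effective content filter, run over a constructed corpus that includes bot spam from a listed IP, legitimate mail sharing that listed IP, and spam relayed through an unlisted webmail IP. The IP addresses come from the RFC 5737 documentation ranges and all message counts and scores are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender_ip: str
    is_spam: bool          # ground-truth label, constructed for this example
    content_score: float   # constructed content-filter spam score in [0, 1]


# Constructed blocklist; the address is from an RFC 5737 documentation range.
BLOCKLIST = {"203.0.113.7"}


def build_corpus():
    """Constructed sample traffic mirroring the post's 90%-effective content filter."""
    corpus = []
    # 100 spam messages from a listed bot IP: the content filter scores 90 as spam, misses 10.
    corpus += [Message("203.0.113.7", True, 0.9 if i < 90 else 0.2) for i in range(100)]
    # 5 legitimate messages from the same shared (listed) IP: the "bad neighborhood" case.
    corpus += [Message("203.0.113.7", False, 0.1) for _ in range(5)]
    # 20 spam messages relayed through an unlisted webmail IP: only the content filter sees them.
    corpus += [Message("192.0.2.25", True, 0.9 if i < 18 else 0.2) for i in range(20)]
    # 50 legitimate messages from a clean, unlisted IP.
    corpus += [Message("192.0.2.10", False, 0.05) for _ in range(50)]
    return corpus


def is_flagged(msg, use_blocklist, threshold=0.5):
    """Two-stage decision: blocklist first (if enabled), then the content score."""
    if use_blocklist and msg.sender_ip in BLOCKLIST:
        return True
    return msg.content_score >= threshold


def evaluate(corpus, use_blocklist):
    """Return catch counts and rates for one filter configuration."""
    spam = [m for m in corpus if m.is_spam]
    ham = [m for m in corpus if not m.is_spam]
    caught = sum(is_flagged(m, use_blocklist) for m in spam)
    false_positives = sum(is_flagged(m, use_blocklist) for m in ham)
    return {
        "caught": caught,
        "missed": len(spam) - caught,
        "false_positives": false_positives,
        "catch_rate": caught / len(spam),
        "fp_rate": false_positives / len(ham),
    }


if __name__ == "__main__":
    corpus = build_corpus()
    for use_bl in (True, False):
        r = evaluate(corpus, use_bl)
        print(f"blocklist={'on ' if use_bl else 'off'} catch={r['catch_rate']:.1%} "
              f"missed={r['missed']} false_positives={r['false_positives']} fp_rate={r['fp_rate']:.1%}")
```

Dropping the blocklist turns the 10 spam messages the content filter misses into false negatives (catch rate falls from 98.3% to 90%), while the 5 legitimate messages from the shared IP stop being blocked, which is the trade-off the post describes.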

Anyhow, the VB tests still showed that most filters were well over 99% effective.  However, a shift in spam from direct-from-bots to bots-behind-legitimate-services does make such mail more difficult to filter.

And that’s why spammers do it.