Wandering Thoughts archives

2013-06-27

How much of our incoming email is checked at SMTP DATA time

One of our anti-spam steps is to check some messages for signs of spam at SMTP DATA time. To qualify for checking, a message must have only (accepted) RCPT TOs of people who've opted in to enough checking to make this worthwhile. I have previously done figures on how many recipients each average inbound email has, but I haven't looked directly at how much of a workout this DATA time check is getting.

Over the past 30 days we've accepted 487,000 messages and run 49,000 through SMTP DATA checks. Over roughly the same amount of time we rejected about 21,000 of those checked messages; about 190 of those rejections were detected as 'viruses' (which includes some phishing attempts because that's how the commercial filtering system we use works).

At first I was all set to be depressed about this low ratio of email checking. Then I actually looked at how many email addresses had opted in to some degree of DATA time filtering and, well, it's tiny. We have about 300 local addresses enrolled in this checking, while over the same past 30 days we've had messages sent to about 1700 different local addresses. It turns out that less than 120 local addresses have rejected any spam at SMTP DATA time over the past 30 days and thus are responsible for those 21,000 rejections.

(As you might guess, a few heavily spammed local addresses are disproportionately responsible for rejections. The most spammed address rejected over 30% of the messages, although after that the remaining very active addresses drop to the 5% level.)

Since I just generated the stats to check my work: it looks like only somewhat less than half of those enrolled addresses actually had email sent to them that went through SMTP DATA checks. If my crude log crunching is accurate there are only about 25 local addresses that did SMTP DATA checks but did not reject any spam at DATA time. I guess this makes sense; if our users bother to go out of their way to enroll themselves in this, it's because they need it.

(This does imply that the enrolled users are not getting a significantly disproportionate amount of our incoming email. About 8.5% of the destination addresses are enrolled and about 10% of the incoming email gets checked at DATA time; this is a bit higher than a completely fair distribution but not that much off for crude measurements.)

spam/OurMilterVolumeLevel written at 01:12:44;

