2013-06-27
How much of our incoming email is checked at SMTP DATA time
One of our anti-spam steps is to check some messages for signs of spam at SMTP DATA time. To qualify for checking, a message must have only (accepted) RCPT TOs of people who've opted in to enough checking to make this worthwhile. I have previously done figures on how many recipients each average inbound email has, but I haven't looked directly at how much of a workout this DATA time check is getting.
Over the past 30 days we've accepted 487,000 messages and run 49,000 through SMTP DATA checks. Over roughly the same amount of time we rejected about 21,000 of those checked messages; about 190 of those rejections were detected as 'viruses' (which includes some phishing attempts because that's how the commercial filtering system we use works).
At first I was all set to be depressed about this low ratio of email checking. Then I actually looked at how many email addresses had opted in to some degree of DATA time filtering and, well, it's tiny. We have about 300 local addresses enrolled in this checking, while over the same past 30 days we've had messages sent to about 1700 different local addresses. It turns out that less than 120 local addresses have rejected any spam at SMTP DATA time over the past 30 days and thus are responsible for those 21,000 rejections.
(As you might guess, a few heavily spammed local addresses are disproportionately responsible for rejections. The most spammed address rejected over 30% of the messages, although after that the remaining very active addresses drop to the 5% level.)
Since I just generated the stats to check my work: it looks like only somewhat less than half of those enrolled addresses actually had email sent to them that went through SMTP DATA checks. If my crude log crunching is accurate there are only about 25 local addresses that did SMTP DATA checks but did not reject any spam at DATA time. I guess this makes sense; if our users bother to go out of their way to enroll themselves in this, it's because they need it.
(This does imply that the enrolled users are not getting a significantly disproportionate amount of our incoming email. About 8.5% of the destination addresses are enrolled and about 10% of the incoming email gets checked at DATA time; this is a bit higher than a completely fair distribution but not that much off for crude measurements.)