Dealing with spam to your abuse desk?

Among other things, I run the abuse desk for a large service provider with lots of clients. We get a handful of complaints a day. For example, over the past three days, we’ve received about sixteen complaints. And about two hundred spams.

The “fun” part of our job (for various values of “fun”) is going through the abuse mailbox and separating the wheat from the chaff every day. More than 90% of that inbound mail stream is spam. Just random, stupid spam emails from people dumb enough to send spam to an abuse desk. We take turns taking out the trash, moving this mail out of the way so that we can focus on the actual, actionable reports that need to be reviewed and investigated.

How can I reduce the amount of spam our abuse desk receives? I’ve used a lot of different blacklists over the years to reduce the amount of spam received. Problem is, most of them have some level of false positives associated with them. I don’t ever want to knowingly reject a complaint from somebody trying to report abuse from one of our users.
Time to do a bit of testing. On February 2nd, I wrote a script that tags all inbound mail sent to our abuse desk. The sending IP is checked against the Spamhaus ZEN combined list. If the sending host is on the ZEN list, our script adds [SPAM] to the subject line. This helps us sort the mail faster. We spend less time looking at the mail with [SPAM] in the subject line, and more time reviewing the mail that isn’t tagged.
Reviewing the over 2,200 spams I’ve received to our abuse desk from February 2nd through today, Spamhaus has successfully tagged 79.3% of them as spam. I’m very happy with that rate – this correct classification significantly reduces the amount of spam I have to deal with in the long term.
But what about false positives? Since I’m tagging mail, and not rejecting it, it’s very easy for me to find and note false positives. (A false positive in this instance would be a spam report that I wanted to receive, but might have missed because it was tagged as spam.) To date, I haven’t had a single false positive! I’ve saved all the mail in question, and reviewed it multiple times, looking for mail that I might want, but could have missed previously. There doesn’t seem to be any. Score another point for Spamhaus!

If you run an abuse desk that gets a lot of spam, how do you deal with it? I’d love to hear your thoughts. And if you’re in the same boat as me, and wondering what to do? It might be worth your while to tag the mail with Spamhaus ZEN. I think you’ll find that it’ll correctly identify most of the spam, and that false positives, if any, will be few and far between.

No comments:

Post a Comment

Comments policy: Al is always right. Kidding, mostly. Be polite, and you're welcome to join in, even if it's a differing viewpoint.