Trends

Spammers are Less Patient than Legitimate Senders

By Ken Simpson | 2 minute read

Our presentation at the recent MAAWG meetings (Messaging Anti-Abuse Working Group, 12th General Meeting, Feb 18-20, 2008, San Francisco, California) focused on the effectiveness of Inbound Traffic Control in dealing with spam from unknown senders, which account for most of the drops seen in anti-spam effectiveness. Based on discussions afterward, two parts of the presentation really stood out with the audience. The first was the difference in spammer and legitimate sender behavior when faced with a slow connection.

[Figure: Spammers are Less Patient than Legitimate Senders]

What this graph shows is that spamming MTAs are less patient than legitimate senders. The economics of spam mean that if forced to wait by a slow MTA, spammers will abandon the connection, usually within 10 seconds, and move on, while legitimate senders will wait to complete message delivery.

The SMTP RFC recommends that email servers wait at least three minutes for each chunk of data they send to be received by the receiving server and acknowledged via a TCP acknowledgment packet. Furthermore, the RFC recommends that senders wait at least ten minutes for the final message delivery acknowledgment. These long timeouts were established because in the early days of the Internet the infrastructure was slow and unreliable, and the machines were easily overloaded, leading to frequent message delivery delays. Today, email servers and our networks are much faster, processing incoming messages in a matter of seconds. Delays still occur, but the timeouts defined in the RFC are vastly higher than what is required in today's world.

For what we imagine are economic reasons, spammers set their SMTP timeouts on the order of seconds rather than the levels recommended within the RFCs. This graph compares the timeouts for spam traffic versus legitimate traffic.

90% of spam connections are gone within the first 10 seconds, whereas legitimate senders hang on for at least a couple of minutes. The gap between these two lines is one of the things that Inbound Traffic Control can help you to exploit to reduce spam levels.