Introducing “The Dip” And How It Relates To Anti-Spam Capture Rates

By Ken Simpson

Our presentation at the recent MAAWG meetings focused on the effectiveness of Inbound Traffic Control in dealing with spam from unknown senders that represent most of the drops seen in anti-spam effectiveness. Two parts of the presentation really stood out with the audience; the second was a look at what a 98% capture rate really means to an anti-spam lab.

Introducing “the Dip”

Despite 98% long-term capture rates, leading anti-spam systems experience significant drops in effectiveness when both sender and content are unknown, most commonly with botnets, targeted campaigns that do not pass through a central lab, and new spam approaches.

Any anti-spam lab worth its salt has a display, something like this graph, showing its capture rate over time. Most of the time the capture rate is acceptably high, but once in a while – typically several times a day – the spam starts flooding through and then it’s all hands on deck while the lab figures out where that mail is coming from and how to plug the dike this time. Sometimes the fix is elegant and long lasting, and sometimes it’s not. The new technique can be network oriented or content oriented, and in either case the dip is what results.

From an end user’s and a service provider’s perspective you can flip this curve upside down, and the dips become peak traffic loads, spam outbreaks, help desk calls and flooded inboxes.

Dips happen because anti-spam companies cannot have perfect insight into the spamming world. It takes enormous visibility and time to turn a new attack into actionable quantities of known content and known senders. It takes the best filters 10 minutes to widely deploy a new filter rule capable of really making a dent in a new spam campaign. The blacklists take between 15 and 30 minutes to set up and distribute a new IP block.

Wouldn’t it be great if we could make the unknown senders wait around for a while – at least until we’ve had a chance to set up a filter rule? In fact we can: this is one of the benefits of Inbound Traffic Control. Messages from unknown senders are forced to wait for better anti-spam information, taking away the spammers’ head start.
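
The dip and the effect of holding unknown senders can be modelled in a few lines. This is an added example, not code from the presentation or from Inbound Traffic Control: the fixed hold time, the traffic mix and all names are assumptions, and only the 10-minute rule deployment figure comes from the text above.

```python
from dataclasses import dataclass

RULE_READY = 10 * 60  # figure from the text: ~10 min to widely deploy a new rule

@dataclass(frozen=True)
class Msg:
    arrival: int        # seconds after the new campaign starts
    known_sender: bool
    spam: bool

def caught(msg: Msg, decided_at: int) -> bool:
    """Filter verdict using only the intelligence that exists at decided_at."""
    if not msg.spam:
        return False
    # Assumption: spam from known senders is always caught; spam from unknown
    # senders is caught only once the new rule has been deployed.
    return msg.known_sender or decided_at >= RULE_READY

def run(msgs, hold: int, bucket: int = 300):
    """Return ({bucket_start: capture_rate}, worst_delay_for_legitimate_mail)."""
    hits, totals, worst_ham_delay = {}, {}, 0
    for m in msgs:
        # Unknown senders are held for `hold` seconds; known senders are not.
        decided_at = m.arrival if m.known_sender else m.arrival + hold
        if m.spam:
            b = m.arrival // bucket * bucket
            totals[b] = totals.get(b, 0) + 1
            hits[b] = hits.get(b, 0) + caught(m, decided_at)
        else:
            worst_ham_delay = max(worst_ham_delay, decided_at - m.arrival)
    return {b: hits[b] / totals[b] for b in sorted(totals)}, worst_ham_delay

def sample_traffic():
    """Constructed traffic: 20 minutes starting at the launch of a new campaign."""
    msgs = []
    for t in range(0, 1200, 30):
        msgs.append(Msg(t, known_sender=False, spam=True))  # new campaign
        msgs.append(Msg(t, known_sender=True, spam=True))   # background spam
        if t % 300 == 0:
            msgs.append(Msg(t, known_sender=False, spam=False))  # new legit sender
    return msgs

if __name__ == "__main__":
    for hold in (0, 300, RULE_READY):
        rates, delay = run(sample_traffic(), hold)
        print(f"hold={hold:4d}s  capture by 5-min bucket={rates}  legit delay={delay}s")
```

With no hold, the first two five-minute buckets show the dip; holding unknown senders for the full rule deployment time removes it, at the cost of delaying legitimate mail from new senders by the same amount.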