During April 2013 a lot of customers report a bad filtering quality. We receive many feedback and complaint that a lot of spam are going through the filter and reach their mailbox and even after many reports of these spams to our analysis department.
We really measure an important growth of the reports to our spam analysis department.
As shows also the Commtouch “Spam Outbreaks 100”
for the same period, it is very easy to understand the problem. During April, the average of spam per day is around 2’000’000 per day but with many massive attacks with more than 14’000’000 per day !
The result is that instead of opening your mailbox the morning with zero spam, you will find 3 or 4 spam and your feeling will be that the filter is not doing a good job.
When we compare the number of spam stored in the quarantines of users for the same period, we see that the proportion is in the same and if we calculate the ratio false negative received at our analysis department by the number of spam stored in quarantines, we see it unchanged in comparison with a period with a low spam activity.
It is sometime difficult to explain this situation to the final customer, when he is used to have no spam at all in his mailbox. The challenge for any anti spam product is to maintain a very high catch rate, but when the number of spam on the internet is multiplied per 10 in a couple of days, the number of false negative increases in the same proportion, but the feeling change much.
The specificity of these massive attacks of April are a lot of spams coming from well known servers (gmail, yahoo, outlook.com,…) that cannot be blacklisted, and also spams that contain no text and only different urls each time. This is the worst case and if you try to be more aggressive with this kind of spam, the risk is a huge increase of false positive and no customers want that. Our strategy is always to minimize the false positive even if the price is a bad feeling of some customers, but for the best global result for all.