Don't get me wrong, I'm mostly glad that this happened. However, I want to make sure that the reasons for it happening are sound - rather than there being a problem with our methods. I'd like to illustrate what's going on here with a graph:
[graph image (source: lightspeed.ca)]
The bright green line here shows the rate at which our server has rejected messages from IP addresses listed in realtime blacklists over the course of the last 12 months. Last May, we were rejecting an average of about 175 messages every 5 minutes, or 35 per minute, using this filter alone. It's pretty clear that since October, it's tapered off to a fraction of that - we're now averaging about 8 rejected messages per minute on this filter:
[graph image (source: lightspeed.ca)]
Since we see no corresponding rise in the number of messages being trapped by Spamassassin (the teal line largely drowned out at the bottom of the graph) or any other filters, I can come to one of two conclusions based on these statistics:
1) All of our filters have become ineffective.
or
2) Spammers aren't spamming as much as they used to.
Historically speaking, I find 1 to be much more likely than 2. However, from experience and customer complaints (rather, a lack thereof), 1 isn't true because we're not seeing much spam in our inboxes anymore. So what the heck is going on here? I can't fathom that spam has somehow become unprofitable. Have they moved on to softer targets? I'm seeing little to no spam on Facebook or Twitter or any HTTP forums. Have there been massive arrests, removing spammers from the wild, and discouraging new criminals from entering the ring?
Whatever the reason, it sounds to me like a hard-fought victory for someone out there. But I still want to make sure that it's either time to break out the champagne or start sharpening our swords.
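The per-5-minute series behind the graphs above has to come from somewhere; the script below, added here as an illustration and not part of the question or its author's setup, shows one way to derive it from a Postfix-style mail log. The seven log lines are constructed for the example: the "blocked using <list>" wording is how Postfix reports a reject_rbl_client hit and "identified spam" is spamd's phrase, but the hostnames, addresses and times are made up, and the 10-minute window used for the rate is just the span of that sample.

```shell
#!/bin/sh
# Added example, not code from the original post. Buckets per-filter rejects
# into 5-minute intervals and converts a count into the per-minute figure the
# question reasons about. The sample log below is constructed; the list name
# zen.spamhaus.org is real, every host, address and time is invented.
LOG="${TMPDIR:-/tmp}/mail.sample.$$"
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
May  3 10:01:07 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using zen.spamhaus.org
May  3 10:02:40 mx postfix/smtpd[1202]: NOQUEUE: reject: RCPT from unknown[203.0.113.11]: 554 5.7.1 Service unavailable; Client host [203.0.113.11] blocked using zen.spamhaus.org
May  3 10:03:12 mx spamd[880]: spamd: identified spam (12.4/5.0) for user:1000 in 0.8 seconds
May  3 10:04:59 mx postfix/smtpd[1203]: NOQUEUE: reject: RCPT from unknown[203.0.113.12]: 554 5.7.1 Service unavailable; Client host [203.0.113.12] blocked using zen.spamhaus.org
May  3 10:05:03 mx postfix/smtpd[1204]: NOQUEUE: reject: RCPT from unknown[203.0.113.13]: 554 5.7.1 Service unavailable; Client host [203.0.113.13] blocked using zen.spamhaus.org
May  3 10:07:45 mx spamd[880]: spamd: clean message (1.2/5.0) for user:1000 in 0.4 seconds
May  3 10:09:30 mx spamd[880]: spamd: identified spam (9.9/5.0) for user:1001 in 0.6 seconds
EOF

# Signature strings for the two filters being compared.
RBL='blocked using'
SA='identified spam'

# count_hits <pattern> <logfile>: number of log lines a filter accounts for.
count_hits() {
    grep -c -- "$1" "$2"
}

# bucket_5min <pattern> <logfile>: group matching lines by 5-minute interval,
# using the syslog timestamp in field 3 (HH:MM:SS). Prints "HH:MM count".
bucket_5min() {
    grep -- "$1" "$2" | awk '{
        split($3, t, ":")
        start = int((t[1] * 60 + t[2]) / 5) * 5   # bucket start, minutes since midnight
        key = sprintf("%02d:%02d", int(start / 60), start % 60)
        n[key]++
    } END { for (k in n) print k, n[k] }' | sort
}

# per_minute <count> <minutes>: the conversion the question does by hand
# (175 rejects per 5 minutes -> 35 per minute).
per_minute() {
    awk -v c="$1" -v m="$2" 'BEGIN { printf "%.2f\n", c / m }'
}

echo "RBL rejects per 5-minute bucket:"
bucket_5min "$RBL" "$LOG"
echo "SpamAssassin hits per 5-minute bucket:"
bucket_5min "$SA" "$LOG"
echo "RBL rate over the 10-minute sample: $(per_minute "$(count_hits "$RBL" "$LOG")" 10) per minute"
```

Running the same two bucket series over the whole retention period and plotting them side by side is exactly the comparison the question draws: a fall in the RBL series with no rise in the SpamAssassin series is what separates "less spam arriving" from "spam slipping past the first filter and being caught later".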
A few months ago, 'Rustock' (which I think was the largest spam-producing botnet) was taken down (http://blogs.technet.com/b/microsoft_on_the_issues/archive/2011/03/17/taking-down-botnets-microsoft-and-the-rustock-botnet.aspx).
While it didn't produce 100% of spam, I think it was quite a big contributor. Also, generally, companies have been adding methods that slow down spam robots, even if you didn't do anything: say GMail changed something that made botnets take 1 second longer to deliver each message, it would slow spam delivered to your servers too.
Spam ebbs and flows like a great tide of sewage, lapping at the shores of our beloved email islands.
In all seriousness, this is a combination of two major factors -- As samarudge pointed out at least one big botnet recently got taken down. I've heard of a few others getting smacked down recently as well, and I believe MS may have made some impact with recent patches (though I could be remembering several patch sets ago too).
The other factor is that - yes - spammers are slipping past filters. I've noticed a slight rise in spam on a few of my accounts which is just beginning to taper off as SpamAssassin catches up with the new hotness in spam.
If your statistics look more-or-less like the SpamCop statistics, your filters are probably working fine -- Enjoy the reprieve and be aware that when the tide rolls in again your users will be at your door crying that they're forced to wade through raw sewage again.
From what I'm seeing the biggest difference between now and a few months ago is that the spam originating from Russian systems has plummeted markedly, which suggests someone has taken positive action. Beyond that, it appears to me that the level has simply returned to what has been the long term norm after a bit of a peak over the last year.
This image shows the stats for our system since about August 2009. Ignore the numbers, only the trend is important.
The stats were pretty stable for about the 5 years prior to this, which is when I first started charting this stuff. I no longer have the old data though.
The real reason why the number of spam messages goes down is the http://www.uceprotect.net/ list. This list doesn't care who sends and why... They will blacklist the complete ISP by blacklisting its AS number (which means all of the ISP's mail servers will be blacklisted, whether or not they sent spam).
The main goal is to force net admins to block port 25 and let only legit mail servers through the firewall. Then compromised computers can't be used as mail servers.
Forcing users to use your mail server is the second part of the rope...
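The "block port 25, let only legit mail servers through" policy from the answer above, as an added example that is not part of the answer or of UCEPROTECT's material: a script that emits (or, with `apply`, runs) the iptables rules for a border firewall, accepting outbound SMTP only from an allowlist of mail servers and logging everything else before dropping it, so a host that suddenly tries to speak SMTP directly shows up in the firewall log. The network range and server addresses are placeholders from the RFC 5737 documentation block, not real allocations.

```shell
#!/bin/sh
# Added example, not code from the answer above. Egress filtering of TCP/25:
# only the listed mail servers may send SMTP out; everything else in the
# customer range is logged and dropped. Addresses are placeholders.
LAN_NET="192.0.2.0/24"                # placeholder customer/LAN range
MAIL_SERVERS="192.0.2.25 192.0.2.26"  # placeholder legitimate MTAs

# Print the iptables commands, one per line, in the order they must be added
# (accept rules first, then the catch-all log and drop).
smtp_egress_rules() {
    for ip in $MAIL_SERVERS; do
        echo "iptables -A FORWARD -s $ip -p tcp --dport 25 -j ACCEPT"
    done
    # Log before dropping: the source address in these entries is the list of
    # hosts to go and inspect, since a direct SMTP attempt from a workstation
    # is usually a compromised machine.
    echo "iptables -A FORWARD -s $LAN_NET -p tcp --dport 25 -j LOG --log-prefix 'SMTP-EGRESS-DROP: '"
    echo "iptables -A FORWARD -s $LAN_NET -p tcp --dport 25 -j DROP"
}

# Count how many addresses are allowed through, for a quick sanity check of
# the allowlist before applying.
allowed_count() {
    smtp_egress_rules | grep -c -- '-j ACCEPT'
}

if [ "$1" = "apply" ]; then
    smtp_egress_rules | sh      # execute the rules (needs root)
else
    smtp_egress_rules           # dry run: just show them
fi
```

Because the rules match only destination port 25, mail clients that submit through an authenticated submission port (587) to the allowlisted servers are unaffected; on a single mail host rather than a border router the same rules go in the OUTPUT chain instead of FORWARD.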