AT&T WorldNet and Brightmail fight spam for me


My tally of spam elimination for me by ATT WorldNet

This web page is http://obri.net/att/brightmail.html

copyright 2003-2004 by Jay O'Brien

jayobrien@att.net

updated September 27, 2004

Is this web page of use to you?

Please let me know, as I am considering stopping the collection of this data.

Thank you!

Jay O'Brien   6/14/04



This web page is a summary of my observations of the efficacy of the spam filter (Brightmail) made available to me as an AT&T Worldnet customer.

These observations are on mail sent to my email address that was established seven years ago. I have made no effort to obfuscate this address. It is present in many Usenet newsgroups and on many web pages, thus it is "ripe" for spammers to "harvest" as a valid address.

I turned on the Brightmail spam filter on September 28, 2002. I opted to have the filter put messages identified as spam into a "screened mail" folder rather than delete the messages outright. I review the screened messages each day. On the rare occasion that a message is wrongly identified as spam (a "false positive") I move it into my inbox and then download it into my mail client (Netscape 7.1).  After reviewing the screened mail folder each day, I empty the folder.


When I get a spam message into my mail client that was missed by Brightmail, I forward it, complete with all headers, to missed-spam@att.net. The exception is those messages containing a virus; I don't send them to missed-spam.

I didn't keep track of the number of messages caught by Brightmail in 2002. However, I forwarded 916 messages to missed-spam in 2002. (In 2004 I opted to stop sending messages to missed-spam - see correspondence below.)

Starting in 2003, I recorded each day's total of spam messages caught by Brightmail and placed into my screened mail folder. I recorded spam missed by Brightmail; these are the messages I forwarded to missed-spam. I have also recorded false positives, and, recently, the number of the "swen" virus messages that were placed into my screened mail folder by Brightmail.  I count as "swen" those messages that are 143K in size in the screened mail folder; this conclusion is based on my experience with this virus and may not be entirely accurate.

I do not use the Brightmail virus filter; I suspect that the results would be somewhat different if I were using both the spam filter and the virus filter. At this time I prefer to handle virus messages with my mail client and McAfee VirusScan.

The number of spam messages has increased from 43 per day in January 2003 to 186 per day during the last full week of November 2003. Even though Brightmail has improved from catching 77% in January to 82% at the end of November, the sheer number of spam messages gives a false appearance that Brightmail isn't working as well as it did earlier in the year.

I feel Brightmail is doing a superb job; it isn't perfect, but the number of false positives is nearly zero.
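The effect described above, worked through with figures from this page's tables (an added example, not part of the original page): it separates filter quality from spam volume by computing what the missed-spam load would have been had the catch rate stayed at its January level. The class and function names are illustrative, and the counts are used as recorded in the tables.

```python
from dataclasses import dataclass

@dataclass
class Period:
    label: str
    days: int
    screened: int             # messages Brightmail put in the screened mail folder
    missed: int               # spam that reached the inbox
    false_positives: int = 0  # valid mail found in the screened folder

    @property
    def total_spam(self):
        return self.screened + self.missed

    @property
    def catch_rate(self):
        # Same definition as the "% spam caught" column in the tables.
        return 100.0 * self.screened / self.total_spam

    @property
    def missed_per_day(self):
        return self.missed / self.days

    @property
    def screened_precision(self):
        # Share of the screened folder that really was spam.
        return 100.0 * (1 - self.false_positives / self.screened)

def compare(baseline, later):
    """Separate a change in filter quality from a change in spam volume."""
    # Missed spam per day in the later period if the catch rate had not changed.
    unchanged = later.total_spam * (1 - baseline.catch_rate / 100) / later.days
    return {
        "catch_rate_change": round(later.catch_rate - baseline.catch_rate, 1),
        "missed_per_day": (round(baseline.missed_per_day), round(later.missed_per_day)),
        "missed_per_day_if_rate_unchanged": round(unchanged, 1),
    }

# Figures copied from Table 1 and Table 2 of this page.
JAN_2003 = Period("1/03", 31, 1028, 311, 0)
WEEK_NOV_23 = Period("week of 11/23/03", 7, 1061, 244, 0)
YEAR_2003 = Period("Total 2003", 365, 32664, 6672, 14)

if __name__ == "__main__":
    for p in (JAN_2003, WEEK_NOV_23, YEAR_2003):
        print(p.label, round(p.catch_rate, 1), round(p.missed_per_day, 1))
    print(compare(JAN_2003, WEEK_NOV_23))
    print(round(YEAR_2003.screened_precision, 4))
```

The comparison shows the catch rate up 4.5 points while missed spam per day rose from 10 to 35; at the January catch rate the same week would have left about 43 per day in the inbox.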

I hope this information is useful to others.

This web page is copyrighted.  Link to this page if you like, but if you wish to publish or use this information in any other way, please contact me for permission to do so.

Jay O'Brien
Rio Linda, CA
November 29, 2003

(See later information and correspondence below the tables)



TABLE 1: Monthly summary starting January 1, 2003

| Month | Brightmail Screened Mail | % spam caught by Brightmail | Brightmail missed spam | Total spam | spam per day | false positives | screened swen virus |
|---|---|---|---|---|---|---|---|
| 1/03 | 1028 | 76.8% | 311 | 1339 | 43 | 0 | |
| 2/03 | 1017 | 69.4% | 449 | 1466 | 52 | 0 | |
| 3/03 | 1616 | 77.1% | 481 | 2097 | 68 | 1 | |
| 4/03 | 2022 | 78.1% | 568 | 2590 | 86 | 0 | |
| 5/03 | 2783 | 82.0% | 610 | 3393 | 110 | 0 | |
| 6/03 | 2997 | 85.2% | 519 | 3516 | 117 | 7 | |
| 7/03 | 3282 | 85.3% | 565 | 3847 | 124 | 0 | |
| 8/03 | 2890 | 86.7% | 443 | 3333 | 108 | 1 | |
| 9/03 | 3414 | 90.1% | 376 | 3790 | 126 | 2 | 33 |
| 10/03 | 3748 | 88.6% | 482 | 4230 | 137 | 3 | 350 |
| 11/03 | 4161 | 83.2% | 840 | 5001 | 167 | 0 | 129 |
| 12/03 | 3706 | 78.3% | 1028 | 4734 | 153 | 0 | 36 |
| Total 2003 | 32664 | 83.0% | 6672 | 39336 | 108 | 14 | 548 |
| 1/04 | 3366 | 82.4% | 718 | 4084 | 132 | 1 | 74 |
| 2/04 | 3831 | 92.1% | 328 | 4159 | 143 | 1 | 124 |
| 3/04 | 3795 | 90.7% | 387 | 4182 | 135 | 0 | 28 |
| 4/04 | 4136 | 88.4% | 542 | 4678 | 156 | 2 | 15 |
| 5/04 | 3818 | 89.2% | 464 | 4282 | 138 | 0 | 1 |
| 6/04 | 3676 | 89.9% | 411 | 4087 | 136 | 0 | |
| 7/04 | 3397 | 87.8% | 474 | 3871 | 125 | 0 | |
| 8/04 | 3575 | 83.7% | 697 | 4272 | 138 | 0 | |



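TABLE 2: Weekly summary starting June 1, 2003

| Week starting | Brightmail Screened Mail | % spam caught by Brightmail | Brightmail missed spam | Total spam | spam per day | false positives | total email received |
|---|---|---|---|---|---|---|---|
| 6/1/03 | 656 | 86.9% | 99 | 755 | 108 | | |
| 6/8/03 | 706 | 88.4% | 93 | 799 | 114 | | |
| 6/15/03 | 695 | 82.1% | 152 | 847 | 121 | 7 | |
| 6/22/03 | 744 | 83.5% | 147 | 891 | 127 | | |
| 6/29/03 | 631 | 85.2% | 110 | 741 | 106 | | |
| 7/6/03 | 559 | 82.0% | 123 | 682 | 97 | | |
| 7/13/03 | 816 | 84.6% | 149 | 965 | 138 | | |
| 7/20/03 | 837 | 86.4% | 132 | 969 | 138 | | |
| 7/27/03 | 846 | 86.2% | 135 | 981 | 140 | | |
| 8/3/03 | 763 | 85.1% | 134 | 897 | 128 | | |
| 8/10/03 | 510 | 82.5% | 108 | 618 | 88 | 1 | |
| 8/17/03 | 601 | 89.0% | 74 | 675 | 96 | | |
| 8/24/03 | 707 | 91.2% | 68 | 775 | 111 | | |
| 8/31/03 | 636 | 91.0% | 63 | 699 | 100 | | |
| 9/7/03 | 806 | 89.4% | 96 | 902 | 129 | | |
| 9/14/03 | 671 | 91.2% | 65 | 736 | 105 | 1 | |
| 9/21/03 | 975 | 90.3% | 105 | 1080 | 154 | | |
| 9/28/03 | 969 | 90.8% | 98 | 1067 | 152 | 1 | |
| 10/5/03 | 950 | 91.4% | 89 | 1039 | 148 | 2 | |
| 10/12/03 | 713 | 89.7% | 82 | 795 | 114 | | |
| 10/19/03 | 872 | 88.9% | 109 | 981 | 140 | 1 | |
| 10/26/03 | 823 | 83.7% | 160 | 983 | 140 | | |
| 11/2/03 | 888 | 85.0% | 157 | 1045 | 149 | | |
| 11/9/03 | 969 | 83.2% | 195 | 1164 | 166 | | |
| 11/16/03 | 963 | 82.9% | 199 | 1162 | 166 | | |
| 11/23/03 | 1061 | 81.3% | 244 | 1305 | 186 | | |
| 11/30/03 | 898 | 78.2% | 250 | 1148 | 164 | | |
| 12/7/03 | 817 | 75.4% | 266 | 1083 | 155 | | |
| 12/14/03 | 833 | 78.5% | 228 | 1061 | 152 | | |
| 12/21/03 | 770 | 78.6% | 210 | 980 | 140 | | 2121 |
| 12/28/03 | 785 | 79.0% | 209 | 994 | 142 | | 2606 |
| 1/4/04 | 655 | 77.1% | 194 | 849 | 121 | | 2451 |
| 1/11/04 | 744 | 75.7% | 239 | 983 | 140 | 1 | 2452 |
| 1/18/04 | 846 | 88.7% | 108 | 954 | 136 | | 2494 |
| 1/25/04 | 849 | 91.3% | 81 | 930 | 133 | | 2590 |
| 2/1/04 | 938 | 87.3% | 137 | 1075 | 154 | | 2458 |
| 2/8/04 | 927 | 92.2% | 78 | 1005 | 144 | | 2270 |
| 2/15/04 | 937 | 94.4% | 55 | 992 | 142 | 1 | 2304 |
| 2/22/04 | 917 | 94.5% | 53 | 970 | 139 | | 2411 |
| 2/29/04 | 994 | 94.7% | 56 | 1050 | 150 | | 2583 |
| 3/7/04 | 646 | 91.5% | 60 | 706 | 101 | | 2032 |
| 3/14/04 | 884 | 88.8% | 111 | 995 | 142 | | 2320 |
| 3/21/04 | 853 | 89.9% | 96 | 949 | 136 | | 2052 |
| 3/28/04 | 929 | 86.7% | 143 | 1072 | 153 | | 2655 |
| 4/4/04 | 979 | 86.8% | 149 | 1128 | 161 | | 2459 |
| 4/11/04 | 949 | 88.8% | 120 | 1069 | 153 | | 2301 |
| 4/18/04 | 1037 | 89.3% | 124 | 1161 | 166 | | 2659 |
| 4/25/04 | 869 | 91.1% | 85 | 954 | 136 | 2 | 2296 |
| 5/2/04 | 818 | 87.8% | 114 | 932 | 133 | | 2214 |
| 5/9/04 | 842 | 88.7% | 107 | 949 | 136 | | 2479 |
| 5/16/04 | 862 | 90.0% | 96 | 958 | 137 | | 2463 |
| 5/23/04 | 973 | 90.1% | 107 | 1080 | 154 | | 2566 |
| 5/30/04 | 937 | 87.9% | 129 | 1066 | 152 | | 2373 |
| 6/6/04 | 888 | 90.9% | 89 | 977 | 140 | | 2518 |
| 6/13/04 | 840 | 89.8% | 95 | 935 | 134 | | 2408 |
| 6/20/04 | 808 | 91.5% | 75 | 883 | 126 | | 2409 |
| 6/27/04 | 785 | 91.4% | 74 | 859 | 123 | | 2592 |
| 7/4/04 | 710 | 86.3% | 113 | 823 | 118 | | 2455 |
| 7/11/04 | 732 | 88.5% | 95 | 827 | 118 | | 2730 |
| 7/18/04 | 846 | 89.5% | 99 | 945 | 135 | | 3262 |
| 7/25/04 | 753 | 84.7% | 136 | 889 | 127 | | 3560 |
| 8/1/04 | 823 | 86.1% | 133 | 956 | 137 | | 3274 |
| 8/8/04 | 837 | 82.5% | 177 | 1014 | 145 | | 3102 |
| 8/15/04 | 782 | 86.1% | 126 | 908 | 130 | | 3043 |
| 8/22/04 | 808 | 80.9% | 191 | 999 | 143 | | 3402 |
| 8/29/04 | 759 | 81.5% | 172 | 931 | 133 | | 2722 |
| 9/5/04 | 714 | 78.7% | 193 | 907 | 130 | | 1938 |
| 9/12/04 | 750 | 82.1% | 164 | 914 | 131 | | 1983 |
| 9/19/04 | 794 | 89.4% | 94 | 888 | 127 | | 2178 |
| 69 weeks | 56484 | 86.5% | 8817 | 65301 | 135 | 17 | note 1 |

note 1: Totals collected starting 12/21/03 are spam plus valid email.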

Follow-up information and correspondence:

-------- Original Message --------
Subject: Brightmail spam filter summary
Date: Sun, 30 Nov 2003 21:18:16 GMT
From: Jay O'Brien <jayobrien@att.net>
Newsgroups: worldnet.users.spam-killer

It's time for the other side of the story. I'm quick to criticize when ATT screws up, so I really should say so when ATT is being vilified without cause. Here goes...

Many posts complain about the Brightmail spam filter. I've found it to be very effective, and other than the fact that ATT won't share any details with or provide feedback to its customers, I'm quite pleased with the filter. The recent increase in spam has created a false impression that Brightmail isn't doing its job. That is just not true.

My spam this year has gone from 43 per day in January to 186 per day last week. Brightmail caught 76.8% of the spam in January; last week it caught 81.3% of the spam. Brightmail is doing a slightly better job, even though the count of spam messages missed by Brightmail went from 10 per day in January to 35 per day last week.

I've posted my results at http://obri.net/att/brightmail.html that back up these numbers.

Jay O'Brien

-------- Original Message --------
Subject: Re: Brightmail spam filter summary
Date: Mon, 01 Dec 2003 13:02:25 GMT
From: Sjur
Newsgroups: worldnet.users.spam-killer

Hi Jay,
Thanks for the link and post.  I've been keeping similar logs since September for two addresses, one with and one without Brightmail, and percentages agree ca. 1%.

I spent yesterday browsing the brightmail site and, for those with an interest beyond grousing, several white papers may be of interest:

http://www.brightmail.com/enterprise-as-features.html
http://www.brightmail.com/pdfs/Brightmail_Anti-Spam_5.1_datasheet.pdf
http://www.brightmail.com/pdfs/Brightmail_Server_5.1.pdf

(Brightmail offers an Enterprise version for the 'little' guys and a Service Provider version for the likes of Worldnet.  Pages for the former are a lot more informative.)

Brightmail's claim of a 99.9999% accuracy rate with respect to false positives seems at variance with your statistics.  I'd guess this is due to the 'Custom Rules Editor' that lets an ISP modify BM's default filtering - black lists, etc. <g>

I've always considered BM as only the first level for filtering, to be supplemented by POP3 server-side filters and client-side filters for messages actually downloaded (<1%).  What struck me as particularly interesting were several options available to the ISP, e.g.
Modify Header or Subject Line
Add a configurable X-header ... For example, X-spam or X-newsletter.
Enable end-user to create simple client-side filters to handle messages Brightmail has processed.

An X-header with a BM score would be a winner in my book, but how to convince the ITs it's their idea?

Sjur
--
Note: All replies are subject to server-side deletion unless in plain text with a single recipient.
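An illustration of the client-side filtering the post above asks for, as an added example that is not part of the original thread: it assumes the ISP stamps each message with an `X-spam` header holding an integer score from 0 to 100 (the header name comes from the post; the value format, thresholds and sample messages are constructed for illustration). It shows how a user-chosen threshold trades missed spam against false positives.

```python
from email import message_from_string

SCORE_HEADER = "X-spam"  # name from the post; the 0-100 integer value is assumed

def spam_score(raw):
    """Highest valid score found in the message's X-spam headers, or None."""
    msg = message_from_string(raw)
    scores = []
    for value in msg.get_all(SCORE_HEADER, []):  # header lookup is case-insensitive
        try:
            score = int(str(value).strip())
        except ValueError:
            continue  # malformed value: ignore it rather than guess
        if 0 <= score <= 100:
            scores.append(score)
    # A message can carry more than one copy of the header; taking the highest
    # score means an extra low-scored copy cannot pull it into the inbox.
    return max(scores) if scores else None

def route(raw, threshold):
    """Return 'screened' or 'inbox'; unscored mail is delivered normally."""
    score = spam_score(raw)
    return "screened" if score is not None and score >= threshold else "inbox"

# Constructed sample mailbox: (raw message, whether it really is spam).
SAMPLES = [
    ("From: a@example.com\nSubject: Cheap meds\nX-spam: 97\n\nbody\n", True),
    ("From: list@example.org\nSubject: Weekly digest\nX-spam: 62\n\nbody\n", False),
    ("From: b@example.net\nSubject: hi\nX-Spam: 71\n\nbody\n", True),
    ("From: friend@example.com\nSubject: lunch?\n\nbody\n", False),
    ("From: c@example.com\nSubject: offer\nX-spam: 5\nX-spam: 88\n\nbody\n", True),
    ("From: d@example.com\nSubject: re: invoice\nX-spam: n/a\n\nbody\n", False),
]

def tally(threshold):
    """Return (spam screened, spam missed, false positives) for SAMPLES."""
    caught = missed = false_pos = 0
    for raw, is_spam in SAMPLES:
        screened = route(raw, threshold) == "screened"
        if is_spam and screened:
            caught += 1
        elif is_spam:
            missed += 1
        elif screened:
            false_pos += 1
    return caught, missed, false_pos

if __name__ == "__main__":
    for t in (50, 70, 90):
        print(t, tally(t))
```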

-------- Original Message --------

Subject: Re: Brightmail spam filter summary
Date: Mon, 01 Dec 2003 23:18:25 GMT
From: Jay O'Brien <jayobrien@att.net>
Newsgroups: worldnet.users.spam-killer

Sjur,
Actually, my results make Brightmail look worse than it "really" is. The 7 false positives on June 21 were all in a 23 minute period when there was a trouble condition where most mail processed by ATT was identified as spam. And, 4 individual false positives were all from a "questionable" mailing list to which I was subscribed that probably was reported by others as being spam. That leaves only two "real" false positives this year, and one of those was from ebay. If you only count the two "real" false positives out of 34602 spams so far this year, that calculates to a 99.9942% accuracy rate, not at all out of line with what is claimed by Brightmail.

Thanks for weighing in on this issue.

Jay


-------- Original Message --------
Subject: Brightmail spam filter summary for 2003
Date: Thu, 01 Jan 2004 23:00:15 GMT
From: Jay O'Brien <jayobrien@att.net>
Newsgroups: worldnet.suggestions

Many posts complain about the Brightmail spam filter. I've found it to be very effective, and other than the fact that ATT won't share any details with or provide feedback to its customers, I'm quite pleased with the filter. The increase in spam has created a false impression that Brightmail isn't doing its job. That is just not true.

My spam this year has gone from 43 per day in January to 186 per day one week in November, and now it is running 140 per day. Brightmail caught 76.8% of the spam in January; it was over 90% effective in September and in December it caught 78.3% of the spam.

In 2003, 39336 spam messages were sent to this address. Of those, Brightmail placed 32664 of them, or 83%, in the screened mail folder. In 2003 I had to deal with the 6672 spam messages Brightmail missed, and I sent them, one at a time, to the missed-spam address at att.

It takes me 8 seconds per message to send spam properly to missed-spam. That means that I spent 14.8 hours working for Brightmail last year. Now that ATT has made it easy for those customers who use webmail to report the missed spams, I have decided that I'm not going to devote a couple days of my time to this effort in 2004; I'll leave the missed-spam reporting to others. However, I will continue to report missed-spams from another worldnet address that I access exclusively via webmail. I will also continue tallying my experience with Brightmail.

I've posted my results at http://obri.net/att/brightmail.html that back up these numbers. Please see if these numbers track with your experience.

Jay O'Brien

  /end/
