
Spam: Previous record toppled

Incredibly, nine out of every 10 e-mail messages sent are spam, and that's a new record. Michael Kassner takes you through the latest statistics.

Every month, Symantec's MessageLabs releases statistics on the state of e-mail spam. In the May 2009 report, MessageLabs had the dubious honor of reporting that the share of e-mail messages containing spam reached an all-time high of 90.4%:

I'm not sure about you, but to me it's hard to grasp that nine out of every ten e-mail messages are unsolicited spam. On a brighter note, the rate of e-mail messages containing virus code has decreased to one in 317:

Also, the rate of e-mail messages containing phishing content is leveling off at one in 279:

Security experts aren't surprised by the last two statistics; they expected them. Users becoming more cognizant of phishing schemes, together with improved e-mail scanning, are forcing the bad guys to find different tactics to ply their trade. Currently, the preferred methods are malicious fake Web sites or compromised legitimate Web sites.

Time of day matters

It may not seem like it, but the time of day you are most likely to get e-mail spam depends on your geographical location. If you live in the United States, you can expect the most spam e-mail between 9 and 10 a.m. local time:

People in Europe can expect a fairly consistent increase in spam throughout the day:

People in the Pacific Rim area will be happy to know that their mailboxes will be full of spam right away in the morning.

At first, I didn't understand the logic behind the sending times. But as I read further, the report offered three possible explanations for the distribution:

  • Spammers are predominantly active during the US working day.
  • Most active spammers are located in the United States.
  • Spammers are timing spam delivery to coincide with the largest on-line audiences.

Here are two more interesting tidbits:

  • Sunday must be a day of rest for spam operators as spam levels drop considerably on that day.
  • Monday and Friday are peak spam activity days.
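As an added example (not part of the article or the MessageLabs report), here is how a mail administrator could reproduce this kind of hour-of-day and day-of-week breakdown over their own quarantined spam. The Date header values are constructed, and the recipient zone is a fixed UTC-4 offset standing in for US Eastern daylight time; on real data one would pass zoneinfo.ZoneInfo("America/New_York") as the tzinfo so that DST changes are handled. The point the report makes is that the sender's UTC offset in each Date header must be converted to the recipient's zone before counting, otherwise the peak hour lands in the wrong bucket.

```python
"""Bucket spam Date headers by the recipient's local hour and weekday.

Added example, not from the article or the MessageLabs report. The report
observes that the busiest spam hour depends on where the recipient is, so each
Date header (which carries the sender's UTC offset) has to be shifted into the
recipient's zone before counting.
"""
from collections import Counter
from datetime import timedelta, timezone, tzinfo
from email.utils import parsedate_to_datetime

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Fixed UTC-4 offset: US Eastern daylight time, valid for May 2009. For real
# data pass zoneinfo.ZoneInfo("America/New_York") so DST changes are handled.
EDT = timezone(timedelta(hours=-4))

# Constructed Date header values (RFC 5322 format); not taken from real spam.
SAMPLE_DATES = [
    "Mon, 18 May 2009 13:05:12 +0000",  # 09:05 Mon in EDT
    "Mon, 18 May 2009 13:40:00 +0000",  # 09:40 Mon
    "Mon, 18 May 2009 10:20:00 -0400",  # 10:20 Mon (already EDT)
    "Tue, 19 May 2009 21:30:00 +0800",  # 09:30 Tue
    "Wed, 20 May 2009 13:15:00 -0000",  # offset unknown; treated as UTC -> 09:15 Wed
    "Sun, 24 May 2009 15:00:00 +0000",  # 11:00 Sun
    "Fri, 22 May 2009 01:10:00 +0100",  # 20:10 Thu, the previous local day
    "not a date at all",                # malformed header; skipped
]


def local_times(date_headers, recipient_tz: tzinfo):
    """Parse each Date header and shift it into the recipient's zone."""
    out = []
    for raw in date_headers:
        try:
            dt = parsedate_to_datetime(raw)
        except (TypeError, ValueError):
            continue  # malformed Date: skip rather than abort the whole run
        if dt is None:
            continue  # older Pythons return None instead of raising
        if dt.tzinfo is None:
            # "-0000" means the sender gave no usable offset; parsedate_to_datetime
            # then returns a naive datetime, which we interpret as UTC.
            dt = dt.replace(tzinfo=timezone.utc)
        out.append(dt.astimezone(recipient_tz))
    return out


def spam_by_hour(date_headers, recipient_tz):
    """Count messages per local hour (0-23)."""
    return Counter(dt.hour for dt in local_times(date_headers, recipient_tz))


def spam_by_weekday(date_headers, recipient_tz):
    """Count messages per local weekday name."""
    return Counter(WEEKDAYS[dt.weekday()]
                   for dt in local_times(date_headers, recipient_tz))


def busiest_hour(date_headers, recipient_tz):
    """Return the local hour with the most spam, or None if nothing parsed."""
    counts = spam_by_hour(date_headers, recipient_tz)
    return max(counts, key=counts.get) if counts else None


if __name__ == "__main__":
    for hour, n in sorted(spam_by_hour(SAMPLE_DATES, EDT).items()):
        print(f"{hour:02d}:00  {'#' * n}")
    print(dict(spam_by_weekday(SAMPLE_DATES, EDT)))
```

Feeding the same Date headers with a Europe or Pacific Rim zone instead of EDT moves the peak bucket, which is exactly the per-region effect the report describes; a weekday breakdown over a month of quarantine will also show whether the Sunday dip holds for your own mail flow.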

Europe tops the list

The battle for top honors in spam origination is a close race, with Europe taking the top slot in May:

  1. 31.6% from Europe
  2. 27.8% from Asia
  3. 21.4% from South America
  4. 13.4% from North America

Deciding first place is becoming increasingly difficult as 60% of all spam is sent from botnets. Since botnet members are more or less evenly distributed around the world, the spam origination statistic is beginning to lose significance.

Top spamming botnet

What may be more relevant is the amount of spam sent by each botnet:

  1. 18.2% from Donbot
  2. 16.1% from Rustock
  3. 8.6% from Cutwail
  4. 6.3% from Bagle

The report goes on to state that a significant amount of spam (40%) is being sent out by smaller and relatively unknown botnets. Also, the people controlling these botnets seem to prefer using stolen Web-based e-mail accounts like Gmail for sending spam.

One explanation is that stolen Gmail accounts allow botmasters to apply spear-phishing and social-engineering techniques to specifically targeted organizations or individuals, which usually increases the success rate. Using Web-based e-mail accounts also increases the likelihood of reaching the intended victim, since most administrators don't filter e-mail emanating from sources like Gmail.

Final thoughts

I know a lot of high-powered groups are working on the spam problem, but these reports show little if any progress on their part. Every day, I check spam filters for several clients and it's amazing. For example, a spam filter for one client (only 20 users) captures over 5000 spam e-mails each day. What's going to happen when legitimate e-mail messages are only a fraction of a percent of the total sent?

I hope the experts figure something out soon, as this kind of growth can't continue much longer. Finally, I'd like to thank MessageLabs for their help in supplying the statistics and graphs.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

146 comments
Jaqui

two of the following, in two different accounts. [ yes, reported them. ]

Subject: Account Alert
From: "paypal@70083.com"
Date: Sun, 14 Jun 2009 06:44:04 +0300
To:
X-Account-Key: account2
X-UIDL: UID578-1203266671
X-Mozilla-Status: 1001
X-Mozilla-Status2: 00000000
Return-path:
Envelope-to: ********
Delivery-date: Sat, 13 Jun 2009 22:57:38 -0400
Received: from [61.50.229.98] (helo=mail.pinggu.net) by source3.sourcedns1.com with smtp (Exim 4.69) (envelope-from ) id 1MFfuX-0005Od-4f for ********; Sat, 13 Jun 2009 22:57:38 -0400
Received: from [74.7.224.162]; Sun, 14 Jun 2009 10:29:35 +0800
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--YLDAXD65561"
X-Spam-Status: No, score=0.1
X-Spam-Score: 1
X-Spam-Bar: /
X-Spam-Flag: NO

Dear Paypal Member, We recently noticed one or more attempts to log in to your PayPal account from a foreign IP address. If you recently accessed your account while traveling or ISP has dynamic IP address, the unusual log in attempts may have been initiated by you. Please visit PayPal as soon as possible to verify your identity: http://CPE-121-208-84-144.qld.bigpond.net.au Verifying your information is a security measure that will ensure that you are the only person with access to the account. Thanks for your patience as we work together to protect your account. Sincerely, PayPal

----------------------------------------------------------------
Please do not reply to this email. This mailbox is not monitored and you will not receive a response. For assistance, log in to your PayPal account and click the Help link located in the top right corner of any PayPal page.
----------------------------------------------------------------
PayPal Email ID PP643

edit to corrupt link enough to remove id tag

Michael Kassner

I'll keep that in mind as I'm researching a phishing article.

JCitizen

They seem to appreciate my honeypot as cannon fodder! HA! They make enough errors for me to learn a lot about malware too! I think I drive some of them crazy, because I want to defeat the malware instead of just wipe and reinstall. But I let them have the service for free, if I can find out something about how the bug works. Of course I wipe and reinstall anyway, after I'm done, just for security's sake. Some folks don't care, however, as they never enter personally identifiable information on the keyboard or otherwise. For those folks I leave it repaired, as that is the quickest, easiest way, compared to wiping and recovering from backup. The biggest problem lately has been recovering from IE 8!!! Almost worse than the malware if not installed properly. ]:(

Michael Kassner

I'm on it J and Santee. I've been delaying it a bit to make sure I understand all of the details.

santeewelding

Shutting up. You...I use you to probe on ahead, and catch the rounds meant otherwise for me.

JCitizen

explanations in that article. I can't make anything out of mine. I realize they are probably coming from an address that is undeliverable inside an ISP; but I'm beginning to think ALL the information in my headers is bogus! No wonder they blow right through Postini's filters! They can't even filter (no subject line) emails!!! Outhook's filters are totally worthless, but I haven't tested the new updates to it yet, so maybe I should shut up!?

Michael Kassner

I think these scams are still doing very well, otherwise the phishers would resort to something different. Second, this exploit would be a great deal more effective if the phishers would offer it in two parts. 1. Ask the victim if they indeed accessed their account. 2. If the phishers receive a no response, then ask the victim to check out their account information. I suspect it may be the next step in phishing via e-mail.

Jaqui

Paypal already sent a response after I forwarded the message to them, confirming it's a scam, and thanking me for reporting it. The scammers love to use paypal for their schemes, and paypal has made sure it is easy to spot the scams by not including links in their messages. Paypal chases them down as best they can to stop them.

Jaqui

neither email address that got the phishing email is part of a paypal account. :D I have two email addresses registered with paypal, and those ones never get spammed for paypal accounts.

Deadly Ernest

I don't really care as every UPS office is a whole Pacific Ocean away from me, or more.

JCitizen

It seems - the last few weeks, doesn't it! :) Please don't let us wear you out though - one subject at a time is enough!

Michael Kassner

Ernest mentioned one and there are many others. I seem to remember you asking me to write an article about this before and now again. I'm on it this time J. It's a difficult topic and ever-changing, but I'll give it a go.

Deadly Ernest

put the same email address in as both recipient and sender, that way a bounce also ends up at the same place.

JCitizen

I have Outlook 2003 set to show headers. I can't make heads or tails out of them. It looks like they have figured out how to obfuscate them, completely. Maybe my ISP is using an obsolete version of Exchange Server or something. I get emails with MY ADDRESS in the header, which is impossible of course. Maybe I should call the ISP and make sure they aren't using my account as a spam server! Since it isn't being sent from me, my computer would have no "sent" record of such activity. But, this I doubt, as I would have literally thousands of address undeliverable emails in my inbox.

Jaqui

what makes paypal spam so problematical though, most people do have an account with them. You can't just ignore one if you have an account, the phishing emails like I got actually do look like the emails paypal sends. You have to check the headers to make sure it is from paypal. Not to forget, paypal never includes a link, they always tell you to log into your paypal account if there is anything you need to do there, but will not provide a link, so you know it is actually paypal you are going to when you go to log in.
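Several comments in this thread come down to reading the headers by hand: where the Received chain says the message entered the mail system, whether the From line matches the envelope sender, and whether the link in the body points at the domain the mail claims to be from. The following is an added example, not code from the thread or from any of the products mentioned, that automates those three checks with Python's standard email parser. Both sample messages are constructed (hostnames use reserved example names and IPs come from the RFC 5737 documentation ranges); the registrable-domain helper is a deliberate simplification of what a real filter would do with the Public Suffix List.

```python
"""Trace a message's hop chain and check its links against the claimed sender.

Added example, not from the thread. It automates checks the comments describe
by hand: reading the Received headers to see where a message entered the mail
system, comparing the envelope sender with the From header, and comparing the
domain of any link in the body with the domain the From header claims.
All sample data is constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed phishing-style sample: claimed sender, mail path and link target
# all disagree, the same pattern as the message posted earlier in this thread.
PHISH = b"""Return-path: <bounce@mailer.example.org>
Received: from [192.0.2.44] (helo=mx.relay.example.org) by inbound.victim.example with smtp (Exim 4.69) id 1AAAAA-000000-00 for user@victim.example; Sat, 13 Jun 2009 22:57:38 -0400
Received: from [203.0.113.9]; Sun, 14 Jun 2009 10:29:35 +0800
From: "Account Services" <service@bank.example>
To: user@victim.example
Subject: Account Alert
Date: Sun, 14 Jun 2009 06:44:04 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Dear Member,
Please visit http://host-198-51-100-7.isp.example/login to verify your identity.
"""

# Constructed legitimate-looking sample: envelope, From and link all agree.
LEGIT = b"""Return-path: <noreply@bank.example>
Received: from [192.0.2.10] (helo=mail.bank.example) by inbound.victim.example with esmtps id 1BBBBB-000000-00 for user@victim.example; Mon, 15 Jun 2009 09:00:00 -0400
From: "Bank" <noreply@bank.example>
To: user@victim.example
Subject: Statement ready
Content-Type: text/plain; charset=us-ascii

Your statement is available at https://secure.bank.example/statements.
"""


def parse(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def hop_chain(msg):
    """IPs from the Received headers in origin-to-destination order.

    Each relay prepends its own Received line, so the header nearest the top
    is the final hop; reversing gives the path the message took. Only the
    lines added by your own servers are trustworthy; anything below them was
    written by whoever handed the message over and can be fabricated.
    """
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(str(hdr))
        hops.append(m.group(1) if m else None)
    return hops


def _domain(addr_header):
    """Domain part of an address header (From, Return-path), lower-cased."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def registrable(host):
    """Last two labels: a crude stand-in for a Public Suffix List lookup."""
    return ".".join(host.lower().split(".")[-2:])


def link_hosts(msg):
    """Hostnames of every http(s) URL in the preferred body part."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return [h.lower() for h in URL_HOST_RE.findall(text)]


def analyze(raw: bytes):
    """Summarise the origin, sender consistency and link targets of one message."""
    msg = parse(raw)
    from_domain = _domain(msg.get("From"))
    return_path = _domain(msg.get("Return-path"))
    hops = hop_chain(msg)
    links = link_hosts(msg)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path,
        "envelope_mismatch": registrable(return_path) != registrable(from_domain),
        "origin_ip": hops[0] if hops else None,
        "hops": hops,
        "links": links,
        "offsite_links": [h for h in links
                          if registrable(h) != registrable(from_domain)],
    }


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw))
```

The From header is free text that the sender chooses, which is why the check never trusts it on its own but compares it with the envelope sender and with where the links lead; seeing your own address in From, as one commenter reports, is the ordinary case of that field being spoofed. The hop list is only as good as the Received lines your own servers added, so in practice a filter records the IP of the first untrusted hop and looks that up, rather than believing the earlier lines.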

Deadly Ernest

it is all part of a major conspiracy. I want you to think about a couple of points:
1. Ten years ago spam was a minor irritation if anything.
2. Most of the vulnerabilities exploited to make a botnet have been known about for several years or longer, yet the new versions of MS Windows and other MS applications keep coming out with a lot of these old holes still accessible and vulnerable.
3. The level of spam, virus attacks, and Trojans has been growing steadily for several years.
4. About ten years ago Wintel and a few others put together the concept of Trusted Computing whereby the more computers locked in with a vendor the more they were deemed safe to deal with.
4.a. The Trusted Computing idea got generally trashed by the IT community.
5. Several years ago the Trusted Computing Group came up with an updated version called Palladium which was to basically create a way to have EVERY transmission from a system carry an ID marker so you can quickly identify who it came from. A centralised register would tell you who sent it. The system would be set up NOT to accept transmissions from non trusted computers. A bit more info is available at: http://en.wikipedia.org/wiki/Palladium_(computing) This system would automatically cull all spam and malicious code out of the system, and also immediately properly identify any system that is used for such. It would also heavily lock users into vendors.
5.a. Palladium got trashed by the IT community too.
Since Palladium got kicked there's been a real growth in the amount of spam and malicious code hitting systems, especially Windows systems. Hmm. Now the real question is: If the industry keeps rejecting the concepts put forward by MS and Intel to kill spam and malware by refusing to lock in with them through Trusted Computing, what incentive have they got to do anything about reducing spam and malware as the more people get annoyed with it, the more likely they may go to a vendor lock in solution to stop it?
(cue Twilight Zone theme music)

Michael Kassner

1. Ten years ago spam was a minor irritation if anything.
..I'd suggest the increase is due in large part to the exponential increase in Internet users, especially in third world countries, and the ability to have a viable business plan and RoI. There are many Cisco and SAN reports that point out how successful spam is.
2. Most of the vulnerabilities exploited to make a botnet have been known about for several years or longer, yet the new versions of MS Windows and other MS applications keep coming out with a lot of these old holes still accessible and vulnerable.
..This I disagree with, malcode developers are always ahead of MS in this regard, all you have to do is think about Conficker.
3. The level of spam, virus attacks, and Trojans has been growing steadily for several years.
..See point one. There is money to be made and that drives the business.
4.a. The Trusted Computing idea got generally trashed by the IT community.
..Which it should have. It was a bad idea, locking in systems to a proprietary technology. If you want to debate that issue, I'd gladly oblige. As a security advocate, security is never achieved in that method. Ask Chad.
http://en.wikipedia.org/wiki/Palladium_(computing)
..Bad link, it goes to the element Palladium, and Palladium is now referred to as Next-Generation Secure Computing Base: http://en.wikipedia.org/wiki/Next-Generation_Secure_Computing_Base
5.a. Palladium got trashed by the IT community too.
..I also would question where this would have anything to do with spam, malware being introduced to the OS sure, but spam wouldn't be affected.
Now the real question is: If the industry keeps rejecting the concepts put forward by MS and Intel to kill spam and malware by refusing to lock in with them through Trusted Computing, what incentive have they got to do anything about reducing spam and malware as the more people get annoyed with it, the more likely they may go to a vendor lock in solution to stop it?
..Saying that the IT community is at fault is grossly over-simplifying the problem and absolutely wrong IMO. I again fail to see where any of this focused on any individual group. The technology behind e-mail is a standard and that's where the problem needs to be resolved.

Deadly Ernest

looking from different angles. I'm against Trusted Computing - I don't know why that link didn't come across right as I copied the url. Anyway, I do NOT blame the IT community. During the beta testing of each new version of Windows the first patches usually seem to be for old and known vulnerabilities. It's as if MS aren't that interested in cleaning up the kernel and fixing those problem areas properly and permanently. The real worry is the number of the vulnerabilities that are there because they're designed to be by MS as they're more concerned with enabling their applications to work better with the OS instead of securing the kernel and the system properly. We know MS is a big power behind the TCG and want TC, they are also introducing some of the TC aspects by stealth. The more people get upset with spam and virus attacks the more they feel TC is a good idea. It seems to me that MS has no interest in doing much to kill spam and do that much against virus attacks as it leads towards their wanted TC and vendor lock in. Hence the comments about conspiracy etc.

JCitizen

Very interesting discussion! =)

Michael Kassner

Us a bit. I tend to agree with your assessment. Yet I will give MS some slack as they are trying (probably too hard) to prevent older OSs and applications from breaking and many security experts say that's a large part of their problem. It's a tough issue, ease of use will always fly in the face of security. Thanks for the interesting thoughts, I appreciate this sort of dialogue very much.

CG IT

Palladium was a great idea but everyone saw it as a ploy to lock in the world wide market to Microsoft products. Open source proponents saw it as the death knell for them. Still it was a great idea.

Deadly Ernest

but the way the Trusted Computing Group wanted to go about implementing it meant people would buy a computer and then be locked into the TCG and TCG would have total control of the computer, not the owner. The TCG even rejected outright the concept of an owner override for the system. That is, they refused the right of the owner to turn the system off when they wanted to - excuse me!! Parts of the deal were a process like WGA, on-line validation, a central point to register all software and get all updates for all software from it - any suspected pirates or dual registered licences would be auto cancelled by the system. It also included auto encryption of data on the hard drive, whether you wanted it or not. It made big brother look like a dead aunt. The TCG is based on the concept the people who sell the software own the computer, regardless of who buys the hardware. And they wondered why so many professionals and groups pounced on it and spoke against it. They haven't given up on it at all, but are trying to introduce it by stealth and in increments.

Deadly Ernest

Most of the spam has a valid contact email address for you to purchase from them. If we can get a lot of people to start a mailing list with those email addresses in it and put them on our own email black list. Then every time we get a spam we send it on to everyone on the spam mail list without the FWD. After we get enough people involved they'll be getting heaps of their own spam and other spam, and will eventually get the message it's not a good way to do business. Once they stop paying the spam botnet managers the botnets should close down. edit to add - the system will auto improve as spam reduces.

Michael Kassner

First, in most cases the valid e-mail address is pointed to a subverted computer that's acting as a mail forwarder. I bet they'll have filters on it that will only allow acceptable e-mail through. Second, the black list method is already in place, as it's what the spam filter services use.

Deadly Ernest

how does the spam company mail system identify what is acceptable mail?

Deadly Ernest

do not have such a field or anything, just the email address to contact them to place orders etc.

Michael Kassner

They can have a field that has to be intentionally filled in by the customer and would be the focus of the filter.

Deadly Ernest

exactly how much is spam and how much isn't. My actual spam received is about 2%, but about 70% of my mail is mailing lists like my TR Alerts and such. I wonder if they are miscounting mailing lists as a common way to ID spam is the number of recipients addressed to. I also find the origin information interesting as about 80% of the spam I do get is about buying Viagra and the like from Canadian chemist sites.

CG IT

With the GFI program I'm deploying, there are many different filters and the reporting separates out what is being filtered by what filter. Example, the company I just installed the spam filtering software, 80% were filtered by the phishing filter, 10% by spam listing, blacklists, dynamic IPs, and other filters make up the rest. So the dashboard displays what type of filter is filtering the spam, how much it's filtering, when it comes in and who it's addressed to.

Michael Kassner

If you notice, the report broke it out in those categories as well. I'm sure the sensors used by the big AV concerns have exact information as to what's being sent by what botnet at any given time and they can preload the filters with that exact information.

BALTHOR

It's a computer.

Michael Kassner

As you haven't visited my articles for awhile. I thought I was doing something wrong.

JCitizen

health concerns sometimes get in the way. I was stuck in the hospital for two months a year or so ago. I was so stupid, as the hospital had wifi and I didn't even think to ask my buds to bring me a laptop!! :(

JCitizen

Yes, I'm doing better now that I'm back to my desert habitat and exercising regularly. Who knows; maybe I can get off disability!! My pursuits of interest seem to improve my health daily; can't get enough outdoor activity, and the weapons research keeps me going! Getting too hot for that now, however!

Michael Kassner

That's a long time. I had heart bypass and they kicked me out after 5 days.

CG IT

emails considered spam. This is using GFI's Mail Essentials for Exchange. Remarkable amount of emails in a short period of time. Using GFI's monitor feature, I can actually watch the spam being intercepted and can't scroll the list fast enough. The one driving force of spam that has never been addressed is the companies that pay the spammers to send spam. Further, no one collects statistics on the amount of spam that actually reaches a user's mailbox. I for one believe that once the companies that pay for spam realize that the money they spend on the advertising that spam is, is being wasted, e.g. only 1 in an estimated 100,000 spam messages actually reach a mailbox, they will stop paying spammers to send out spam. Just not good business sense to waste the $$ on ineffectual advertising.

Deadly Ernest

possible to take action against the companies that are being promoted via spam. Say have the company's ISP close down their connection. One thing I did hear about someone doing, is they got so fed up with one Canadian chemist site's spam wanting to sell her Viagra she organised for a lot of friends to run a script that kept sending the same request for information email to the site at the same time GMT. Being a college teacher, and many of her friends are too, she and they also asked the students to help. As near as we can tell about four thousand people sent their emails all at once, each from a different email address, and each had the address of the company on their spam blacklist so the reply will get dumped. I often wonder if that caused their mail system to have a hiccup and how many actual staff person hours were wasted in answering them. All for no sales.

JCitizen

and so is the effort. They sure don't spend any money publishing as those emails are just turkey scratches!

Michael Kassner

If it's run over a botnet.

Michael Kassner

It seems that botnets are going to be the problem for the foreseeable future. They are so versatile, I should have expected that.

JCitizen

that is why I keep recommending TechRepublic for reading! And of course I point a lot of folks on other forums here and to your articles, every chance I get.

Michael Kassner

Either case it's just once and the botnet effort is pretty much automated.

JCitizen

in man hours. Which is very small. I suppose advertising thru a bot-net is pretty cheap. Of course that matters less if the "advertiser" just wants to steal instead of sell.

santeewelding

Speaks to the ineffectuality of the defects running the defective businesses.

Michael Kassner

Are ineffective, where does that leave the defective business.

Michael Kassner

It's an example, but I readily agree with it. I even suspect that it's cheaper than that, as a single botnet can deliver over 7 billion e-mail spam messages a day easily.

Deadly Ernest

response, that's still 1,000 sales at $0.10 cents per sale advertising costs - it's all part of the advertising numbers game.

santeewelding

...as far as I am concerned. And, I am concerned many, many times a day. I run a business. I am dimly aware of what it takes to run a business. I am acutely aware of what it takes to interfere with my conduct of business. Marketing interferes with my conduct of business (let me count the ways!). They who market -- "market" = "debt" -- are dead meat. I rely on credit, as in "credibility". Does that, sir, answer your question?

Michael Kassner

How many users? I also think that would be a great statistic to follow. I wonder if the bad guys are already and it's still a good RoI? Or maybe they correlate actual sales to amount of spam sent. Interesting thought. Thanks for bringing it up.

CG IT

16 total users and their spam amount was 5700 emails in 1.5 hours. Before I came in, they didn't have any antispam filtering on their Exchange server. We first tried Policy Patrol but for some reason that caused a block in the inbound and outbound queues. At one point there were 76,000 emails in the queue waiting for directory lookup so we went with GFI. With GFI Mail Essentials we didn't get the problem of emails getting clogged in the queue. They either were processed successfully or marked as spam and dropped. Needless to say, they have [hopefully had] a terrible spam problem.

Michael Kassner

I suspect you may have the record for organizations with under 20 users. I looked at GFI, but decided to filter before the Exchange server. I can't remember why that was important at the time. Is the per user fee a one-time charge?
