The Geography of Spam

Thought folks might find this blurb from Sophos on the geography of Spam interesting. 30% of Spam, they report, comes from hijacked PCs. Matches pretty close to what we see across our network - i.e. all sorts of stuff from swbell.net

o U.S. Routes More Spam than World Combined, Study Shows

Paris -- Intentionally or not, the U.S. routes more spam e-mail traffic
than the rest of the world combined, according to a new study by
anti-virus firm Sophos. The study concludes that most of the unsolicited
junk e-mails originate in Russia and then pass through hacked computers
in the U.S. "More than 30% of the world's spam is sent from these
compromised computers, underlining the need for a coordinated approach to
spam and viruses," said Charles Cousins, Sophos' Asia managing director.
The U.S. accounts for a whopping 56% of the global spam pie, followed by
Canada with 6.8%. Europe did not fare very well in the report either, with
the Netherlands (5th), Germany (7th), France (8th), the U.K. (9th) and
Spain (12th) all making the list.
http://www.sophos.com/spaminfo/articles/dirtydozen.html

I guess I can say that I can somewhat agree with what they are saying, but
the percentage seems to be a bit lower than what I would have said. With the
recent round of viruses that seem to be designed to help spammers hijack end
user machines, I'd say the percentage is more towards 45-50%. Sometimes it's
very hard to tell the difference between an open proxy and a drone running an
open proxy (take the AHBL's proxy list, which is over 410,000 proxies listed,
and our infected/hijacked machine count comes nowhere near that).

Part of the reason why a lot of the spam comes from outside of the US is
because US spammers need to hide their actual locations in order to avoid
getting snared by CAN-SPAM and similar. This is why Ralsky bases his spamming
campaigns out of China, where the laws are more relaxed in terms of this
stuff, and is less likely to get yanked off of his net connection. This is
also why spammers have 'fronts'. :)

[snip]

Somehow it seems like when you take into account the number of PCs on high speed connections, these numbers make a lot of sense. The US has a large population of these PCs so yeah, duh, the US leads in compromised hosts.

IMO, what would be a really useful "report" or "study" is to expose the companies that are actually making money from "spam" advertising. If it didn't work, these companies would hire firms to spam. Follow the money. Where does it go? How can legal avenues be used to make spam as expensive as direct mail or telemarketing? (lawsuits, criminal prosecution, ?)

IMO

Michael
(speaking only for myself, ignore my @domain)

Well, the report "Broadband Internet Access in OECD Countries" shows that in 2002 only 36% of all broadband internet users were in the US. That's a greater proportion than any other single country, but according to that report most broadband subscribers are not in the US.

http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-239660A2.pdf

The quoted report said "the U.S. routes more spam e-mail traffic than the rest of the world combined", not "... than any other single country".

So it appears there might be other forces at work than simply "more broadband users".

Joe

> Somehow it seems like when you take into account the number of PCs on
> high speed connections, these numbers make a lot of sense. The US has
> a large population of these PCs so yeah, duh, the US leads in
> compromised hosts.

> Well, the report "Broadband Internet Access in OECD Countries" shows
> that in 2002 only 36% of all broadband internet users were in the US.
> That's a greater proportion than any other single country, but
> according to that report most broadband subscribers are not in the US.

Correct, so spam sources outside the US will continue to increase.

> The quoted report said "the U.S. routes more spam e-mail traffic than
> the rest of the world combined", not "... than any other single
> country".

Also correct. My own sources (including @sophos) actually tell me the
report of 30% from zombies is an understatement; it's likely to be over 50% now
and still growing - a typical setup for a spammer (who is actually quite
likely to be from the US) involves getting a dedicated server offshore, such as
China, Korea, Russia, Brazil; then getting/buying an initial set of zombies
where some are thereafter used to scan for vulnerable hosts and infect
them and most are set up to spew (or act as a proxy for their offshore
server that actually does the sending of) spam.

> So it appears there might be other forces at work than simply "more
> broadband users".

There are still some spammers sending directly (that are trying to operate
within the law, provide postal opt-out - usually in Florida, etc).

Additional reasons for the higher percentage in the US that I can think of:
1. The number of IPs assigned to the US is quite a bit higher in percentage than what
is assigned to the rest of the world. If somebody is scanning to find vulnerable
hosts across the entire net, their chance of finding a US IP is quite high.
2. In the US every DSL line would have its own IP, sometimes more than one,
but in foreign countries, availability of IPs to ISPs is still smaller
than in the US and some still use NAT and other means.
3. Outside the US fewer people (as a percentage of the total population in
some country) have access to broadband and as such those who do are more
advanced in their computer skills and better educated (and know not to open
attachments from unknown sources), whereas in the US the number of "dumb" users
is higher just because broadband has penetrated the population en masse.
4. Some countries with a high number of broadband users (such as Korea) are
bad as a source for email spam because of previous experience of them not
dealing quickly with abuse reports - those countries are simply blocked.
5. Because most targets for spammers are in the US, if a spammer has a choice between
US and foreign proxies some may choose US because it will work better (some
others may on the other hand choose offshore as it's less likely to be traced
to him, but usually with the server already offshore they don't care that much).

There are probably other reasons I could not immediately think of, but as
the broadband penetration boom in the US slows down and in other countries it's just
picking up, the percentage of spam from US zombies will slowly go down.