Because the United States is one of the most-connected countries in the world, computers there have historically been the biggest source of spam on the Internet. That doesn’t mean the U.S. is full of spammers, but rather that the United States is comparatively packed with computers, and a significant number of those have been infected with malware and botnets that put them in the control of spammers. Those spammers, of course, can be located anywhere in the world.
However, recent changes to the spam landscape mean the United States is losing its crown as Spam King. Now, India appears to be the country sending the most spam.
Does the change mean the good guys are winning the war on spam? Or are the spammers just getting more devious?
It’s not easy being number one
Identifying where spam comes from might sound simple — just write a program to analyze spam messages you receive and determine the address of the computer that delivered it to you. (It’s in one of those evil-looking Received lines in the headers of every message.) Then, look up who is responsible for that address — most of the time, that’ll tell you the country (and often the general area) of the particular machine that sent a message. Perform that analysis across millions of spam messages and voilà! Instant rankings of spamming countries!
That’s the basic principle behind all summaries of spam activity, but the reality is a little more complicated. Leaving aside issues like VPNs, misconfigured networks, and abused relays that can greatly obscure the true origin of an email message, you have to make sure the spam you’re receiving (and analyzing) is representative of all the spam being sent everywhere in the world, both in terms of type as well as frequency. Otherwise, your analysis doesn’t have any bearing on global spam activity.
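The procedure just described, as an added example that is not part of the original article: parse each message, take the peer address from the Received line that your own mail exchanger wrote, map it to a country, and count. The relay caveat above is built in: only the topmost Received line (the one added by the receiving MTA) is trusted, because every line beneath it was written by the sender and can say anything. The sample messages, the hostname mx.example.net, and the tiny address-to-country table (built on the RFC 5737 documentation ranges as a stand-in for a real GeoIP database) are all constructed for this example.

```python
"""Rank spam sources by the country of the host that delivered each message.

Example code; sample messages, hostnames and the country table are constructed.
"""
import email
from email import policy
import ipaddress
import re
from collections import Counter

# The mail exchanger we operate (constructed name). Only the Received line it
# adds, which is the topmost one, is trustworthy; everything beneath it was
# written by the sending side and may be forged by a spammer or an abused relay.
OUR_MTA = "mx.example.net"

# Stand-in for a GeoIP database. The networks are RFC 5737 documentation ranges,
# so nothing here points at a real host; the country assignments are invented.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "IN"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "RU"),
]

# MTAs record the connecting peer as "from <helo> (<rdns> [<ip>])".
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample messages (headers only matter here). Message 3 carries a
# fabricated lower Received line; message 4 never passed through our MTA.
SAMPLES = [
    "Received: from mail.example.org (mail.example.org [203.0.113.7])\n"
    "\tby mx.example.net with ESMTP id 1\n"
    "From: a@example.org\nSubject: sample 1\n\nconstructed body\n",

    "Received: from host.example.com (host.example.com [198.51.100.23])\n"
    "\tby mx.example.net with ESMTP id 2\n"
    "From: b@example.com\nSubject: sample 2\n\nconstructed body\n",

    "Received: from relay.example.org (relay.example.org [203.0.113.9])\n"
    "\tby mx.example.net with ESMTP id 3\n"
    "Received: from innocent.example (innocent.example [192.0.2.50])\n"
    "\tby relay.example.org with ESMTP id forged\n"
    "From: c@example.org\nSubject: sample 3\n\nconstructed body\n",

    "Received: from other.example (other.example [192.0.2.8])\n"
    "\tby relay.example.org with ESMTP id 4\n"
    "From: d@example.org\nSubject: sample 4\n\nconstructed body\n",
]


def delivering_ip(raw_message):
    """Return the peer IP from the Received line OUR_MTA wrote, else None."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # Headers are prepended as a message travels, so the first one in the
    # file is the last hop. Collapse any folding whitespace before matching.
    top = re.sub(r"\s+", " ", str(received[0]))
    if f"by {OUR_MTA}" not in top:
        return None  # not stamped by us: cannot be attributed reliably
    match = BRACKETED_IP.search(top)
    if not match:
        return None
    try:
        ipaddress.ip_address(match.group(1))  # reject malformed octets
    except ValueError:
        return None
    return match.group(1)


def country_for(ip):
    """Map an address to a country code using the stand-in table."""
    addr = ipaddress.ip_address(ip)
    for network, country in GEO_TABLE:
        if addr in network:
            return country
    return "??"


def rank_countries(raw_messages):
    """Count attributable messages per country, most frequent first."""
    counts = Counter()
    for raw in raw_messages:
        ip = delivering_ip(raw)
        if ip is not None:
            counts[country_for(ip)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for country, count in rank_countries(SAMPLES):
        print(f"{country}: {count}")
```

Message 3 is attributed to the 203.0.113.0/24 host that actually connected to mx.example.net, not to the 192.0.2.50 address named in the lower, sender-supplied line; message 4 is discarded rather than guessed at. A real deployment would replace GEO_TABLE with a GeoIP lookup, but the trust boundary would stay the same.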
It turns out this is no small feat. Different outfits take different approaches to the problem. Some provide security services and products for consumers and businesses, and generate their reports based on the spam their products catch on behalf of their clients. Sometimes their clients are huge, so the services see a lot of spam. Others set up so-called “honeypot” addresses (email addresses designed to do nothing but receive spam) and publish them widely on Web sites, newsgroups, social networking services, and other places to make sure they get into spammers’ databases — then analyze everything they receive. Still other companies operate email services, and base their assessments of spam on what users do (and don’t) report as spam. Others are network or email services operators, and simply watch their own network traffic and make a note when they see a message bearing the characteristics of known spam.
None of these approaches is perfect, so many outfits use a combination of these techniques (and more besides) to try to get a picture of the state of email spam around the world. But there will still be major gaps, thanks to geopolitics and cultural barriers. For instance, thanks to the Great Firewall, no Western security or email firm has much of a notion of the spam situation in China — and China boasts more Internet users than any other country on Earth.
So, it should come as no surprise that the folks trying to track spam almost never fully agree on where spam originates.
Sophos — Security firm Sophos has made a habit of publishing a “dirty dozen” list of the top 12 spam-sending countries, updated four times a year. For January through March 2012, Sophos says India took the top spot, with computers there sending some 9.3 percent of the spam Sophos analyzed. The United States came in second with 8.3 percent, and from there the amounts drop off quickly: South Korea was third with 5.7 percent, and Indonesia and Russia tied for fourth with 5 percent each.
Kaspersky, a security firm based in Russia, comes to somewhat different conclusions — presumably because the ways it’s sourcing spam are different from those used by Sophos. Nonetheless, for March 2012 Kaspersky found India the top source of spam, sending some 12.3 percent of spam messages it analyzed. (Kaspersky also gave India top ranks for January and February 2012.) But there Kaspersky parts company with Sophos, consistently ranking Indonesia as the number-two spam sender, with Brazil, Vietnam, and South Korea consistently ranking above the 5 percent mark. For Kaspersky, the United States isn’t number two: in fact, it never even cracks the top ten.
German email security firm eleven also marks India as the top origin country for spam during March 2012, accounting for 11.7 percent of all spam for the month. But guess what? The United States isn’t number two, and neither is Indonesia. Instead, the Russian Federation ranks number two, accounting for 7.5 percent of all spam. Brazil ranked third with 7.1 percent, and while Indonesia and Vietnam round out the top five, neither of them broke the 5 percent barrier.
Confused yet? SpamRankings, an academically driven project, looks at messages sent by systems listed in a pair of widely used blocklists (one is built from honeypots; the other is more complex, drawing on high-volume mail systems). SpamRankings still has the United States in first place for March 2012, although India was in first place in February. SpamRankings put the United States back on top in March thanks to a surge in spam from a single Web hosting company.
None of this means India has suddenly become a nation of spammers — just that the amount of email spam sent from computers in India now seems to exceed the amount sent by computers in the United States and other countries. To be sure, Indians are victimized by spam just as much as anybody else. And, of course, once a computer is compromised via malware, the spammers controlling the system and using it to distribute messages could be anywhere in the world.
Has there been some sudden upsurge in spam from India? The figures — such as they are — seem to indicate no: The amount of spam originating in India seems to have been relatively consistent for the last several months. However, that steady level now makes India a contender for the top spammer crown, since spam levels in many other major spam source countries have recently declined.
What makes spam levels decline? Kaspersky points to the takedown of the Hlux/Kelihos botnet, which sported a command-and-control infrastructure similar to the successful Waledac botnet. One of Microsoft’s coordinated legal-and-seizure actions was against Waledac in February 2011. There have actually been two Hlux/Kelihos takedowns, one in January 2012 (a sinkhole operation in conjunction with Microsoft) and another just a few weeks ago. One of the operators of the botnet has been identified as a Russian employed by an unnamed antivirus vendor.
Sophos attributes the overall downturn in spam not just to the efforts of security firms and ISPs, but also to new tactics from spammers. Although spammers still rely heavily on email spam, they’re increasingly shifting their efforts to social networking services to distribute marketing spam, as well as links to sites that try to infect visiting computers with malware — often making them unwitting zombie members of botnets. Social-network-spamming techniques don’t even have to rely on false marketing, scareware, or drive-by hijacking techniques: Some social network spammers just use the services to pick up commissions as affiliates — like the 24-year-old who claims to earn $1,000 a day spamming Pinterest.
Spam is getting more dangerous
Although overall spam levels seem to be declining in recent months, there are some shifts in the types of email spam being sent: Malware is on the rise. Many security firms report attempts to infect computers with the Zeus botnet via email are on the rise — this despite Microsoft taking a swipe at the command-and-control structure of one of the major Zeus operations last month. While there’s still plenty of spam for prescription medications (it still seems to account for more than one third of all spam), online casinos, too-good-to-be-true job offers, and all the usual, the proportion of spam made up of malware (often sent as attachments designed to look like innocuous documents, receipts, invoices, or photographs) is on the rise.
Security vendors universally recommend that computer users keep their antivirus and security packages up to date, and be very careful about following links or opening attachments in email messages. Even messages that look like they’re from trusted sources might include malware, thanks to increasingly-sophisticated phishing techniques.
What to expect
Just as security researchers and law enforcement are reacting more quickly to botnets and other forms of malware, spammers are adjusting their tactics too.
Malware infections will continue to be the heart and soul of most spamming operations. After all, without being able to use thousands of computers all over the world to distribute their messages (a technique known as “snowshoeing,” because it spreads the sending load thinly, the way a snowshoe distributes weight), spammers are too easily isolated and shut down. So, spammers are still going to rely on malware to infect computers, take them over, and use them to distribute messages.
However, the speed at which security companies and law enforcement respond to cyberattacks is improving, so spammers are focusing on the quality of their malware attacks (to add zombies to their operations), rather than quantity. Instead of campaigns promoting replica watches or apparel that seem to go on for months (or years!), spammers will rely on sudden, here-then-gone attacks designed to lure users in quickly, infect their machines, then vanish before security operations can fully react. Expect malware spam to increasingly focus on high-profile events (like the upcoming 2012 Summer Olympics in London), holidays (particularly at the end of the year), and messages designed to sound like an emergency in an effort to get users to open an attachment or click a link (fake warnings of suspended accounts, cancelled flights, even police actions). Spammers will also jump on any natural disasters that may occur, including fake messages soliciting donations for relief funds and emergency operations.
These tactics likely mean that spam levels will continue to decline overall — but the remaining spam will be increasingly dangerous.