Test Center April Spam Report: 'Headline' Phishing Still Strong
In terms of spam activity, there was a significant spike -- almost double the mail volume -- toward the end of the month. Mail volume declined gradually to its monthly low of about 51,639 messages during the second week, then climbed to a peak of 102,003 during the last week of the month. The difference in mail volume is entirely spam, since legitimate mail was always less than 2 percent of total mail received.
For this analysis, Test Center looked at the reports and statistics generated by the various appliances we've already tested. The appliances filtered production mail, so the spam volumes and composition are close to real-world conditions. The mail server was not seeded intentionally to receive spam, nor is it a honeypot. The reports contained daily, weekly, and monthly statistics on the types of spam, viruses, and mail spoofs found. Some of the appliances also logged every incoming message, whether it was rejected, quarantined, or delivered, letting reviewers see every message without it reaching the Inbox.
Spam is truly international. Spammers often send mail through a spam relay -- a third-party mail server, proxy server, or a botnet -- in order to hide the address of the source of the mail. The ten most frequently seen spam relays for April generated about 6,000 messages, or a little over 2 percent of the total mail volume that month. While the volume is negligible, a pattern was visible: four of the top ten were in the United States, followed by one each in the United Kingdom, Germany, Denmark, Canada, Brazil, and Israel. Someone should tell Halliburton that one of its mail relays in Houston, TX is on the top-10 list.
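As an added illustration (not code from the article or from any of the appliances reviewed), the script below reproduces the kind of aggregation behind the figures above -- weekly volume, the legitimate-mail share, the outright-rejection share, and the top relays' share of total volume -- from constructed gateway log lines; the log format and sample values are assumptions, not any vendor's real format.

```python
"""Aggregate a month of gateway verdict logs the way a monthly spam report does.
Constructed sample data; the line format (date, relay IP, verdict, class) is an assumption."""
from collections import Counter
from datetime import date

# Constructed log lines: ISO date, relaying IP, appliance verdict, message class.
SAMPLE_LOG = """\
2008-04-01 192.0.2.10 reject spam
2008-04-01 198.51.100.5 deliver ham
2008-04-08 192.0.2.10 reject spam
2008-04-09 203.0.113.7 quarantine spam
2008-04-16 192.0.2.10 reject spam
2008-04-22 192.0.2.10 reject spam
2008-04-23 203.0.113.7 reject spam
2008-04-24 198.51.100.5 deliver ham
2008-04-29 192.0.2.10 reject spam
2008-04-29 203.0.113.7 reject spam
"""

def parse(log):
    """Turn log text into (date, relay, verdict, class) tuples; blank lines are skipped."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        day, relay, verdict, cls = line.split()
        rows.append((date.fromisoformat(day), relay, verdict, cls))
    return rows

def weekly_volume(rows):
    """Message count per week of the month (days 1-7 are week 1, and so on)."""
    return Counter((r[0].day - 1) // 7 + 1 for r in rows)

def legit_share(rows):
    """Percentage of all mail classified as legitimate (the report puts it under 2 percent)."""
    return 100.0 * sum(1 for r in rows if r[3] == "ham") / len(rows)

def rejected_share(rows):
    """Percentage of all mail rejected outright, regardless of why."""
    return 100.0 * sum(1 for r in rows if r[2] == "reject") / len(rows)

def top_relays(rows, n=10):
    """Top-n spam relays as (ip, count, percent of total mail volume)."""
    spam = Counter(r[1] for r in rows if r[3] == "spam")
    return [(ip, c, round(100.0 * c / len(rows), 1)) for ip, c in spam.most_common(n)]

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(dict(weekly_volume(rows)), legit_share(rows), rejected_share(rows), top_relays(rows))
```

A real relay table would key on the connecting IP from the MTA log rather than any header, since headers are under the sender's control.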
Similarly, a look at virus relays -- mail relays being used to send viruses -- indicated that the biggest culprits were in Japan, Italy, and China. Russia, the oft-mentioned origin of malware, had only one low-volume virus relay this month. But that only means one relay was passing viruses through; there are other delivery mechanisms.
A better idea of the global threat came from the world map generated by the eSoft ThreatWall 250. The "ThreatMap" shows pushpins on countries the appliance has associated with spam during the time period. Only a handful of countries and regions lacked pushpins: parts of sub-Saharan Africa (including Nigeria, Niger, Ethiopia, Chad, and Sudan), Mongolia, and Papua New Guinea. For the month of April, the bulk of the mail came from China, followed by the Russian Federation, the United States, and the United Kingdom. Brazil, Italy, Turkey, the Republic of Korea, Poland, and Thailand rounded out the top ten. The ThreatMap based on Test Center mail traffic is similar to the map generated from eSoft's global data: the same countries were on the list, but in a different order.
The bulk of messages, about 90 percent, were rejected outright, for a variety of reasons, such as unknown recipients or verdicts from the analysis performed by eSoft's Distributed Intelligence Architecture. The relays most commonly rejected by the systems were in Europe -- including Poland, Estonia, and Austria -- followed by Asia -- with Thailand, Hong Kong, Turkey, Japan, and Vietnam. Algeria and Egypt were also on the list. Invalid SPF records or DomainKeys would also be grounds for rejection.
While spam traffic peaked in volume only toward the end of the month, the reverse was the case for virus traffic. The number of viruses hitting the system was constant for the first three weeks, then dipped about 25 percent during the last week. The most common viruses seen in April were Mal/Behav-112, Mal/frame-E, and W32/Netsky-P. W32/MyDoom-O was prominent during the first two weeks, but was no longer a major threat by the end of the month. Along with virus attacks, many of the attachments also carried phishing-related viruses.
It's one thing to know where they're coming from, but what kind of messages are they? The most common messages were still sex-related or finance-related. However, there was a significant portion of foreign-language spam, with subject lines including text in Hebrew, Japanese, and Russian script. During the days the Olympic torch relay passed through London, Paris, and San Francisco, there were many messages pretending to be news reports, as well as a spike in Obama- and Clinton-related messages just before the Pennsylvania primary. There was clearly a link between significant news events and spam subject lines.
Test Center will continue analyzing mail traffic and threats in the coming weeks in search of more patterns or trends. Published reports from vendors such as Symantec have indicated there was a decline in certain virus activity since March, but Test Center data did not go far enough back to see the decline. It will be interesting to see how May fares in comparison.