State of Spam: August Marked By Campaign-Related Mischief

For this monthly analysis, Test Center looked at statistics generated by the Sophos ES1000 e-mail filtering appliance. These messages are not simulated or forwarded from other servers, but real-world mail hitting the lab's mail server. The ES1000 scans approximately 6,000 messages a day. August's mail volume was about 206,651 messages, a 10-percent decline from July's total mail volume.

Looking at the overall mail volume, the Sophos appliance rejected about 91 percent outright based on certain criteria, such as malformed addresses and messages originating from known malicious servers. The remaining nine percent of mail was flagged as spam.

Mail volumes remained fairly constant throughout the month. However, during the third week, there was a peak in the number of blocked connections, a 20 percent increase. There was a bump of about 1,000 more spam messages during this time. The lowest number of blocked connections occurred during the fourth week. Spam volumes dipped by about 500 messages at the same time. For trending purposes, the fluctuation is interesting, but the changes weren't significant enough to reflect any particular spam campaign.

The ES1000 flagged 85 percent of spam that made it into the system as "high" and automatically deleted these messages. About 11 percent were quarantined, which is a higher proportion than in previous months. This may be a direct result of spammers using Google's hosted applications -- Docs, Pages, Calendar -- to host malware and phishing pages. The spam and phish messages often contain links to sites.google.com domains. Test Center noticed a significant number of messages with Google-related URLs in quarantine. We expect this number to rise.

More viruses were sent in August than in July. The Test Center was hit with 4.6 times more viruses in August, with the largest amount -- 32 percent -- sent during the third week. The virus outbreak coincided with the increase in blocked connections. The ES1000 identified and protected against 95 percent of the viruses outright, with the remaining five percent undergoing extra analysis before being discarded. While virus activity dropped somewhat in the fourth week, it did not drop to July levels. In fact, preliminary analysis indicates virus levels climbed back up to near peak by the beginning of September.

What happened during the third week of August? A quick look at the logs indicates there was an increase in U.S. presidential election-related subject lines during this time. Increased media coverage of the vice-presidential picks, the run-up to the Democratic and Republican conventions, and general interest in the elections seem to have driven a lot of the malware attacks, which continued in the final week.

Test Center will be looking at September activity to see whether election-related attacks continue.