|
In my department, we block about 92% of our total email (around 2.5 billion per day) at the network edge without accepting the message. When we do that, we don’t see any traffic from that IP anymore and don’t keep stats on it due to the overwhelming volume of mail. However, we do keep stats on mail that we block with our content filter.
I decided to go and calculate how much spam we receive from each country by mapping the source IP back to its source country. The results are below:
Rank Country % of all spam ---------------------------------------------- 1 United States 30.95% 2 China 10.37% 3 South Korea 9.53% 4 Brazil 4.71% 5 Argentina 2.47% 6 Russia 2.47% 7 Spain 2.17% 8 Great Britain 2.13% 9 Poland 1.93% 10 Japan 1.88% 11 Canada 1.77% 12 Romania 1.72% 13 Czech Republic 1.51% 14 India 1.48% 15 Italy 1.44% 16 France 1.36% 17 Germany 1.29% 18 Turkey 1.23% 19 Chile 1.02% 20 Australia 1.01%
If you were to look at this chart, you’d probably say “Hey, that tells us what we already know. The United States is the spammiest country in the world, followed by China. That Brazil, Argentina and Russia are on there comes as no surprise.”
But is this the best way to measure how spammy a country is? I decided that I had to normalize the results. Of course countries with bigger populations will be in the top 20, there’s more people and therefore more potential for spam. To normalize the data, I went and determined how many Internet users there were in each country by pulling it from the web. I then created a Spam per Internet User rating, by dividing the total amount of spam by the total number of Internet users. This normalizes the data. Now a country with a very large population does not necessarily outrank one with a smaller population. The results are below with the caveat that a country requires at least 2.5 million Internet users to get onto the table:
Rank Country Internet Users Spam Per User --------------------------------------------------- 1 Czech Republic 4,991,300 4.38 2 South Korea 36,794,800 3.75 3 Romania 7,430,000 3.35 4 The Netherlands 5,470,000 2.49 5 United States 222,723,436 2.01 6 Argentina 20,000,000 1.79 7 Chile 8,368,719 1.76 8 Slovakia 3,018,400 1.75 9 Hungary 5,215,400 1.66 10 Ukraine 6,700,000 1.62 11 Poland 20,020,362 1.40 12 Singapore 3,104,900 1.35 13 Denmark 4,408,100 1.30 14 Greece 4,932,495 1.23 15 Israel 5,263,146 1.21 16 Spain 27,028,934 1.16 17 Canada 23,999,500 1.07 18 Portugal 4,249,200 1.05 19 Brazil 67,510,400 1.01 20 Sweden 7,295,200 0.95
Looking at this table, the numbers completely change. The United States drops from first place to fifth place. China doesn’t even make the top 20! The Czech Republic, which was 13th on the previous list, bolts up to number 1. South Korea moves up one spot to 2nd, and climbs nine spots from 12th to 3rd. The Netherlands didn’t even rank on the previous chart but clocks into 4th place when the data is normalized against the base of Internet users.
The normalized data set changes my perception of who is spamming and who is not. China may send a lot of spam but Eastern Europe sure seems a lot more spammy than the Chinese. Indeed, the top 5 countries are much more efficient at spamming the rest of the world than the less developed countries. I’m not sure what this means in terms of how to interpret the data. Does it means that these developed countries are lax in their security policies? Does it imply that they are complicit in spamming? Does it imply that spammers are better organized over there?
In any case, another interesting study would be a projected spam count; if China had the same Internet penetration as Iceland (which is 90% of its population), then using the Spam Per User ratio, how much of the world’s spam would they be responsible for? That would be a good follow up post.
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byVerisign
When it comes to domains registered on a particular ccTLD / in registrars of a particular country and used in spam .. china is head and shoulders at the top.
For example -
Domains blocked: 5642
Top 10 TLDs:
3401 .com
970 .cn
558 .net
314 .info
131 .in
89 .org
51 .uk
49 .ru
18 .biz
16 .us
Out of which - just picking the china based registrars -
950 XIAMEN ENAME NETWORK TECHNOLOGY CORPORATION LIMITED DBA ENAME CORP
????
154 CHINA SPRINGBOARD INC.
China Springboard Inc. (R1749-LROR)
145 ONLINENIC, INC.
81 XIN NET TECHNOLOGY CORPORATION
??????????????
66 GUANGZHOU MING YANG INFORMATION TECHNOLOGY CO., LTD
59 XIAMEN CHINASOURCE INTERNET SERVICE CO., LTD.
It's true that I did not measure where the spamming domains are hosted. I only did this study based upon who is sending the spam, not where the spammy domain is located. That would be another good study to compare.
For domains listed in ob.surbl.org
In my opinion statistics about spam received at a single or even a small number of domains on the internet is too narrow a sample to reach any conclussions about world wide spam.
To get more accurate measures you need to have a much wider net, such as Project Honeypot
http://www.projecthoneypot.org/statistics.php
But I dont see them tracking domains found in spam, sorted by ccTLD / registrar. And ob.surbl (whose stats I quoted) is fed from like 400k ++ domains, 40 million users. I hope that meets your exacting (and quite appropriate) critieria?
If I were spamming from China I would be careful to target foreign victims, otherwise it would be too easy for one of them to find out where to complain and possibly shot down my zombie, account, or contract. Normalizing by recipient country may also be interesting.
There's a huge amount of "local" (chinese language, for a chinese audience) spam sent by bots, but you wouldnt see it in a provider that's primarily english language. If you run freemails or ISPs with .cn / .hk / .tw domains, you'd see that too. The typical spam that's sent by these domains I was referring to appears to be pill / porn, sent using fastflux domains, bots etc. Some mule recruitment, phish etc as well. Mostly in English, targeted at an American audience.
I'm not sure what "local" means. On an Italian MX I see a portion of spam targeted to Italians. However, part of it has obviously been translated automatically by non-native speakers. Spammers have i18n problems just like the rest of us, but I wouldn't classify a multilingual tidal as "local".
That advertises chinese products / websites to a chinese audience, has content written by a native chinese speaker, etc. Quite often these are legitimate products that just "hired an email marketer", who then sends out advertising using unethical means. There's at least one spammer for example who keeps sending spam advertising chinese electronics factories, restaurants etc - through hacked hotmail and yahoo accounts. There's of course no shortage of local MLM, scams, porn etc being advertised through the same means. The sort of spam where (say) a nigerian scam is run through google translate before sending to italians is not what i'm talking about. That exists, its not unknown - but the volume of "local spam" that's targeted at a local audience - but as its indiscriminately targeted spam, ends up mailing people who dont live there, dont speak the local language etc.
How do you know it’s actually spam from that country? While the source IP may be located in the country in question it could just as easily be argued that the devices sending the spam are compromised PCs / servers. Whether or not the actual spammers are located in the countries listed or not is, therefore, harder to prove.