Home / Blogs

Oh, Spammer, Where Art Thou?

A few weeks ago, I posted a piece on where individuals spammers were located in terms of sending IP. The United States was number 1, followed by China. This is in terms of total volume of spam that they send.

However, a second piece of data that I did not take a look at was where all of the individual spam sites contained within the spam was located. For example, does a lot of spam sent from the United States point to spammy URLs hosted in China? I decided to do a preliminary investigation and find out.

To determine this, I followed the following steps:

  1. I took a random sample of the past 4 days of 500 URLs from a URL reputation list. All of these URLs had to hit our filters (i.e., greater than zero hits) and get past our IP blocks.
  2. I took the number of individual spam hits per URL, and I then mapped the URL back to its A-record. I then converted the A-record to its country of origin. In other words, I did URL → A-record → Country.
  3. I then got the distribution of the proportion of IPs hosted in each country, and then the proportion of spam mail containing a URL hosted to each country.

The results are below. Again, I emphasize that this represents 4 days worth of traffic of post IP-blocked mail, it is not necessarily representative of our entire spam mail stream:

To interpret the above chart, out of all the unique IPs mapped back from URLs found in spam, 55% were located in the United States. However, 69% of the total spam messages contained spam URLs on hosts located in the US. In other words, the US has a disproportionate amount of spam pointing to servers located within its borders. While China may have a greater total of URLs registered to it, the fact is that our content filters are seeing way more spam to web sites located in the US.

In the above chart, the “n/a” column refers to sites that I couldn’t get an A-record for. Perhaps the site has been taken down, or maybe moved on. But it definitely had a big chunk of spam hits.

If you are interested in what domains are getting hit the most and where they are located, the results are below. I have normalized the data to show relative frequency of how often a site gets hit using the 16th most frequent URL as the baseline.

DomainIPCountryFrequency
fineunknown.com72.46.154.186US9.4
hxukasln.cn159.226.7.162CN7.6
scsend.com67.225.194.7US4.9
mountainstas.com65.254.57.198US3.1
100freemb.com209.63.57.10US2.8
hrbalife.com216.10.65.50US2.6
ammersmicht.net69.28.56.4US2.4
yourschoolssite.info67.21.115.90US2.2
mp010.net83.206.207.181FR1.6
grapewatches.cn60.12.166.157CN1.6
snurl.com75.126.161.224US1.5
aafter.us70.84.211.85US1.3
reduce-now.com67.216.82.45US1.1
plumbwatches.cn220.196.42.59CN1.1


The United States simply contains a lot of URLs that are spammed a lot and that is why they take up so much spam in the world of spam. The US sends the most spam and it hosts the most spam in this limited sample set.

A few more interesting facts about the top 3 countries (US, China, Russia)

US avg spams: 3532
US median spams: 75

China avg spams: 2095
China median spams: 148

Russia avg spams: 1409
Russia medians spams: 40

This confirms what we see above, a few sites can dominate the spam volumes and skew the statistics.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Terry Zink, Program Manager

Filed Under

Comments

These are mostly fastflux domains Suresh Ramasubramanian  –  Aug 21, 2009 1:45 AM

And a domain resolving to an IP in China now will suddenly resolve to somewhere in Brazil within the next minute or two (or whenever the TTL expires). So that’s not a usable metric.

Do what I suggested last time - check whois for the domain registrar, and for the contact information in the whois record.

You’ll get a rather more accurate metric than what you’ve posted here.

not mostly fastflux Carl Byington  –  Aug 26, 2009 11:57 PM

Checking those names one week later I find: unchanged chabad.org unchanged scsend.com unchanged mountainstas.com unchanged 100freemb.com unchanged ammersmicht.net unchanged yourschoolssite.info unchanged mp010.net unchanged snurl.com unchanged aafter.us unchanged reduce-now.com unchanged plumbwatches.cn ineunknown.com was 72.46.154.186, does not resolve now hxukasln.cn was 159.226.7.162, does not resolve now grapewatches.cn was 60.12.166.157, is now 60.12.166.150 That does not look like fastflux to me. hrbalife.com was 216.10.65.50, is now 69.64.155.125 ;; ANSWER SECTION: hrbalife.com. 3600 IN A 69.64.155.125 With a one hour TTL, that does not look like fastflux either.

chabad.org? Suresh Ramasubramanian  –  Aug 27, 2009 12:03 AM

That's a Jewish charity or religious movement or something. Probably got hacked. Then 100freemb.com is a free webhost, snurl is a link redirection / short url service .. pretty mixed bag, that.

Could the spam come from unprotected PCs? Colin Sutton  –  Aug 26, 2009 11:24 AM

Perhaps it’s easier for spammers to hijack PCs hosted in .CN
The spammer could be anywhere.

Correction to the list Terry Zink  –  Sep 4, 2009 5:56 PM

The domain chabad.org was originally listed on my list and has been subsequently removed.  It is a false positive that was being abused by spammers and subsequently listed on a URL blocklist.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix