A few weeks ago, I posted a piece on where individual spammers were located in terms of sending IP. The United States was number 1, followed by China. This is in terms of the total volume of spam they send.
However, a second piece of data that I did not look at was where the individual spam sites advertised within that spam were located. For example, does a lot of spam sent from the United States point to spammy URLs hosted in China? I decided to do a preliminary investigation and find out.
To determine this, I followed these steps:
The results are below. Again, I emphasize that this represents 4 days' worth of mail that had already passed IP-based blocking; it is not necessarily representative of our entire spam mail stream:
To interpret the above chart: of all the unique IPs mapped back from URLs found in spam, 55% were located in the United States. However, 69% of the total spam messages contained spam URLs on hosts located in the US. In other words, the US has a disproportionate amount of spam pointing to servers located within its borders. While China may have a greater total of URLs registered to it, our content filters are seeing far more spam pointing to web sites located in the US.
In the above chart, the "n/a" column refers to sites for which I couldn't get an A record. Perhaps the site has been taken down, or has moved. But it definitely accounted for a big chunk of spam hits.
If you are interested in what domains are getting hit the most and where they are located, the results are below. I have normalized the data to show relative frequency of how often a site gets hit using the 16th most frequent URL as the baseline.
| Domain | IP | Country | Frequency |
|---|---|---|---|
| fineunknown.com | 72.46.154.186 | US | 9.4 |
| hxukasln.cn | 159.226.7.162 | CN | 7.6 |
| scsend.com | 67.225.194.7 | US | 4.9 |
| mountainstas.com | 65.254.57.198 | US | 3.1 |
| 100freemb.com | 209.63.57.10 | US | 2.8 |
| hrbalife.com | 216.10.65.50 | US | 2.6 |
| ammersmicht.net | 69.28.56.4 | US | 2.4 |
| yourschoolssite.info | 67.21.115.90 | US | 2.2 |
| mp010.net | 83.206.207.181 | FR | 1.6 |
| grapewatches.cn | 60.12.166.157 | CN | 1.6 |
| snurl.com | 75.126.161.224 | US | 1.5 |
| aafter.us | 70.84.211.85 | US | 1.3 |
| reduce-now.com | 67.216.82.45 | US | 1.1 |
| plumbwatches.cn | 220.196.42.59 | CN | 1.1 |
The United States simply hosts a lot of URLs that are spammed heavily, and that is why it accounts for so much of the spam pointing at web sites. In this limited sample set, the US both sends the most spam and hosts the most spam.
A few more interesting facts about the top 3 countries (US, China, Russia):
US avg spams: 3532
US median spams: 75
China avg spams: 2095
China median spams: 148
Russia avg spams: 1409
Russia median spams: 40
This confirms what we see above: a few sites can dominate the spam volumes and skew the statistics.
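The three views the post builds (share of unique hosting IPs per country versus share of messages per country, the frequency table normalized against a lower-ranked domain, and the per-country average versus median that shows the skew) can be reproduced from a list of (message, domain) hits. The script below is an added example, not the author's code: the DNS and GeoIP lookups are replaced by constructed dictionaries so it runs offline, and the hit volumes, domain names and IPs are invented (documentation ranges), not the post's data. The baseline rank is a parameter; the post used the 16th most frequent domain, the sample here has only seven, so the usage call uses the 7th.

```python
from collections import Counter, defaultdict
from statistics import mean, median

# Constructed sample: one (message_id, domain) pair per spam message that
# carried a URL on that domain. Volumes are invented, not the post's data.
HITS = []
for tag, domain, n in [
    ("a", "example-a.com", 60), ("b", "example-b.cn", 45),
    ("c", "example-c.com", 30), ("d", "example-d.cn", 12),
    ("e", "example-e.fr", 9), ("f", "example-f.cn", 7),
    ("g", "gone.example", 5),
]:
    HITS += [("%s%d" % (tag, i), domain) for i in range(n)]

# Constructed stand-in for the A-record lookup (a real run would query DNS).
# None means no A record, which the post reports as "n/a".
A_RECORDS = {
    "example-a.com": "192.0.2.10",
    "example-b.cn": "198.51.100.20",
    "example-c.com": "192.0.2.11",
    "example-d.cn": "198.51.100.21",
    "example-e.fr": "203.0.113.30",
    "example-f.cn": "198.51.100.22",
    "gone.example": None,
}

# Constructed stand-in for a GeoIP database keyed by IP address.
GEOIP = {
    "192.0.2.10": "US", "192.0.2.11": "US",
    "198.51.100.20": "CN", "198.51.100.21": "CN", "198.51.100.22": "CN",
    "203.0.113.30": "FR",
}


def country_of(domain):
    """Country of the host a spam URL points to, or 'n/a' if it does not resolve."""
    ip = A_RECORDS.get(domain)
    return GEOIP.get(ip, "n/a") if ip else "n/a"


def country_shares(hits):
    """Two views of the same data, as whole percentages:
    share of unique resolved IPs per country, and share of spam messages
    whose URL host sits in that country. A country whose message share is
    well above its IP share hosts a few heavily spammed sites."""
    msgs = Counter(country_of(d) for _, d in hits)
    ips = defaultdict(set)
    for _, d in hits:
        ip = A_RECORDS.get(d)
        if ip:
            ips[GEOIP.get(ip, "n/a")].add(ip)
    total_msgs = sum(msgs.values())
    total_ips = sum(len(s) for s in ips.values())
    ip_share = {c: round(100 * len(s) / total_ips) for c, s in ips.items()}
    msg_share = {c: round(100 * n / total_msgs) for c, n in msgs.items()}
    return ip_share, msg_share


def normalized_frequency(hits, baseline_rank):
    """Hit count per domain divided by the count of the baseline_rank-th most
    frequent domain, as rows of (domain, ip, country, relative_frequency)."""
    counts = Counter(d for _, d in hits).most_common()
    baseline = counts[min(baseline_rank, len(counts)) - 1][1]
    return [(d, A_RECORDS.get(d), country_of(d), round(n / baseline, 1))
            for d, n in counts]


def per_country_stats(hits):
    """(mean, median) messages per hosting domain for each country; a mean far
    above the median means a few hosts dominate that country's volume."""
    per_domain = Counter(d for _, d in hits)
    by_country = defaultdict(list)
    for d, n in per_domain.items():
        c = country_of(d)
        if c != "n/a":
            by_country[c].append(n)
    return {c: (round(mean(v), 1), median(v)) for c, v in by_country.items()}


if __name__ == "__main__":
    ip_share, msg_share = country_shares(HITS)
    for c in sorted(msg_share):
        print("%-4s unique-IP share %3d%%   message share %3d%%"
              % (c, ip_share.get(c, 0), msg_share[c]))
    print("\nDomain          IP              Country  Frequency")
    for d, ip, c, f in normalized_frequency(HITS, 7):
        print("%-15s %-15s %-8s %.1f" % (d, ip or "n/a", c, f))
    print()
    for c, (avg, med) in sorted(per_country_stats(HITS).items()):
        print("%s avg spams per host: %s   median: %s" % (c, avg, med))
```

On this constructed sample CN holds half of the unique IPs but only 38% of the messages, while the US holds a third of the IPs and 54% of the messages, which is the same shape of result the post reports. The per-country mean for CN sits well above its median, reproducing the skew the averages and medians above are meant to show.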
And a domain resolving to an IP in China now will suddenly resolve to somewhere in Brazil within the next minute or two (or whenever the TTL expires). So that’s not a usable metric.
Do what I suggested last time - check whois for the domain registrar, and for the contact information in the whois record.
You’ll get a rather more accurate metric than what you’ve posted here.
Checking those names one week later I find:
unchanged chabad.org
unchanged scsend.com
unchanged mountainstas.com
unchanged 100freemb.com
unchanged ammersmicht.net
unchanged yourschoolssite.info
unchanged mp010.net
unchanged snurl.com
unchanged aafter.us
unchanged reduce-now.com
unchanged plumbwatches.cn
fineunknown.com was 72.46.154.186, does not resolve now
hxukasln.cn was 159.226.7.162, does not resolve now
grapewatches.cn was 60.12.166.157, is now 60.12.166.150
That does not look like fastflux to me.
hrbalife.com was 216.10.65.50, is now 69.64.155.125
;; ANSWER SECTION:
hrbalife.com. 3600 IN A 69.64.155.125
With a one hour TTL, that does not look like fastflux either.
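The check in the comment above (resolve the same names a week apart, note which still resolve, which moved, and whether a short TTL suggests fast flux) can be scripted against saved dig output. The following is an added example, not the commenter's code: both snapshots are constructed answer sections with documentation-range IPs, and the 300-second cutoff for "short TTL" is an assumed threshold, chosen so that the one-hour TTL in the comment falls clearly on the "not fast flux" side.

```python
import re

# One dig A-record answer line: "<name>. <ttl> IN A <ip>" (whitespace may be tabs).
ANSWER_RE = re.compile(
    r"^(?P<name>\S+?)\.?\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Assumed threshold: TTLs below this are treated as "short" for the verdict.
SHORT_TTL_SECONDS = 300

# Constructed snapshots taken a week apart (invented names and IPs).
WEEK1 = """;; ANSWER SECTION:
example-static.com.\t3600\tIN\tA\t192.0.2.10
example-moved.com.\t3600\tIN\tA\t192.0.2.20
example-gone.com.\t3600\tIN\tA\t192.0.2.30
example-flux.com.\t60\tIN\tA\t198.51.100.1
example-flux.com.\t60\tIN\tA\t198.51.100.2
"""
WEEK2 = """;; ANSWER SECTION:
example-static.com.\t3600\tIN\tA\t192.0.2.10
example-moved.com.\t3600\tIN\tA\t203.0.113.25
example-flux.com.\t60\tIN\tA\t198.51.100.7
example-flux.com.\t60\tIN\tA\t198.51.100.8
"""


def parse_answers(dig_output):
    """Return {name: {"ttl": lowest TTL seen, "ips": [A records]}} from the
    answer lines of dig output; non-matching lines (headers, comments) are skipped."""
    records = {}
    for line in dig_output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name").lower()
        entry = records.setdefault(name, {"ttl": int(m.group("ttl")), "ips": []})
        entry["ttl"] = min(entry["ttl"], int(m.group("ttl")))
        entry["ips"].append(m.group("ip"))
    return records


def classify(old, new, short_ttl=SHORT_TTL_SECONDS):
    """Compare two parsed snapshots and give each name from the first one a verdict."""
    report = {}
    for name, rec in old.items():
        cur = new.get(name)
        if cur is None:
            report[name] = "does not resolve now"
        elif set(cur["ips"]) == set(rec["ips"]):
            report[name] = "unchanged"
        elif cur["ttl"] < short_ttl:
            report[name] = "moved, short TTL (%ds): consistent with fast flux" % cur["ttl"]
        else:
            report[name] = "moved, TTL %ds: does not look like fast flux" % cur["ttl"]
    return report


if __name__ == "__main__":
    for name, verdict in classify(parse_answers(WEEK1), parse_answers(WEEK2)).items():
        print("%-20s %s" % (name, verdict))
```

Real dig output contains CNAME, NS and other record types as well; the pattern above deliberately keeps only A records, so a name that resolves solely through a CNAME chain with no A record in the answer section would be reported as not resolving and should be rechecked by hand.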
That's a Jewish charity or religious movement or something. Probably got hacked. Then 100freemb.com is a free webhost, snurl is a link redirection / short url service .. pretty mixed bag, that.
Perhaps it’s easier for spammers to hijack PCs hosted in .CN
The spammer could be anywhere.
The domain chabad.org was originally listed on my list and has been subsequently removed. It is a false positive that was being abused by spammers and subsequently listed on a URL blocklist.