Common Tasks
Search
  • Advanced search options...
  • Search
News

Holy cow, I wrote a book!

Basics
Blogroll
Categories

A visual history of spam (and virus) email

MSDN Blogs > The Old New Thing > A visual history of spam (and virus) email

A visual history of spam (and virus) email

Rate This
16 Sep 2004 7:00 AM

I have kept every single piece of spam and virus email since mid-1997. Occasionally, it comes in handy, for example, to add naïve Bayesian spam filter to my custom-written email filter. And occasionally I use it to build a chart of spam and virus email.

The following chart plots every single piece of spam and virus email that arrived at my work email address since April 1997. Blue dots are spam and red dots are email viruses. The horizontal axis is time, and the vertical axis is size of mail (on a logarithmic scale). Darker dots represent more messages. (Messages larger than 1MB have been treated as if they were 1MB.)

Note that this chart is not scientific. Only mail which makes it past the corporate spam and virus filters show up on the chart.

Why does so much spam and virus mail get through the filters? Because corporate mail filters cannot take the risk of accidentally classifying valid business email as spam. Consequently, the filters have to make sure to remove something only if they has extremely high confidence that the message is unwanted.

Okay, enough dawdling. Let's see the chart.

Overall statistics and extrema:

  • First message in chart: April 22, 1997.
  • Last message in chart: September 10, 2004.
  • Smallest message: 372 bytes, received March 11, 1998. 
    From: 15841.
To: 15841.
Subject: About your account...
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

P
  • Largest message: 1,406,967 bytes, received January 8, 2004. HTML mail with a lot of text including 41 large images. A slightly smaller version was received the previous day. (I guess they figured that their first version wasn't big enough, so they sent out an updated version the next day.)
  • Single worst spam day by volume: January 8, 2004. That one monster message sealed the deal.
  • Single worst spam day by number of messages: August 22, 2002. 67 pieces of spam. The vertical blue line.
  • Single worst virus day: August 24, 2003. This is the winner both by volume (1.7MB) and by number (49). The red splotch.
  • Totals: 227.6MB of spam in roughly 19,000 messages. 61.8MB of viruses in roughly 3500 messages.

Things you can see on the chart:

  • Spam went ballistic starting in 2002. You could see it growing in 2001, but 2002 was when it really took off.
  • Vertical blue lines are "bad spam days". Vertical red lines are "bad virus days".
  • Horizontal red lines let you watch the lifetime of a particular email virus. (This works only for viruses with a fixed-size payload. Viruses with variable-size payload are smeared vertically.)
  • The big red splotch in August 2003 around the 100K mark is the Sobig virus.
  • The horizontal line in 2004 that wanders around the 2K mark is the Netsky virus.
  • For most of this time, the company policy on spam filtering was not to filter it out at all, because all the filters they tried had too high a false-positive rate. (I.e., they were rejecting too many valid messages as spam.) You can see that in late 2003, the blue dot density diminished considerably. That's when mail administrators found a filter whose false-positive rate was low enough to be acceptable.

As a comparison, here's the same chart based on email received at one of my inactive personal email addresses.

This particular email address has been inactive since 1995; all the mail it gets is therefore from harvesting done prior to 1995. (That's why you don't see any red dots: None of my friends have this address in their address book since it is inactive.) The graph doesn't go back as far because I didn't start saving spam from this address until late 2000.

Overall statistics and extrema:

  • First message in chart: September 2, 2000.
  • Last message in chart: September 10, 2004.
  • Smallest message: 256 bytes, received July 24, 2004. 
    Received: from dhcp065-025-005-032.neo.rr.com ([65.25.5.32]) by ...
         Sat, 24 Jul 2004 12:30:35 -0700
X-Message-Info: 10
  • Largest message: 3,661,900 bytes, received April 11, 2003. Mail with four large bitmap attachments, each of which is a Windows screenshot of Word with a document open, each bitmap showing a different page of the document. Perhaps one of the most inefficient ways of distributing a four-page document.
  • Single worst spam day by volume: April 11, 2003. Again, the monster message drowns out the competition.
  • Single worst spam day by number of messages: October 3, 2003. 74 pieces of spam.
  • Totals: 237MB of spam in roughly 35,000 messages.

I cannot explain the mysterious "quiet period" at the beginning of 2004. Perhaps my ISP instituted a filter for a while? Perhaps I didn't log on often enough to pick up my spam and it expired on the server? I don't know.

One theory is that the lull was due to uncertainty created by the CAN-SPAM Act, which took effect on January 1, 2004. I don't buy this theory since there was no significant corresponding lull at my other email account, and follow-up reports indicate that CAN-SPAM was widely disregarded. Even in its heyday, compliance was only 3%.

Curiously, the trend in spam size for this particular account is that it has been going down since 2002. In the previous chart, you could see a clear upward trend since 1997. My theory is that since this second dataset is more focused on current trends, it missed out on the growth trend in the late 1990's and instead is seeing the shift in spam from text to <IMG> tags.

Comments
  • denny
    16 Sep 2004 8:05 AM
    interesting ....

    I agree the white band may be related to the can-spam deal. it does fit.

    now if I had *MY* spam for the same time you might need to go by a few more disks.... for a while I was running about 4 email servers and web servers and was listed as the contact for them all.... so my volume for a while was *HUGE* I had to tell folks to take the email for the domains to someone else... it was killin me and i was not obliged to take all that work for them ...
  • Lorenzo Barbieri
    16 Sep 2004 8:07 AM
    Hey... I've done quite the same thing when I graduated in 1999...
    I ported a cluster analysis tool from Fortran to Visual C++ and I tried different sets of data to test it.
    One set was related to my emails.
    I don't remember what dimensions I checked or what clusters I found, but your post remembered me all that thing! Thanks!
  • James Curran
    16 Sep 2004 8:10 AM
    >> Totals: 237MB of spam in roughly 35,000 messages.

    Sheesh.... I did the same thing for ONE MONTH. My totals: 1GB in roughly 116,000 messages.

    (But after training using that, SpamBayes works fine!)

  • Robert Hahn
    16 Sep 2004 8:20 AM
    Actually, the quiet period is present in the work-email graph - it's harder to see because your 2004 column is as wide as your 2003 column, stretching out the data points horizontally a bit more. But it is there.
  • chris
    16 Sep 2004 8:41 AM
    what did you make that chart with?
  • SmartAs
    16 Sep 2004 8:45 AM
    Great. Now I know the great majority of spam is between 1.5K and 128K. I'll just eliminate all that to get rid of 90% of the spam. 8v)
  • BillT
    16 Sep 2004 8:50 AM
    I noticed a huge dropoff at one point, also. I associated it with new Comcast procedures to limit outgoing spam, mostly from zombies, I assume.
  • Edward
    16 Sep 2004 9:14 AM
    Does anyone have a similar analysis of the subjects of Spam? A few years ago it was all Get-Rich-Quick schemes now its become Medication, Loans, and conterfeit software.

    I'd like to see a page similar to the Google Zeitgeist with rising and falling SPAM topics. I thought I'd try and write one myself but I figured someone would already have done it.
  • William
    16 Sep 2004 9:22 AM
    Human brains are the best filters.
    http://www.cloudmark.com/products/spamnet/
    And the only ones likely to work.
  • Raymond Chen
    16 Sep 2004 9:42 AM
    The trend towards <IMG>-based spam impairs the ability to categorize them by subject matter.

    The Comcast shutoff was in March 2004 which doesn't seem to match up with any gaps in the charts.
  • Eric Hodel
    16 Sep 2004 9:48 AM
    Scanned images of a Word document printout placed in a word document.

    Yes, one was sent to my entire company by upper management.
  • Alex
    16 Sep 2004 9:56 AM
    I suspect that the reason that you see spam going away is to increased reliability and use of corporate-level spam filters.
  • David Voss
    16 Sep 2004 10:02 AM
    *bows* I'm not worthy, I'm not worthy...

    So how did you come to decide that you would actually save every piece of spam and virus email? For most people they want to dispose of it as quickly as possible rather than archive it, especially as long as you have.

    Thanks for sharing this. It was definitely an interesting read!
  • Larry Osterman's WebLog
    16 Sep 2004 10:18 AM
  • Todd Spatafore
    16 Sep 2004 10:18 AM
    It would be interesting to see SPAM flux by hour of day, day of week, and by month of year. Also, it looks like there is a relative dry period at the beginning of 2003 that has almost the same width as the one at the beginning of 2004.

    This was very interesting. Thank you for sharing.
Page 1 of 11 (156 items) 12345»