A few weeks ago, I posted a piece on where individual spammers were located in terms of sending IP.  The United States was number 1, followed by China.  This is in terms of total volume of spam that they send.

However, a second piece of data that I did not take a look at was where all of the individual spam sites contained within the spam were located.  For example, does a lot of spam sent from the United States point to spammy URLs hosted in China?  I decided to do a preliminary investigation and find out.

To determine this, I followed the following steps:

  1. I took a random sample of the past 4 days of 500 URLs from a URL reputation list.  All of these URLs had to hit our filters (i.e., greater than zero hits) and get past our IP blocks.

  2. I took the number of individual spam hits per URL, and I then mapped the URL back to its A-record.  I then converted the A-record to its country of origin.  In other words, I did URL –> A-record –> Country.

  3. I then got the distribution of the proportion of IPs hosted in each country, and then the proportion of spam mail containing a URL hosted in each country.

The results are below.  Again, I emphasize that this represents 4 days' worth of traffic of post IP-blocked mail; it is not necessarily representative of our entire spam mail stream:

[Chart: proportion of unique IPs and proportion of spam messages, by hosting country]

To interpret the above chart, out of all the unique IPs mapped back from URLs found in spam, 55% were located in the United States.  However, 69% of the total spam messages contained spam URLs on hosts located in the US.  In other words, the US has a disproportionate amount of spam pointing to servers located within its borders.  While China may have a greater total of URLs registered to it, the fact is that our content filters are seeing way more spam to web sites located in the US.

In the above chart, the “n/a” column refers to sites that I couldn’t get an A-record for.  Perhaps the site has been taken down, or maybe moved on.  But it definitely had a big chunk of spam hits.

If you are interested in what domains are getting hit the most and where they are located, the results are below.  I have normalized the data to show relative frequency of how often a site gets hit using the 16th most frequent URL as the baseline.

| Domain | IP | Country | Frequency |
|---|---|---|---|
| fineunknown.com | 72.46.154.186 | US | 9.4 |
| hxukasln.cn | 159.226.7.162 | CN | 7.6 |
| scsend.com | 67.225.194.7 | US | 4.9 |
| mountainstas.com | 65.254.57.198 | US | 3.1 |
| 100freemb.com | 209.63.57.10 | US | 2.8 |
| hrbalife.com | 216.10.65.50 | US | 2.6 |
| ammersmicht.net | 69.28.56.4 | US | 2.4 |
| yourschoolssite.info | 67.21.115.90 | US | 2.2 |
| mp010.net | 83.206.207.181 | FR | 1.6 |
| grapewatches.cn | 60.12.166.157 | CN | 1.6 |
| snurl.com | 75.126.161.224 | US | 1.5 |
| aafter.us | 70.84.211.85 | US | 1.3 |
| reduce-now.com | 67.216.82.45 | US | 1.1 |
| plumbwatches.cn | 220.196.42.59 | CN | 1.1 |

The United States simply contains a lot of URLs that are spammed a lot, and that is why they account for so much of the spam.  The US sends the most spam and it hosts the most spam in this limited sample set.

A few more interesting facts about the top 3 countries (US, China, Russia):

US avg spams: 3532
US median spams: 75

China avg spams: 2095
China median spams: 148

Russia avg spams: 1409
Russia median spams: 40


This confirms what we see above: a few sites can dominate the spam volumes and skew the statistics.
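
The three steps above (URL to A-record to country, then share of unique IPs versus share of spam per country) together with the average-versus-median comparison, as an added Python example that is not the tooling used for this post. The URLs, hit counts, `.example` hosts, documentation-range IPs and both lookup tables are constructed stand-ins for live DNS and a GeoIP database, and bucketing unresolved hosts by hostname is an assumption.

```python
from collections import defaultdict
from statistics import mean, median
from urllib.parse import urlsplit

# Constructed sample: (URL found in spam, number of spam hits for that URL).
SAMPLE = [
    ("http://pills.example/buy", 9000),   # one heavily spammed URL
    ("http://pills.example/cart", 400),   # second URL on the same host
    ("http://loans.example/x", 60),
    ("http://watches.example/a", 150),
    ("http://replica.example/", 140),
    ("http://gone.example/", 250),        # host no longer has an A-record
]
# Constructed stand-ins for a DNS A-record lookup and an IP-to-country database.
A_RECORDS = {"pills.example": "192.0.2.10", "loans.example": "192.0.2.20",
             "watches.example": "198.51.100.5", "replica.example": "198.51.100.6"}
IP_COUNTRY = {"192.0.2.10": "US", "192.0.2.20": "US",
              "198.51.100.5": "CN", "198.51.100.6": "CN"}

def country_stats(sample, resolve=A_RECORDS.get, locate=IP_COUNTRY.get):
    """Map URL -> A-record -> country, then summarise per country."""
    ips = defaultdict(set)    # country -> unique hosting IPs
    hits = defaultdict(list)  # country -> per-URL spam hit counts
    for url, count in sample:
        host = (urlsplit(url).hostname or "").lower()
        ip = resolve(host)
        country = (locate(ip) if ip else None) or "n/a"
        # Assumption: an unresolved host is counted once, keyed by hostname.
        ips[country].add(ip or host)
        hits[country].append(count)
    total_ips = sum(len(s) for s in ips.values())
    total_hits = sum(sum(h) for h in hits.values())
    return {c: {"ip_share": len(ips[c]) / total_ips,
                "spam_share": sum(hits[c]) / total_hits,
                "avg": mean(hits[c]),
                "median": median(hits[c])}
            for c in ips}

if __name__ == "__main__":
    for country, s in sorted(country_stats(SAMPLE).items()):
        print(f"{country:>3}  IPs {s['ip_share']:.0%}  spam {s['spam_share']:.1%}"
              f"  avg {s['avg']:.0f}  median {s['median']:.0f}")
```

In this constructed sample the US and CN each hold 40% of the unique IPs, yet the US receives 94.6% of the spam hits because one URL dominates, which is also why its average sits far above its median.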