Last week, Graham Cluley of SophosLabs posted an article indicating that China had slid off the list of the top 10 spam relaying countries in the world. Here is the list, according to Sophos:
The top twelve spam relaying countries for January to March 2010
1. USA - 13.1%
2. India - 7.3%
3. Brazil - 6.8%
4. South Korea - 4.8%
5. Vietnam - 3.4%
6. Germany - 3.2%
=9. United Kingdom - 3.1%
=9. Russia - 3.1%
=9. Italy - 3.1%
10. France - 3.0%
11. Romania - 2.5%
12. Poland - 2.4%
I decided to do my own quick investigation. Mine isn’t quite as historically oriented as Cluley’s, but I decided to check how much spam we have been receiving since February 2010 from a particular set of botnets that I track (15 in total), counting only IPs that make it past our RBL checks. By combining this with botnet statistics, I built a different set of results.
A couple of months ago, I wrote that certain botnets send the most spam, but it depends on how you count it. You can count it either by total envelopes or by total messages. An envelope can contain multiple messages, since a botnet can put more than one recipient address on the RCPT TO in a single email connection. I decided to check which country sends the most messages according to specific botnets (but not all spam – this means that a lot of the spam that I track was left unattributed, since I cannot attribute every single IP to a botnet).
To do this, for the February – April time frame, I determined the average number of spam messages per botnet. I then calculated the total number of envelopes each IP sent (for IPs attributed to a botnet) and multiplied by the average. Then, I took each IP and grouped it by country. The result is the total amount of spam each country sends, accounting for botnet characteristics. Below are the results:
A few points to discuss here:
To be fair to Sophos, they have tracked a different time frame than I did and they haven’t restricted their numbers the way I have with botnets. Still, the two big divergences between the two of us are that South Korea hits us much harder and so does Australia.
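The estimate described above (envelopes per IP, multiplied by the botnet's average, then summed by country), as an added example that is not code from the original post. It assumes "the average" means average messages (RCPT TO recipients) per envelope for each botnet; the botnet names, IPs, countries and counts are all constructed.

```python
from collections import defaultdict

# Constructed sample data, not figures from the post.
# Recipients (RCPT TO count) observed on sampled envelopes, per botnet.
RCPTS_PER_ENVELOPE = {
    "botnet_a": [1, 1, 2, 1, 1],   # mostly one recipient per envelope
    "botnet_b": [10, 8, 12, 10],   # packs many recipients into each envelope
}

# Envelopes per IP that passed RBL checks: (ip, botnet or None, country, envelopes).
IP_ENVELOPES = [
    ("192.0.2.10", "botnet_a", "US", 500),
    ("192.0.2.11", "botnet_b", "KR", 100),
    ("198.51.100.7", "botnet_b", "AU", 60),
    ("198.51.100.8", "botnet_a", "KR", 200),
    ("203.0.113.5", None, "US", 900),  # no botnet attribution: left out
]

def avg_messages_per_envelope(samples):
    """Average recipients per envelope for each botnet with samples."""
    return {b: sum(r) / len(r) for b, r in samples.items() if r}

def estimate_by_country(ip_rows, averages):
    """Return (envelopes, estimated messages, unattributed envelopes)."""
    envelopes, messages = defaultdict(int), defaultdict(float)
    unattributed = 0
    for _ip, botnet, country, count in ip_rows:
        if botnet not in averages:
            unattributed += count      # cannot be weighted, so not counted
            continue
        envelopes[country] += count
        messages[country] += count * averages[botnet]
    return dict(envelopes), dict(messages), unattributed

def shares(totals):
    """Percentage share per country, largest first."""
    total = sum(totals.values())
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return {c: round(100 * v / total, 1) for c, v in ranked}

if __name__ == "__main__":
    avgs = avg_messages_per_envelope(RCPTS_PER_ENVELOPE)
    env, msg, skipped = estimate_by_country(IP_ENVELOPES, avgs)
    print("by envelopes:", shares(env))
    print("by messages: ", shares(msg))
    print("unattributed envelopes:", skipped)
```

In this constructed data the ranking flips between the two counting methods: the country leading by envelopes is not the one leading by estimated messages, because its IPs belong to a botnet that sends few recipients per envelope.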
These statistics are not very telling about how well countries manage their bot problem unless you pro-rate based on the number of internet users.
True. I have not normalized that data.
Australia shows up significantly in your analysis, which indicates there is a significant production of localised spam, i.e. the spam source and the spam destination are both in Australia.