Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Sophos’s list of top spamming countries vs Forefront Online’s list

Last week, Sophos released a blog post on the top 12 countries that relay spam during the first three months of 2012.  Their summary:

  1. The country with the highest amount of spam sent is India.

  2. Spam has decreased over time because of better efforts to combat spam worldwide, but also because of a shift in tactics by spammers to mobile spam and social network abuse.

I decided to compare Sophos’s list with our list for 1Q 2012.  I don’t know how Sophos compiled their list, but here’s how I did mine:

  1. I only count spam that makes it past our IP blocks.  Prior to being blocked at the network edge, I don’t have the data and therefore cannot get a geographical distribution.  However, my assumption is that it would look roughly the same as it does after IP blocks.

  2. I perform country/IP analysis and assume that the originating country of the spam is the same as the IP that relayed it.  This isn’t strictly true because a bot in Russia can control a bot in China and cause the Chinese bot to send the spam.  Which country originated the spam?  Russia?  Or China?  In my statistics, I count it as China even though you could make a case for Russia.  However, I cannot get accurate statistics on bots that originate the mail instead of relaying it. 

So without further ado, here’s a comparison of the two lists by the total amount of spam that we saw from each country.  The numbers in parentheses in Sophos’s list are where that country ranked in our list:

image

You can see that countries like India, the USA, Indonesia, Brazil and Pakistan are roughly the same between Forefront and Sophos.  But Sophos’s numbers vary wildly for South Korea, Taiwan and Peru.

But is the total amount of spam the best way to denote whether a country is spammy or not?  After all, the skew toward the US simply reflects our customer base.  What percentage of the mail that a country sends is marked as spam?  The proportion of mail that a country sends that is spam is a better indicator of its spamminess.  Here’s our top 12 list again by total spam messages, but now showing the percentage of spam:

image

Going by this, developing countries like India, Indonesia and Pakistan blow right by the US, the UK, France and Germany.  If we order by spam % and adjust for minimum amounts of spam, how does the list look?

image

This switches things.  While countries like the US, Canada and the UK all make the list for the most spam sent, it’s because the total Internet population is so large and they account for so much Internet traffic and email in general. 

However, in terms of the rate of spam, none of the developed world makes the list.  Instead, countries like Belarus, Indonesia and Vietnam are sending way more than their fair share of spam.  If you look through the list, every single one of these countries is in the developing world.  It’s clear that spammers have greater success compromising computers in nations where the infrastructure is not as developed.

What about the cleanest countries?  What do they look like?  Here’s the list:

image

This list is populated by northern Europe as usual.  Northern Europe, for as long as I have been investigating these statistics (for spam and malware), has always been a model citizen.  Japan and Singapore are similarly good (they are the only two far east Asian countries that are).  But what surprises me about this list is Oman and the United Arab Emirates.  These are not countries that you typically associate with the developed world.

In the case of the UAE, they have a very high rate of immigration (one of the highest in the world according to the CIA World Factbook) and, depending on the source you consult, are classified as having a high human development index.  My theory is that all of the skilled workers are the ones with Internet connectivity.  Since they are skilled workers and have a lot of IT experience, they are very good about keeping their computers patched and up-to-date.  Their places of work will probably have policies around computer security.

Regarding Oman… I admit I am pretty clueless about Oman although the country is made up of 1/6 non-nationals so maybe their situation is similar to the UAE regarding skilled workers.  The fact that they made this list was very surprising to me.  I have to go back and look at my script that does IP/country assignment and see if maybe I have to update my tables.

Anyhow, that’s my list of the top countries that are sending spam and how it compares to Sophos’s list.
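The counting method described in this post, as an added example (not the author's script): relay IPs are mapped to countries, then countries are ranked by spam volume and by spam rate with a minimum-spam floor. The prefix table, the country codes AA/BB/CC, the function names and the sample records are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed IP-to-country table (documentation prefixes, not real allocations).
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "AA"),
    (ipaddress.ip_network("198.51.100.0/24"), "BB"),
    (ipaddress.ip_network("203.0.113.0/24"), "CC"),
]

def country_of(ip):
    """Longest-prefix match on the relaying IP; '??' if the table has no entry."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, cc) for net, cc in GEO_TABLE if addr in net]
    return max(hits)[1] if hits else "??"

def tally(records):
    """records: (relay_ip, is_spam) pairs for mail that got past the IP blocks."""
    total, spam = Counter(), Counter()
    for ip, is_spam in records:
        cc = country_of(ip)  # the relaying IP's country is counted as the origin
        total[cc] += 1
        spam[cc] += int(is_spam)
    return total, spam

def rank_by_volume(records):
    """Countries ordered by total spam messages (favours large senders)."""
    _, spam = tally(records)
    return [cc for cc, _ in sorted(spam.items(), key=lambda kv: -kv[1])]

def rank_by_rate(records, min_spam):
    """Countries ordered by spam share of their mail, ignoring tiny samples."""
    total, spam = tally(records)
    rates = [(cc, spam[cc] / total[cc]) for cc in total if spam[cc] >= min_spam]
    return sorted(rates, key=lambda kv: -kv[1])

# Constructed sample: AA sends a lot of mail at a low spam rate, BB sends less
# mail at a high rate, CC is a tiny sample, and one IP is missing from the table.
SAMPLE = ([("192.0.2.10", i < 300) for i in range(1000)]
          + [("198.51.100.7", i < 90) for i in range(100)]
          + [("203.0.113.5", True)] * 5
          + [("10.9.9.9", True)])

if __name__ == "__main__":
    print("by volume:", rank_by_volume(SAMPLE))
    print("by rate:  ", rank_by_rate(SAMPLE, min_spam=50))
```

A growing `??` bucket, or a country that ranks unexpectedly, is a cue to refresh the IP/country table before trusting the ranking.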

  • Hi, the spam from the USA, UK and Canada is mostly from proxies used by people from Asian countries like India.