
Sophos Reveals Latest Spam-Relaying Countries 181

An anonymous reader writes "For the first time in more than two years, the United States has failed to make inroads into its spam-relaying problem. The U.S. remains stuck at the top of the chart and is the source of 23.2 percent of the world's spam. Its closest rivals are China and South Korea, although both of these nations have managed to reduce their statistics since Q1 2006. The vast majority of this spam is relayed by 'zombies,' also known as botnet computers."
This discussion has been archived. No new comments can be posted.

  • Spam Sources (Score:5, Informative)

    by AaronW (33736) on Monday July 24, 2006 @11:48AM (#15770534) Homepage
    My experience is that around 60-75% of the spam I receive comes from China. On my home mail server I finally broke down and started blocking the worst offending subnets and the amount of spam I received dropped dramatically. There is an RBL for China, cn.blackhole.us, or a combination of China and Korea (cn-kr.blackhole.us), though these are no longer listed and will likely disappear soon.

    I also use several other RBLs which have helped a lot.

    I also decided to add the worst offending subnets in China as rules for my firewall to block. The worst offending subnet is 221.208.208.x where my firewall reports an almost constant barrage of IM spam, and from what I've read, this subnet has been a problem for years.

    For your own blocking, the following script will get all the subnets used by China (or any other country you're interested in, just change $ctry):

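    #!/usr/bin/perl
    # Print every CIDR block APNIC lists for a country (default: cn).
    $ctry = shift || 'cn';
    # The code is interpolated into a shell command, so accept two letters only.
    die "usage: $0 [two-letter country code]\n" unless $ctry =~ /^[A-Za-z]{2}$/;
    # Fetch the listing; the URL is quoted so the shell does not treat '?' as a glob.
    $_ = `wget -O - 'http://www.apnic.net/apnic-bin/ipv4-by-country.pl?country=$ctry'`;
    # Pull out everything that looks like a.b.c.d/nn, one per line.
    print join "\n", /([0-9\.]+\/[0-9]+)/g;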

    At work, where I cannot do this, most of my spam is also received from China.

    Out of the rest of the spam I receive, the US is actually pretty far down on the list of sources, though still much higher than places like the UK, Germany or France. The rest seems to come from places like Poland, Romania and Estonia.
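The script in the comment above prints every token that merely looks like a CIDR block. As an added example (not part of the original post), this Python sketch validates such output, collapses overlapping or adjacent ranges, and renders the result as `ipset restore` input. It assumes ipset as the firewall back end; the set name `country_block` is hypothetical and the sample input is constructed from RFC 5737 documentation ranges.

```python
import ipaddress
import re

# Constructed sample of what the fetch step might print: CIDR-looking tokens,
# some invalid. Documentation ranges only (RFC 5737), not real listings.
SAMPLE = """\
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
192.0.2.77/24
999.1.1.0/24
192.0.2.0/40
"""

CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def parse_blocks(text):
    """Return collapsed IPv4 networks, skipping tokens that are not valid CIDR."""
    nets = []
    for token in CIDR_RE.findall(text):
        try:
            # strict=False masks stray host bits (192.0.2.77/24 -> 192.0.2.0/24)
            nets.append(ipaddress.IPv4Network(token, strict=False))
        except ValueError:
            continue  # octet above 255 or prefix longer than 32
    # Merges adjacent halves and drops ranges already covered by a larger one
    return list(ipaddress.collapse_addresses(nets))


def ipset_restore(nets, set_name="country_block"):
    """Render the networks as `ipset restore` input (set name is hypothetical)."""
    lines = [f"create {set_name} hash:net family inet"]
    lines += [f"add {set_name} {n}" for n in nets]
    return "\n".join(lines) + "\n"


def is_blocked(ip, nets):
    """True if the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE)
    print(ipset_restore(blocks), end="")
    print(is_blocked("198.51.100.200", blocks))
```

Collapsing before loading keeps the set small, and a single firewall rule that matches the set then replaces one rule per subnet.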
  • worrying? (Score:3, Informative)

    by pe1chl (90186) on Monday July 24, 2006 @12:13PM (#15770734)
    "It's worrying to see so many pump-and-dump emails - often with embedded graphics included - being spammed out to the general public," added Cluley. "The people that act upon these emails aren't skilled investors, and don't realise that purchasing the shares is likely to reap no reward, benefiting only the spammers, while creating a financial rollercoaster for the organisation in question."

    Why is this worrying, in the sense that it needs to be mentioned explicitly?
    Most of the general public is not medically educated either, yet we have received spam about all sorts of pills for a long time.
    And many do not know what 419 is, yet lots of those mails are sent as spam.
    Lots of the spam I receive is in far-east languages which most western citizens are not skilled to read.

    SPAM in itself is worrying, but there is nothing especially worrying about pump-and-dump.
  • by jd (1658) on Monday July 24, 2006 @12:25PM (#15770838) Homepage Journal
    TCP is based on packet acknowledgement and it is very doubtful that spammers have thought to check their software for deadlocks or timeouts. Instead of dumping the data, just have the connection hang after it is fully established, or send deliberately malformed acknowledgement packets. The idea here is to try and crash the zombie by either running it out of resources or giving it replies it can't handle.

    Alternatively, if the spammer/zombie computer has port 25 open itself, have a netfilter rule that rewrites the destination address to that of the sender, increases the TTL, and sends the packets back in duplicate. Again, this is a resource-draining scheme. If it's an open relay, it'll get the spam and resend it. I believe the hop count for SMTP is something like 30 and each packet will go two ways along the wire, so it'll take 2^31 as much bandwidth overall, if a sufficiently large number of users set up this kind of loopback. Companies that simply don't care if their machines are zombies will suddenly notice a degradation of their networks but any packet monitoring they do will show all of the packets to have the IP addresses of their machines for both source and destination. At least some will zombie detox to save their sanity.

  • by Homology (639438) on Monday July 24, 2006 @12:27PM (#15770854)
    > Yes, Hormel Foods is based in Austin, MN.

    Hormel Foods sells SPAM not spam, and last time
    I checked they were quite picky about spelling ;-)
  • by fdiskne1 (219834) on Monday July 24, 2006 @01:14PM (#15771198)
    I see a number of people asking the question "But how many computers are there per country?" I found the numbers at:

    http://www.c-i-a.com/pr0904.htm [c-i-a.com]

    Here's what they show. I've added the % of spam coming from each country as the last entry in each line:

    Top 15 Countries in Internet Usage

    Rank  Country           Internet Users (#X1000)  Users%  Spam%
    1.    U.S.              185,550                  19.86   23.2% of spam
    2.    China             99,800                   10.68   20.0%
    3.    Japan             78,050                   8.35    1.6%
    4.    Germany           41,880                   4.48    2.5%
    5.    India             36,970                   3.96    N/A
    6.    UK                33,110                   3.54    1.8%
    7.    South Korea       31,670                   3.39    7.5%
    8.    Italy             25,530                   2.73    3.0%
    9.    France            25,470                   2.73    5.2%
    10.   Brazil            22,320                   2.39    3.1%
    11.   Russia            21,230                   2.27    N/A
    12.   Canada            20,450                   2.19    N/A
    13.   Mexico            13,880                   1.49    N/A
    14.   Spain             13,440                   1.44    4.8%
    15.   Australia         13,010                   1.39    N/A
          Top 15 Countries  662,360                  70.88
          Worldwide Total   934,480                  100

    It looks like the USA's numbers are right about on track with most other countries with China way out in front as to percent of the spam problem compared to percent of Internet connected computers. What's this? France has twice the percent of spams relaying through their country compared to the percent of Internet users? For shame!
  • by phorm (591458) on Monday July 24, 2006 @01:32PM (#15771328) Journal
    I would like to see a per-capita or per-connection statistic for this. I notice that Canada isn't up there on that list, but they do have a lesser population than China/USA (though probably more than many of the others), and alternately a pretty high ratio of connectivity per household/business.

    How about a graph of "# of known connections in country vs amount of spam"? If country X is only contributing 2% of the spam, but they've got 2% of the overall population and only 25% of that is connected... it shows a little more how the local control on such things may be a bit... lax.
  • by El Torico (732160) on Monday July 24, 2006 @02:31PM (#15771750)
    You asked very good questions, so I have an answer for some of them. You noted, "Furthermore, these percentages don't appear to be normalized in any way." AKA the "Is It Good, Or Is It Whack?" question.

    I normalized them (roughly). I found the number of Internet users per country at http://www.clickz.com/stats/sectors/geographics/article.php/5911_151151 [clickz.com] and then calculated what that was as a percentage of the world total.

    On the left are the percentages of spam from the article; on the right is the percentage of Internet users.

    United States    23.2   18.9
    China            20.0   10.7
    South Korea       7.5    3.2
    France            5.2    2.4
    Spain             4.8    1.6
    Poland            3.6    1.0
    Brazil            3.1    2.4
    Italy             3.0    2.7
    Germany           2.5    4.5
    United Kingdom    1.8    3.5
    Taiwan            1.7    1.3
    Japan             1.6    8.0

    Yes, I know that posting plain text is ugly, but my html was even uglier.
