Observations on Spam

Sending out spam emails is still one of the major functions of current malware which infects computers. Bot herders – those people who write the malware to infect your computers – rent their bot networks to other criminals who use them to send out unwanted advertisements. We observe an interesting trend in the way spam is sent today.

The peaks in received spam start around 12 a.m. (GMT+1) and end at 7 p.m. (GMT+1). This can be explained by the local time in different locations:

– Across Europe (GMT – GMT+2) this is the middle of the day, so a lot of corporate computers are running

– After 5 p.m. (GMT+1) it is between the start and the middle of office hours in the USA (West coast 8 a.m., East coast 11 a.m.)

– 5 p.m. (GMT+1) is 3 a.m. in Beijing, so China doesn’t add to the amount of spam seen there

– At 5 p.m. (GMT+1) it’s already 7 p.m. in Moscow, so Russia may add some more spam

From the looks of it, most spam seems to be sent during business hours around the globe. This leads to the conclusion that those botnets consist to a large extent of infected office computers. Most of those infected computers seem to be located in the USA and in Europe.

Unfortunately, we don’t yet have GeoIP for spam emails, but we use GeoIP for the dangerous domains our products block (which are advertised in spam emails, for example). For malware and phishing domains, the statistics are quite similar for the most abused location: the U.S. hosts the most phishing and malware-spreading sites, while Germany is in 2nd and 3rd place, respectively.

Bottom line: it is recommended that all companies – even small ones with 10 or fewer employees – use a recent anti-malware product on their computers. This would lead to a huge decrease in spam emails sent.

Sorin Mustaca
Manager International Software Development