Australia has a serious problem

Last week, Graham Cluley of SophosLabs posted an article indicating that China had slid off the list of the top 10 spam relaying countries in the world.  Here is the list, according to Sophos:

The top twelve spam relaying countries for January to March 2010

1. USA – 13.1%
2. India – 7.3%
3. Brazil – 6.8%
4. South Korea – 4.8%
5. Vietnam – 3.4%
6. Germany – 3.2%
=9. United Kingdom – 3.1%
=9. Russia- 3.1%
=9. Italy – 3.1%
10. France – 3.0%
11. Romania – 2.5%
12. Poland – 2.4%

I decided to do my own quick investigation.  Mine isn’t quite as historically oriented as Cluley’s, but I decided to check to see how much spam we have been receiving since Feb, 2010, from a particular set of botnets that I track (15 in total) and only IPs that make it past our RBL checks.  By combining this with botnet statistics, I built a different set of results.

A couple of months ago, I wrote that certain botnets send the most spam, but it depends on how you count it.  You can either count it by total envelopes, or total messages.  An envelope can contain multiple messages since a botnet can put more than one To: address on the RCPT TO in an email connection.  I decided to check to see which country sends the most messages according to specific botnets (but not all spam – this means that a lot of the spam that I track was left unattributed since I cannot attribute every single IP to a botnet).

To do this, for the Feb – April time frame, I determined the average number of spam messages per botnet.  I then calculated the total number of envelopes each IP sent (that is attributed to a botnet) and multiplied by the average.  Then, I took each IP and divided it up into each country.  The result is the total amount of spam each country sends, accounting for botnet characteristics.  Below are the results:

  1. USA – 14.3%
  2. South Korea – 14.2%
  3. Australia – 13.9%
  4. Canada – 6.2%
  5. China – 6.1%
  6. Brazil – 5.3%
  7. India – 4.1%
  8. Great Britain – 3.7%
  9. Russia – 3.0%
  10. Japan – 2.6%

A few points to discuss here:

  • The United States is number one and that agrees with Sophos’s overall results.  Rustock is the largest botnet and it is overwhelmingly sending spam based out of IPs in the US.  Without rustock, the US would drop down to third place.

  • South Korea is number two and that doesn’t agree with Sophos, at least for this time frame.  In our stats, it ranks number 1 or number 2 in 12 separate botnets (the US ranks first or second in only six botnets).  For us, South Korea is one of the worst offenders when it comes to spam.  I wouldn’t be surprised if it eventually overtook the US.
  • Australia has a serious problem.  The reason it has such a serious problem is that according to our statistics, it is the number one source for IPs for the lethic botnet.  Lethic is not a botnet that we have a problem stopping, but it sends the most messages per email envelope.  In terms of spam messages per IP, it averages 8 times as many as its nearest competitor (bagle-cb).  Thus, if you have a problem with lethic, you are going to have a serious problem with spam because it pumps out so many messages per connection.  It is attempting to push out as much as it can with limited resources.  This contrasts it with rustock which has a considerably wider footprint of spamming IPs but sends out fewer messages per IP.
  • Canada and the US both have problems with lethic as well.  This explains why Canada accounts for slightly more spam than China.  China’s infections problems are cutwail and cutwail2.  Cutwail2 is the third “heaviest” botnet but still far trails lethic.

To be fair to Sophos, they have tracked a different time frame than I did and they haven’t restricted their numbers the way I have with botnets.  Still, the two big divergences between the two of us is that South Korea hits us much harder and so does Australia.

Comments (3)

  1. Daniel Quinlan says:

    These statistics are not very telling about how well countries manage their bot problem unless you pro-rate based on the number of internet users.

  2. tzink says:

    True.  I have not normalized that data.

  3. Lucius Lobo says:

    Australia shows up significantly in your analysis which indicates there is a significant production of localised spam i.e the spam source and the spam destination are both in Australia.

Skip to main content