The Dirty Dozen spamming countries – introducing the SophosLabs SPAMMIERSHIP League Tables!


Once every three months, we tot up our country-by-country spamtrap statistics for the previous quarter and calculate the Dirty Dozen.

Of course, this is one “competition” in which getting promoted into the Premier Division of spam senders is a cause for disappointment, not jubilation.

The promotion/relegation analogy is particularly apposite this time.

Three countries exited the Dirty Dozen this quarter, but didn’t drop any lower than the Serie B of spam (places 13-24 on the table).

Likewise, the three countries that took their place in the top flight all came up from the 13-24 range.

And, just like in your favourite football league, the majority of the high-flyers stayed put at the top.

Welcome, then, to the SophosLabs SPAMMIERSHIP League Table:

Click on the image above for a higher-resolution version.

But is it so surprising that the USA is the Man United of the SPAMMIERSHIP, “winning” as often as not, or that China and India are often found near the top?

With more than a billion people each and a thirstily-increasing demand for internet access in both countries, where else would you expect to see China and India except in the Dirty Dozen?

And with more than 300 million people and the lion’s share of the world’s internet connectivity, where else would you expect to see the USA than leading the pack outright?

What, then, if we scale the scores up or down in proportion to each country’s population?

Now things get interesting, becase a rather different story emerges:

Click on the image above for a higher-resolution version.

Half of the volume-based culprits are gone, and countries that would usually fly under the radar when measured on spamming volume alone – like Luxembourg and Singapore – suddenly burst onto the scene.

Don’t be surprised.

This doesn’t mean that usually law-abiding Singapore has turned into a seething swamp of spam-related cybercriminality.

Remember that although the Dirty Dozen denotes the extent to which a country’s computers are used for delivering spam, it doesn’t tell us where the spammers themselves are located.

That’s because most spam is sent indirectly these days, especially if it is overtly malevolent, such as:

  • Phishing emails. These try to lure you into entering passwords into mock-ups of a real site such as your bank or your webmail account.
  • Malware links. These urge you to click links that put you directly in harm’s way by taking your browser to hacked websites.
  • Malware deliveries. These use false pretences, such as fake invoices, to trick you into opening infected attachments.
  • Identity theft. These invite you to reply with personally identifiable information, often by claiming to offer work from home opportunities.
  • Investment scams. These talk up investment plans that are at best unregulated and at worst completely fraudulent.
  • Advance fee fraud. These promise wealth or romance, but there are all sorts of fees, bribes and payments to hand over first.

If the crooks behind this sort of cybercrime were to use their own computers, they’d never be able to send the volume of spam they’d like.

Also, using their own computers would lead law enforcement to their digital doorsteps.

Instead, cybercriminals rely heavily on bots, also known zombies: innocent users’ computers that are infected with malware that regularly calls home to download instructions on what to do next.

Those instructions may say something such as “here is a boilerplate email message, and here is a list of email addresses – send a copy to everyone on it.”

So, if your country is in the Dirty Dozen, it almost certainly has a much-higher-than-average number of unprotected computers that are actively infected with malware.

And if a cybercriminal can secretly tell your computer to send spam to 1000 people you’ve never heard of – leaving you to argue with your ISP why you shouldn’t be thrown off line for antisocial behaviour – then ask yourself this: “What else could he get up to on my account?”

In short, the SPAMMIERSHIP League Tables are meant as a light-hearted way of reminding us all of one very serious aspect of computer security: namely that if you put yourself in harm’s way, you’ll probably end up harming lots of other people, too.

In other words, getting serious about computer security is the easiest sort of altruism: by protecting yourself, you help to protect everyone else at the same time.