At the end of each calendar quarter, we dig into our spam databases and calculate each country’s scores in a league table we jokingly call the SPAMPIONSHIP.
Unlike conventional sporting events such as the Superbowl, the Six Nations or the Bundesliga, the Spampionship is one title that no team wants to win.
But like it or not, someone has to finish at the top, and that’s how we decide our “Dirty Dozen” spam-relaying countries.
Here they are, for the last quarter of 2013: the countries in the world from which you are most likely to receive those emails you wish you hadn’t.
As you probably expected, the USA came in first place yet again, completing a clean sweep of top finishes throughout 2013.
Of course, that’s not surprising, given that the USA is the third most populous country in the world, and almost certainly the best connected.
China and India, the world’s most populous countries, were also both in the top six in every quarter.
The results become a bit fairer when they are scaled by the population of each country, thus giving an approximate “spam per person” measurement.
We scaled the numbers so that the USA, which drops to a more respectable 27th place when spam per person is concerned, had a rating of 1.0.
In the per-person table, Belarus was the undisputed champion, with a score of 10.4.
Very loosely speaking, that means you are ten times as likely to receive spam from a randomly chosen computer in Belarus as from a random computer in the USA, and that’s been the case all year.
But does that matter? Is spam still something to worry about? Do the Belarusians need to lift their game?
After all, the security news has been dominated lately by data breach after data breach, with credit card numbers and other personal information stolen en masse from customers who did nothing wrong or insecure themselves.
Given that a lot of spam either gets knocked out by spam filtering (so we never see it) or is woefully obvious at a glance (so we never bother to read it), should we care at all?
Why spam still matters
Spam is almost always sent by regular computers – in other words, by desktop or laptop computers at home or at work – rather than by dedicated email servers.
You’re probably familiar with the process by now:
- Your computer gets infected with a bot, also known as zombie malware.
- The bot “calls home”, typically using a simple web download, to fetch a spam message and a list of addresses to send it to.
- The bot sends the message over and over again, using your computer and your internet connection to clock up the mail deliveries.
- GOTO 2.
Why do criminals go to such lengths to get you to send their spam?
The reasons are simple:
- You appear as the originator of the message, so if anyone gets blocked for spamming, it’ll be you.
- You pay for the traffic, so the crooks don’t have to.
- You act as an online anonymiser for the crooks, so they stay out of sight.
In short, by getting you to send their spam, the crooks have effectively woven you, and your computer, and your internet connection, into the fabric of their cybercriminal operations.
The global nature of the threat
If your country isn’t in the Dirty Dozen, it’s easy to feel smug, or at least complacent.
Don’t do that: if you’re a spam sender, Dirty Dozen or not, you are a net positive contributor to cybercrime.
The most obvious message from the Dirty Dozen charts – both by volume and by population – is that the problem of zombified computers spewing spam is a truly global one.
Every region of the world is strongly represented, with the exception of Africa. (And Antarctica, of course, but no country “owns” it and it has a population well below 300,000, so it would be excluded from our lists anyway.)
Western, Central, Northern and Eastern Europe; the Middle East; North and South America; South East Asia and the Subcontinent: all sizes and shapes of economies, speaking a Babel of different languages, make it onto the list.
And in most cases, those countries made it onto the list because a statistically significant proportion of their residents are going about their business online using computers that are actively infected by remote-control malware.
That bears repeating: their residents are going about their business online using computers that are actively infected by remote-control malware.
We need to act
If crooks can remotely instruct your computer to send spam to tens of thousands of randomly-scattered recipients, stop for a moment to think what else they can do at your expense.
Zombie malware that is capable of spamming almost always includes functionality that is even worse, such as:
- Downloading additional malware, such as CryptoLocker, which scrambles your data and demands $300 if you want to get it back.
- Searching for and stealing data such as account passwords, payment card numbers, personal documents, and more.
- Scouring your hard disk for email addresses to add into the spammers’ databases. (So you contribute not just to today’s spam, but to tomorrow’s spam as well!)
- Mapping out the network inside your firewall for future attackers.
- Attacking third party web sites and servers with worthless traffic to knock them off the air, either to benefit an unlawful competitor or to extort money in return for turning off the attack.
So the spam aspect of malware infection is just a symptom – the start of the problem.
Zombie malware means the crooks are already on the inside, and it’s up to you to turf them out.
(Audio player not working? Listen on Soundcloud.)
Don’t be complacent
It’s almost exactly 10 years since Bill Gates famously told the World Economic Forum in Davos, Switzerland, that spam would be a thing of the past within two years.
We can laugh at Bill’s apparent naivety if we like – indeed, we thought his two-year timeframe was unrealistic back in 2004 – but at least part of the “problem that won’t go away” is of our own making.
Don’t be complacent: look out for your own security, and if you are the IT expert for your friends and family, look out for them too.
Remember, getting rid of malware gets rid of spam at the same time.
That helps to make every country, whether it’s in the Dirty Dozen or not, a safer place to go online.