The “Dirty Dozen” SPAMPIONSHIP: Who needs to kill the most zombies?

Here they are: the latest “Dirty Dozen” SPAMPIONSHIP tables, detailing the globe’s most dastardly distributors of delinquent data during the first quarter of 2015.

If you haven’t seen the Dirty Dozen before, here’s how it works.

SophosLabs maintains a large network of spamtraps, operated around the world with the express purpose of collecting spam.

And, boy, do they collect spam!

Of course, whenever spam falls into a trap, we can tell where the final step of its journey started by looking at the IP address of the computer from which the offending email was sent.

It’s possible to track back individual IP numbers fairly accurately, sometimes down to a street block, often to a suburb or metro area, and almost always to the sender’s country.

In other words, our spamtraps tell us which countries are the worst senders of spam.

What we’re saying

On a point of order, in case anyone from a Dirty Dozen country should take offence for all the wrong reasons, we’re not saying that the spam senders in our charts are also the worst crooks.

It would certainly be handy for security experts and law enforcement if the senders of spam were the crooks themselves, but that’s not how it works.

Crooks mostly gave up sending spam themselves years ago: they’re more likely to get blocked if all their spam comes pouring out of their own servers, and more likely to get caught.

What the crooks like to do instead is to infect you with zombie malware, which gives them remote control over your computer.

Once they can order your computer around from afar, they send it commands to start spamming for them.

→ To understand how a crook can send commands to your computer remotely even if you have a firewall or a router that blocks all inbound connections, read our explanatory article, How bots and zombies work, and why you should care, or listen to our Techknow podcast, Understanding Botnets.

You pay for spam with your computer’s processing power, with your internet bandwidth, and – because you’re the person whose IP number shows up in the spamtraps – with your reputation.

So if you’re in the Dirty Dozen, you may not be a crook yourself.

But you’re helping crooks out, even if you don’t realise it.

The SPAMPIONSHIP results

With that clarification out of the way, here are the results, which we jokingly refer to as the SPAMPIONSHIP, for Q1 (January-February-March) of 2015.

Firstly, Spam-Relaying Countries by Volume, a chart usually topped by the biggest, most populous, best connected countries:


Secondly, Spam-Relaying Countries by Population, where we divide each country’s contribution by its approximate population.

This makes the results fairer for countries like the USA and China, and means that smaller but spammier countries can’t hide behind their modest total spam volumes:


Spam by volume

The countries in the Spam by Volume chart are almost unchanged since 2014.

Taiwan was in last spot (#12) in Q4 of 2014, but fell out of the list (it’s now at #18); Italy came into the chart at #9 (off the leaderboard at #15 last time); the other 11 countries merely shuffled places.

Interestingly, China hit the #1 spot for the first time last quarter, sending one-sixth of all the world’s spam.

Was this because of temporary deficiencies in the Great Firewall that let more spam out than usual? Was it an indicator that China’s internet penetration and connectivity had finally eclipsed the USA?

We don’t know.

But China is back down to #6 this month, sending just one-twentieth of the world’s spam, leaving top spot to the USA.

Have the residents of China been on a concerted zombie search-and-destroy mission? Has the Chinese Firewall been tweaked to help control spam?

We don’t know.

Vietnam, unfortunately, has continued its climb, this time making it up into second place.

It’s a populous country with a growing economy, but has about the same population as Germany, down at #12, which produces just 40% as much spam.

So, here’s a challenge to Vietnamese computer users: plan on helping your country get out of the Dirty Dozen by next quarter!

If that happens, it means lots of people will have cleaned off zombie malware from their computers, and that will be:

  • Good for them. Fewer crooks snooping around their private files.
  • Good for Vietnam. Less foothold for cybercriminals.
  • Good for the rest of us. Less spam to worry about.

Spam by population

Switzerland is now conspicuous by its absence.

We urged the Swiss to check for zombies back in July 2014, when the country suddenly shot up from 20th place to #3; sadly, however, there was no change in Q3 of 2014, when the Swiss retained their Bronze Medal position.

But in Q4 of 2014, Switzerland was down at #12, and now it’s out of the Dirty Dozen altogether (currently at #31).

Perhaps that could be an encouragement to the Vietnamese, now at #2 by volume, and up to #10 per capita?

Vietnam may have been steadily climbing the SPAMPIONSHIP table, but that trend can be reversed, if the Swiss are any indication.

This quarter’s concerns

The biggest concern this quarter is Moldova, which suddenly popped up as the spammiest nation on earth.

Worse still, it’s much more of a front-runner than we’ve seen recently, with a spam-per-person ratio more than twice as bad as Bulgaria, a serial offender that takes its third consecutive finish in the top three.

According to SophosLabs, Moldova’s spam spike was caused by something of a deviation from the usual pattern of zombified home computers sending spam from all over.

Many of the spams came from a small number of hosting providers, whose high total of available bandwidth made the spike so noticeable.

Whether those providers were hacked by crooks, or merely tricked into signing contracts for hosting services that have been roundly abused, we don’t know.

But we’re hoping that the providers involved will have cleaned up their act thoroughly by the time the next SPAMPIONSHIP comes out.

Spam that comes in a concentrated blast from a rack of zombified servers in a NOC (network operations centre) is, in theory, easier to block, because the same sender IP addresses turn up over and over again.

But that spam is nevertheless being generated and flung out across the globe.

Even if you are able to block spam at the very start of an email connection (what’s called reputation filtering, where you simply don’t trust the sender at all), instead of after the email body has been sent, that’s still a lot of wasted effort.

And the most perplexing result in these figures is Israel, seemingly ensconced at #5, with its third successive finish at that level.

Israel is a tech-savvy country that has been an incubator for numerous successful global computer security firms over the past two decades.

Yet its residents seem to be punching above their weight in the SPAMPIONSHIP.

That’s the very league that no-one wants to win, so this is a problem that needs sorting out.

SophosLabs has dug through the recent spam sender data for Israel, and it looks as though there are no hosting providers to blame in this case, so there is no quick fix to be had from cleaning up a rack or two of hacked servers.

It looks very much like an old-school zombie malware infestation instead.
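
The difference between a few busy hosting racks and a scattered zombie infestation can be measured directly from spamtrap sender data. The following is an added example, not SophosLabs code: it groups sender IPs into /24 networks and reports what share of a country's spam the busiest few networks account for, which is also how much a short reputation blocklist would stop at connect time. The records, the placeholder country codes AA and BB, the /24 grouping and the 0.5 threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

def top_network_share(sender_ips, top_n=3, prefix=24):
    """Fraction of messages sent from the top_n busiest networks (IPv4 only).

    Equivalently: the share of this spam that a reputation blocklist with
    top_n network entries would refuse at the start of the connection.
    """
    nets = Counter(
        ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in sender_ips
    )
    total = sum(nets.values())
    if total == 0:
        return 0.0
    return sum(count for _, count in nets.most_common(top_n)) / total

def profile_senders(records, top_n=3, threshold=0.5):
    """Group (country, sender_ip) spamtrap hits and label each sending pattern."""
    by_country = {}
    for country, ip in records:
        by_country.setdefault(country, []).append(ip)
    report = {}
    for country, ips in by_country.items():
        share = top_network_share(ips, top_n=top_n)
        report[country] = {
            "messages": len(ips),
            "distinct_ips": len(set(ips)),
            "top_share": round(share, 2),
            # Hypothetical labels: a few networks dominating suggests servers
            # in a rack; a flat spread suggests many infected home computers.
            "pattern": "concentrated" if share >= threshold else "distributed",
        }
    return report

# Constructed sample records (documentation and private address ranges only;
# "AA" and "BB" are placeholder country codes, not real measurements).
SAMPLE = (
    # AA: 90 messages from four addresses in one /24, plus 10 one-off senders
    [("AA", f"192.0.2.{10 + i % 4}") for i in range(90)]
    + [("AA", f"10.1.{i}.7") for i in range(10)]
    # BB: 100 messages, each from a different /24
    + [("BB", f"10.2.{i}.9") for i in range(100)]
)

if __name__ == "__main__":
    for country, stats in profile_senders(SAMPLE).items():
        print(country, stats)
```

In this sample, three blocklist entries would stop 92% of AA's spam but only 3% of BB's, which is why the second pattern has no quick fix at the network level.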

Calling all Israelis…scan your computers today!

Kill zombies and other threats with the free
Sophos Virus Removal Tool

This is a simple and straightforward tool for Windows users. It works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.


Coats of arms from Wikipedia’s Gallery of country coats of arms