Project Honey Pot: One billion spams and counting

Written by John P Mello Jr on December 29, 2009
Billionth spam received by Project Honey Pot.

Billionth spam received by Project Honey Pot.

Project Honey Pot announced earlier this month a dubious achievement. It had attracted its one billionth spam message. The ejunk purported to be from the U.S. Internal Revenue Service and informed its recipient:

“After the last annual calculation of your fiscal activity we have determined that you are eligible to receive 760,635 tax refund under section 501(c)(26) of the Internal Revenue Code. Please submit the Tax Refund Request form and allow us 3-9 days to process it.

“Yours faithfully,
“Sarah Hall Ingram, Commissioner”

Although the spammers forgot to put a dollar sign in front of the refund amount, they were accurate in some other details in the message. There is a section 501(c)(26) of the Internal Revenue Code. It lists non-profit organizations exempt from some federal income taxes, and subsection (26) includes in that category “State-Sponsored Organization Providing Health Coverage for High-Risk Individuals.”

Sarah Hall Ingram is an IRS commissioner, but not the IRS commissioner, as the letter would lead one to believe. However, she is the commissioner of the agency’s Tax Exempt/Government Entities Division, which would be a believable source for the message.

Project Honey Pot is a community of tens of thousands of web and email administrators from more than 170 countries around the world who are working together to track online fraud and abuse.

According to the Project, the IRS spam was sent from bot malware running on a compromised machine in India. It noted that the email address used by the bot was originally harvested on Nov. 4, 2007 by a grim reaper that has sent more than 53 million messages to the address since that time.

“Every time Project Honey Pot receives a message we estimate that another 125,000 are sent to real victims,” the group revealed in a Web posting. “Our billionth message represents approximately 125 trillion spam messages that have been sent since Project Honey Pot started in 2004.”

In that posting, the group disclosed an interesting ranking of states based the number of compromised machines operating within a nation’s borders divided by the number of security professionals operating in it. Based on that methodology, the country with the best IT security was Finland, followed by Canada, Belgium, Australia, the Netherlands, United States, Norway, New Zealand, Sweden and Estonia. The state with the worst IT security was, not surprisingly, China, followed by Azerbaijan, South Korea, Columbia, Macedonia, Turkey, Vietnam, Kazakstan, Macau and Brazil.

Botnets remain the number one delivery choice of spammers, the Project noted, and the number of active bots has increased at a staggering rate since mid decade.

“Since 2004, active bots have grown at a compound annual growth rate of more than 378 percent,” it reported. “In other words, the number of bots has nearly quadrupled every year. In 2009, you could find nearly 400,000 active bots engaged in malicious activity on any given day with several million active over the course of any month.”

In addition to ranking countries by their IT security, the Project ranked nations by their populations of harvesters. The group explained that identifying where spammers are located is difficult.

“Rather than sending spam directly, spammers primarily use ‘bot’ machines in order to effectively launder their identities,” the group explained. “These bots are PCs that have been compromised by a virus and whose owner usually does not know they are being used to send spam.”

“The process is not unlike the stereotypical scene in a movie where the villain keeps his phone call from being traced by relaying it through a number of connections,” it explained. “Similarly, spammers’ use of bots can make their messages look like they are coming from somewhere completely different than their actual location. As a result, lists of spam origin countries tell you very little about where the spammers are actually located.”

There’s one activity, however, that spammers can’t launder: harvesting email addresses. Unlike distributing spam, which can be done from many machines at once, harvesting requires crawling from site to site, in serial, snatching email addresses. Since machines used for harvesting tend to be more permanent and stable, their location reveal where spammers are likely to be hiding out, the Project reasoned.

Where are the harvesters located? Their number one fav place is the United States, followed by Spain, the Netherlands, United Arab Emirates, Hong Kong, Romania, Great Britain, China, South Africa and Germany.

  • (required)
  • (required)