Netherlands Study: Spam Comes from the Wrong Side of the TracksWritten by Malcolm James on June 10, 2013
If the Internet universe was analogous to the Star Wars universe, then Spam wouldn’t be the Emperor. Nor Darth Vader. It wouldn’t even be Boba Fett. As slimy as spammers are, they wouldn’t be in the same discussion as Jabba the Hutt or General Grievous. No sir. At very best, spammers would be likened to Salacious Crumb, Jabba’s creepy little rat-like pet, and that’s a perfect analogy of the role spammers play in the Internet universe.
As it turns out, the University of Twente, in the Netherlands, agrees with that assessment, sort of. Giovane Moura of the University’s Centre for Telematics and Information Technology recently published a study where more than 42,000 Autonomous System Numbers (ASNs) were monitored online using the Composite Blocking List (CBL). ASNs establish the routing and originating IPs for email, and so the researcher was able to track spam messages back to their originating servers, and guess what? Spammers truly are creepy little rat-like denizens, in the sense that they come from bad neighborhoods.
The study found that a huge portion of the world’s spam traffic can be reduced to a very small number of sources, the ‘bad neighborhoods,’ per se. Almost half of the globe’s spam traffic has been identified as belonging to less than half of a percent of the world’s Internet providers, and that’s a promising new development in the ongoing war on spam.
The University’s website explains it thusly:
“Just like in the real world, the internet has also “bad neighbourhoods” whose streets are not safe and where crime rates are higher than in other districts. Research into these “Bad Neighbourhoods on the Internet” can lead to better security solutions. To this end, Moura has carried out the first systematic investigation of malicious hosts, by monitoring and analysing network data. His main conclusion is that malicious activity is indeed concentrated in limited zones: areas in which the IP addresses show strong similarities, per ISP, or even per country. For instance, this PhD researcher found that 62% of the addresses at one ISP were related to spam. This knowledge can be used to link security measures to specific ISPs.”
If you’ve ever gone fishing, you know that when you find that one spot that’s good to you, you’ve found your favorite fishing hole, and none other will do. It’s somewhat the same for phishers, apparently. What’s also interesting about the study is how it identifies geographical ‘hot zones’ for different types of spamming activity.
“Different types of activities are associated with different parts of the world. For instance, spam comes mainly from southern Asian countries, while phishing occurs primarily in the United States and other developed countries.”
The main reason for the latter – the phishing activity – interestingly enough, is that the U.S. and other developed countries contain the most data centers and cloud computing providers. And we’ve long known that Asia has been a hotbed for spam activity, but knowing that such a huge amount of spam can be isolated to a few ‘bad neighborhoods’ is promising, to say the least.
It’s important, the University’s site writes:
“to distinguish between individual IP addresses that launch one-off attacks and a whole Bad Neighbourhood that almost always launches repeated attacks. This information, too, is very useful in terms of establishing a security strategy. The history of a Bad Neighbourhood, as identified by [Giovane Moura], can be of value here.”
Shock and Awe
The implications of this study are very encouraging, since we now know that spam and its related fraudulent activities can be isolated and identified in a few narrow spaces. Imagine being able to flick the switch on some of these ISPs and reduce the world’s spam by a significant margin. For example, the study identified a single ISP in Nigeria (where else?) where more than 60% of the ISPs traffic was spam-related.
Now that we know a huge chunk of the malicious code-based spam is coming from Asia, we may be able to develop additional defenses against messages originating in that area. Also, consider that now, because we know that phishing is isolated in the U.S. and more developed countries, we can focus anti-fraud efforts designed to target phishing-like activities in those countries.
The Sydney Morning Herald says it all, pointing out that the “most sobering statistic [of the study is] that just 20 ISPs – or less than 0.0005 per cent the world’s total 42,000 – represented almost 50 per cent of all spam sources.”
You may want to take the time to read the report. Copies of the report are available upon requests to the University of Twente.