Spam Levels Continue to Surge, MessageLabs Reports

Spam levels surged in May, but technologies such as traffic and connection management helped reduce or rein in the volume of malicious traffic.

Spam has always comprised the bulk -- the overwhelming majority, in fact -- of all corporate e-mail. Last month, according to Symantec Corp. subsidiary MessageLabs, the spam tally surged even more, eclipsing 90 percent of all business e-mail. That was an uptick of 5.1 percent in just one month.

What happened in May to encourage such an increase?

MessageLabs ascribes the surge to the persistence of botnets. More than half (57.6 percent) of spam is generated by such networks, MessageLabs officials say, with the Rustock and Bagle botnets, in particular, accounting for more than one-fifth of all spam; both networks are heavily based in the Americas. (The single largest botnet, Donbot, is most active in Asia.)

The Americas, and the United States in particular, are disproportionately popular spam targets. Spammers largely hew to GMT -5 or GMT -8 clocks, MessageLabs found: most spam is sent during the U.S. work day.

Thanks to ever greater CAPTCHA-cracking success, spammers have been able to more effectively exploit Webmail services or social networking sites.

"Active profiles on social networks are goldmines for spammers to lure unsuspecting users. All spammers use is a subject line and a valid hyperlink to active profiles on one of a number of major social networking sites," a MessageLabs release indicated. "These e-mails originate from legitimate addresses on some of the main webmail providers making them harder to catch by regular anti-spam filters."

The spam watcher also flagged the appearance of a new spin on the always-intriguing "ransom" e-mail exploit – in this case, Russian language "ransom-style" spam. The content of such messages -- e.g., "We know your target audience,/If you want to get to them/Order e-mail distribution from us/Phone XXX/ICQ XXX" -- doesn't so much amount to a threat as a marketing pitch.

What's intriguing, according to MessageLabs, is that spammers are encoding English language words, phrases, or sentences in the Russian (Cyrillic) character set in order to fool spam filtering technologies. When an encoded message is received by an e-mail client, the client will use Roman character analogs to render the Cyrillic characters. "The unnecessary use of another character set to encode the English language subject is purely to hide the true content of the subject of the message, and a technique sometimes used by spammers to avoid content filters."
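A filter can catch this by decoding the subject before inspecting it and by treating the mismatch itself as a signal. The following Python sketch is an added example, not code from MessageLabs or the original article; the charset list, the function names and the sample subjects are assumptions constructed for illustration.

```python
import base64
from email.header import decode_header

# Assumption: charsets commonly used for Russian text. Their low 128 code
# points are plain ASCII, so English text survives encoding unchanged.
CYRILLIC_CHARSETS = {"koi8-r", "koi8-u", "windows-1251", "cp1251", "iso-8859-5"}

def encoded_word(text, charset):
    """Build an RFC 2047 base64 encoded-word (used only to construct samples)."""
    blob = base64.b64encode(text.encode(charset)).decode("ascii")
    return "=?%s?B?%s?=" % (charset, blob)

def analyze_subject(raw_subject):
    """Return (decoded_subject, suspicious).

    suspicious is True when a part is labelled with a Cyrillic charset but
    decodes to ASCII-only text, i.e. the charset was not needed at all.
    """
    parts, suspicious = [], False
    for payload, charset in decode_header(raw_subject):
        if isinstance(payload, str):      # header had no encoded-words
            parts.append(payload)
            continue
        cs = (charset or "ascii").lower()
        try:
            text = payload.decode(cs)
        except (LookupError, UnicodeDecodeError):
            text = payload.decode("latin-1")  # never fail on odd input
        parts.append(text)
        if cs in CYRILLIC_CHARSETS and text.strip() and text.isascii():
            suspicious = True
    return "".join(parts), suspicious

if __name__ == "__main__":
    # Constructed sample subjects, not taken from real traffic.
    samples = [
        encoded_word("Cheap watches online", "koi8-r"),   # English hidden in KOI8-R
        encoded_word("Привет, как дела", "windows-1251"), # genuine Russian text
        "Quarterly report",                               # plain, unencoded
    ]
    for raw in samples:
        print(raw, "->", analyze_subject(raw))
```

Content rules should then run on the decoded subject returned by `analyze_subject`, not on the raw header, with the flag used as one scoring input rather than a verdict.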

On the "good news" front, malware traffic was down slightly in May, dropping 0.01 percent from April levels. (This number reflects the global ratio of e-mail-borne viruses from "new and previously unknown" sources, according to MessageLabs.) For the month, exactly 7 percent of all e-mail malware featured links to malicious Web sites. That, too, was a decrease -- in this case, of 6.3 percent -- from April's tally.

The number and variety of phishing attacks increased last month -- albeit by just 0.11 percent -- such that 1 in every 279 e-mails (or 0.36 percent of all e-mails) was a phishing attack of some kind. "When judged as a proportion of all e-mail-borne threats such as viruses and Trojans, the proportion of phishing attacks had remained unchanged at 89.7 percent of all e-mail-borne malware and phishing threats intercepted in May," MessageLabs indicates.

Researchers say both traffic and connection management technologies have had some success in terms of reducing or reining in spam levels. "Traffic Management continues to reduce the overall message volume through techniques operating at the protocol level," MessageLabs researchers report. "Unwanted senders are identified and connections to the mail server are slowed down using features embedded in the TCP protocol. Incoming volumes of known spam are significantly slowed while ensuring legitimate e-mail is expedited."

Last month, for example, MessageLabs says it processed an average of 3.54 billion SMTP connections per day, throttling back more than half (58.1 percent) of this traffic because it was "unequivocally malicious or unwanted."

Ditto for connection management, which researchers say is an effective tool with which to combat directory harvesting, brute force, or e-mail DoS attacks. In May, MessageLabs rejected an average of 45.1 percent of inbound messages (as originating from botnets or other known malicious senders).
