
Think China Is the Highest Spamming Country? Think Again

Terry Zink

In my department, we block about 92% of our total email (around 2.5 billion per day) at the network edge without accepting the message. When we do that, we don't see any traffic from that IP anymore and don't keep stats on it due to the overwhelming volume of mail. However, we do keep stats on mail that we block with our content filter.

I decided to go and calculate how much spam we receive from each country by mapping the source IP back to its source country. The results are below:

 Rank    Country            % of all spam
----------------------------------------------
   1    United States        30.95%
   2    China                10.37%
   3    South Korea           9.53%
   4    Brazil                4.71%
   5    Argentina             2.47%
   6    Russia                2.47%
   7    Spain                 2.17%
   8    Great Britain         2.13%
   9    Poland                1.93%
  10    Japan                 1.88%
  11    Canada                1.77%
  12    Romania               1.72%
  13    Czech Republic        1.51%
  14    India                 1.48%
  15    Italy                 1.44%
  16    France                1.36%
  17    Germany               1.29%
  18    Turkey                1.23%
  19    Chile                 1.02%
  20    Australia             1.01%

If you were to look at this chart, you'd probably say "Hey, that tells us what we already know. The United States is the spammiest country in the world, followed by China. That Brazil, Argentina and Russia are on there comes as no surprise."

But is this the best way to measure how spammy a country is? I decided that I had to normalize the results. Of course countries with bigger populations will be in the top 20: there are more people and therefore more potential for spam. To normalize the data, I determined how many Internet users there were in each country by pulling the figures from the web. I then created a Spam per Internet User rating by dividing the total amount of spam by the total number of Internet users. This normalizes the data: a country with a very large population does not necessarily outrank one with a smaller population. The results are below, with the caveat that a country requires at least 2.5 million Internet users to get onto the table:

 Rank  Country       Internet Users    Spam Per User
---------------------------------------------------
  1    Czech Republic     4,991,300    4.38
  2    South Korea       36,794,800    3.75
  3    Romania            7,430,000    3.35
  4    The Netherlands    5,470,000    2.49
  5    United States    222,723,436    2.01
  6    Argentina         20,000,000    1.79
  7    Chile              8,368,719    1.76
  8    Slovakia           3,018,400    1.75
  9    Hungary            5,215,400    1.66
 10    Ukraine            6,700,000    1.62
 11    Poland            20,020,362    1.40
 12    Singapore          3,104,900    1.35
 13    Denmark            4,408,100    1.30
 14    Greece             4,932,495    1.23
 15    Israel             5,263,146    1.21
 16    Spain             27,028,934    1.16
 17    Canada            23,999,500    1.07
 18    Portugal           4,249,200    1.05
 19    Brazil            67,510,400    1.01
 20    Sweden             7,295,200    0.95

Looking at this table, the numbers completely change. The United States drops from first place to fifth place. China doesn't even make the top 20! The Czech Republic, which was 13th on the previous list, bolts up to number 1. South Korea moves up one spot to 2nd, and Romania climbs nine spots from 12th to 3rd. The Netherlands didn't even rank on the previous chart but clocks in at 4th place when the data is normalized against the base of Internet users.
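A consistency check on the two tables, added here as an example (it is not code from the original post): if the rating is spam divided by Internet users, then rate × users ÷ share should be one constant for every country that appears in both tables. The figures are copied from the tables; the function names, the use of the median and the bound on China's user count are choices and inferences of this example.

```python
from statistics import median

# First table: country -> % of all content-filtered spam (rows reused below).
SHARE_PCT = {
    "United States": 30.95, "China": 10.37, "South Korea": 9.53,
    "Brazil": 4.71, "Argentina": 2.47, "Spain": 2.17, "Poland": 1.93,
    "Canada": 1.77, "Romania": 1.72, "Czech Republic": 1.51, "Chile": 1.02,
}
TOP20_SHARE_CUTOFF = 1.01   # Australia, rank 20 in the first table
# Second table: country -> (Internet users, spam per user).
PER_USER = {
    "Czech Republic": (4_991_300, 4.38), "South Korea": (36_794_800, 3.75),
    "Romania": (7_430_000, 3.35), "The Netherlands": (5_470_000, 2.49),
    "United States": (222_723_436, 2.01), "Argentina": (20_000_000, 1.79),
    "Chile": (8_368_719, 1.76), "Slovakia": (3_018_400, 1.75),
    "Hungary": (5_215_400, 1.66), "Ukraine": (6_700_000, 1.62),
    "Poland": (20_020_362, 1.40), "Singapore": (3_104_900, 1.35),
    "Denmark": (4_408_100, 1.30), "Greece": (4_932_495, 1.23),
    "Israel": (5_263_146, 1.21), "Spain": (27_028_934, 1.16),
    "Canada": (23_999_500, 1.07), "Portugal": (4_249_200, 1.05),
    "Brazil": (67_510_400, 1.01), "Sweden": (7_295_200, 0.95),
}
TOP20_RATE_CUTOFF = 0.95    # Sweden, rank 20 in the second table


def scale_factors():
    """rate * users (millions) / share % for countries in both tables."""
    return {c: rate * users / 1e6 / SHARE_PCT[c]
            for c, (users, rate) in PER_USER.items() if c in SHARE_PCT}


def implied_share_pct(country, k):
    """Back out a country's share of all spam from its per-user rate."""
    users, rate = PER_USER[country]
    return rate * users / 1e6 / k


def min_users_millions(country, k):
    """Inference: fewest users that keep `country` at or below the rank-20 rate."""
    return SHARE_PCT[country] * k / TOP20_RATE_CUTOFF


if __name__ == "__main__":
    ks = scale_factors()
    k = median(ks.values())
    print(f"scale factor {min(ks.values()):.2f}..{max(ks.values()):.2f}")
    for c in sorted(set(PER_USER) - set(SHARE_PCT)):
        print(f"{c:16s} implied share {implied_share_pct(c, k):.2f}%")
    print(f"China: at least {min_users_millions('China', k):.0f}M users")
```

The factor stays within rounding error of a single value across the ten overlapping countries, and every country that appears only in the second table backs out to a share below the first table's rank-20 cutoff, so the two rankings are mutually consistent.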

The normalized data set changes my perception of who is spamming and who is not. China may send a lot of spam but Eastern Europe sure seems a lot more spammy than the Chinese. Indeed, the top 5 countries are much more efficient at spamming the rest of the world than the less developed countries. I'm not sure what this means in terms of how to interpret the data. Does it mean that these developed countries are lax in their security policies? Does it imply that they are complicit in spamming? Does it imply that spammers are better organized over there?

In any case, another interesting study would be a projected spam count: if China had the same Internet penetration as Iceland (which is 90% of its population), then using the Spam Per User ratio, how much of the world's spam would they be responsible for? That would be a good follow-up post.

By Terry Zink, Program Manager

Share your comments

Depends on what sort of metric you use. Spam origins don't tell the entire story. Suresh Ramasubramanian  –  Jul 18, 2009 6:40 PM PDT

When it comes to domains registered on a particular ccTLD / in registrars of a particular country and used in spam, China is head and shoulders at the top.

For example -

Domains blocked: 5642

Top 10 TLDs:
3401 .com
970 .cn
558 .net
314 .info
131 .in
89 .org
51 .uk
49 .ru
18 .biz
16 .us

Out of which - just picking the China-based registrars -

950 XIAMEN ENAME NETWORK TECHNOLOGY CORPORATION LIMITED DBA ENAME CORP
易名中国
154 CHINA SPRINGBOARD INC.
China Springboard Inc. (R1749-LROR)
145 ONLINENIC, INC.
81 XIN NET TECHNOLOGY CORPORATION
北京新网数码信息技术有限公司
66 GUANGZHOU MING YANG INFORMATION TECHNOLOGY CO., LTD
59 XIAMEN CHINASOURCE INTERNET SERVICE CO., LTD.

It's true that I did not measure Terry Zink  –  Jul 20, 2009 2:48 PM PDT

It's true that I did not measure where the spamming domains are hosted.  I only did this study based upon who is sending the spam, not where the spammy domain is located.  That would be another good study to compare.

That by the way is last week's "weekly domains blocked report" Suresh Ramasubramanian  –  Jul 18, 2009 6:41 PM PDT

For domains listed in ob.surbl.org

Statistics from a single point are hardly conclusive Colin Dijkgraaf  –  Jul 19, 2009 4:49 PM PDT

In my opinion statistics about spam received at a single or even a small number of domains on the internet are too narrow a sample to reach any conclusions about worldwide spam.
To get more accurate measures you need to have a much wider net, such as Project Honeypot:
http://www.projecthoneypot.org/statistics.php

Honeypot's stats are not bad either Suresh Ramasubramanian  –  Jul 19, 2009 5:55 PM PDT

But I don't see them tracking domains found in spam, sorted by ccTLD / registrar. And ob.surbl (whose stats I quoted) is fed from like 400k ++ domains, 40 million users. I hope that meets your exacting (and quite appropriate) criteria?

I wouldn't spam my neighborhood Alessandro Vesely  –  Jul 21, 2009 7:56 AM PDT

If I were spamming from China I would be careful to target foreign victims, otherwise it would be too easy for one of them to find out where to complain and possibly shut down my zombie, account, or contract. Normalizing by recipient country may also be interesting.

Well - it cuts both ways. Suresh Ramasubramanian  –  Jul 21, 2009 9:30 PM PDT

There's a huge amount of "local" (Chinese language, for a Chinese audience) spam sent by bots, but you wouldn't see it in a provider that's primarily English language. If you run freemails or ISPs with .cn / .hk / .tw domains, you'd see that too.

The typical spam that's sent by these domains I was referring to appears to be pill / porn, sent using fastflux domains, bots etc.  Some mule recruitment, phish etc as well. Mostly in English, targeted at an American audience.

Is it worth distinguishing I18N from local spam? Alessandro Vesely  –  Jul 22, 2009 12:53 AM PDT

I'm not sure what "local" means. On an Italian MX I see a portion of spam targeted to Italians. However, part of it has obviously been translated automatically by non-native speakers. Spammers have i18n problems just like the rest of us, but I wouldn't classify a multilingual tidal as "local".

By local I mean Chinese language spam Suresh Ramasubramanian  –  Jul 22, 2009 7:08 PM PDT

That advertises Chinese products / websites to a Chinese audience, has content written by a native Chinese speaker, etc.  Quite often these are legitimate products that just "hired an email marketer", who then sends out advertising using unethical means.

There's at least one spammer for example who keeps sending spam advertising Chinese electronics factories, restaurants etc - through hacked Hotmail and Yahoo accounts.

There's of course no shortage of local MLM, scams, porn etc being advertised through the same means.

The sort of spam where (say) a Nigerian scam is run through Google Translate before sending to Italians is not what I'm talking about. That exists, it's not unknown - but the volume of "local spam" that's targeted at a local audience - but as it's indiscriminately targeted spam, ends up mailing people who don't live there, don't speak the local language etc.

How do you know it's actually spam Michele Neylon  –  Jul 25, 2009 1:37 PM PDT

How do you know it's actually spam from that country? While the source IP may be located in the country in question it could just as easily be argued that the devices sending the spam are compromised PCs / servers. Whether or not the actual spammers are located in the countries listed or not is, therefore, harder to prove.
