
Oh, Spammer, Where Art Thou?

Terry Zink

A few weeks ago, I posted a piece on where individual spammers were located in terms of sending IP. The United States was number 1, followed by China, measured by the total volume of spam sent.

However, a second piece of data I did not look at was where the individual spam sites linked from within the spam were located. For example, does much of the spam sent from the United States point to spammy URLs hosted in China? I decided to do a preliminary investigation to find out.

To determine this, I followed these steps:

  1. I took a random sample of 500 URLs from a URL reputation list, drawn from the past 4 days. All of these URLs had to hit our filters (i.e., greater than zero hits) and had to have gotten past our IP blocks.
  2. I took the number of individual spam hits per URL, mapped each URL back to its A-record, and then converted the A-record to its country of origin. In other words, I did URL → A-record → Country.
  3. I then got the distribution of the proportion of IPs hosted in each country, and the proportion of spam mail containing a URL hosted in each country.

The results are below. Again, I emphasize that this represents 4 days' worth of post-IP-blocked mail; it is not necessarily representative of our entire spam mail stream:

To interpret the above chart: out of all the unique IPs mapped back from URLs found in spam, 55% were located in the United States. However, 69% of the total spam messages contained spam URLs on hosts located in the US. In other words, the US has a disproportionate amount of spam pointing to servers located within its borders. While China may have a greater total of URLs registered to it, our content filters are seeing far more spam pointing to web sites located in the US.

In the above chart, the "n/a" column refers to sites for which I couldn't get an A-record. Perhaps the site has been taken down, or maybe it has moved on. But it definitely had a big chunk of spam hits.

If you are interested in which domains are getting hit the most and where they are located, the results are below. I have normalized the data to show the relative frequency with which a site gets hit, using the 16th most frequent URL as the baseline.

Domain                 IP                Country   Frequency
fineunknown.com        72.46.154.186     US        9.4
hxukasln.cn            159.226.7.162     CN        7.6
scsend.com             67.225.194.7      US        4.9
mountainstas.com       65.254.57.198     US        3.1
100freemb.com          209.63.57.10      US        2.8
hrbalife.com           216.10.65.50      US        2.6
ammersmicht.net        69.28.56.4        US        2.4
yourschoolssite.info   67.21.115.90      US        2.2
mp010.net              83.206.207.181    FR        1.6
grapewatches.cn        60.12.166.157     CN        1.6
snurl.com              75.126.161.224    US        1.5
aafter.us              70.84.211.85      US        1.3
reduce-now.com         67.216.82.45      US        1.1
plumbwatches.cn        220.196.42.59     CN        1.1

The United States simply hosts a lot of URLs that are spammed heavily, and that is why it accounts for so much of the spam volume. In this limited sample set, the US both sends the most spam and hosts the most spam.

A few more interesting facts about the top 3 countries (US, China, Russia):

US avg spams: 3532
US median spams: 75

China avg spams: 2095
China median spams: 148

Russia avg spams: 1409
Russia median spams: 40

This confirms what we see above: in each country the average is far above the median, which means a few heavily hit sites dominate the spam volume and skew the statistics.
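The three-step procedure above (URL → A-record → Country, then the share of unique IPs versus the share of spam hits per country), the baseline-normalized frequency table, and the per-country average/median comparison can all be reproduced with a short script. The following is an added example, not code from the original post. The DNS resolver and the IP-to-country lookup are constructed stand-ins (STUB_DNS, STUB_GEO) so it runs offline; the domains and IPs come from the table above, but the hit counts, TTLs and the gone.example domain are invented, and the function names (attribute, distribution, normalized, country_stats, low_ttl) are this example's own.

```python
"""URL -> A record -> country for a sample of spam URLs, plus the share-of-IPs
vs share-of-hits split, the baseline-normalized frequency table and the
per-country mean/median skew check.  Added example; the DNS and GeoIP lookups
are constructed stand-ins so it runs offline."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, median

# Constructed sample of (domain, spam hits).  Domains and IPs below come from
# the post's table; the hit counts, TTLs and gone.example are invented.
SAMPLE_HITS = [
    ("fineunknown.com", 940), ("hxukasln.cn", 760), ("scsend.com", 490),
    ("mountainstas.com", 310), ("gone.example", 300), ("mp010.net", 160),
    ("grapewatches.cn", 160), ("snurl.com", 150), ("aafter.us", 130),
    ("plumbwatches.cn", 110),
]
# Stand-in for a DNS resolver: domain -> (A record, TTL seconds) or None.
STUB_DNS = {
    "fineunknown.com": ("72.46.154.186", 3600), "hxukasln.cn": ("159.226.7.162", 600),
    "scsend.com": ("67.225.194.7", 3600), "mountainstas.com": ("65.254.57.198", 86400),
    "mp010.net": ("83.206.207.181", 3600), "grapewatches.cn": ("60.12.166.157", 120),
    "snurl.com": ("75.126.161.224", 300), "aafter.us": ("70.84.211.85", 3600),
    "plumbwatches.cn": ("220.196.42.59", 3600), "gone.example": None,
}
# Stand-in for a GeoIP database: (prefix, country), longest prefix wins.
STUB_GEO = [(ip_network(p), cc) for p, cc in [
    ("72.46.0.0/16", "US"), ("67.225.0.0/16", "US"), ("65.254.0.0/16", "US"),
    ("75.126.0.0/16", "US"), ("70.84.0.0/16", "US"), ("159.226.0.0/16", "CN"),
    ("60.12.0.0/16", "CN"), ("220.196.0.0/16", "CN"), ("83.206.0.0/16", "FR"),
]]


def resolve_a(domain):
    """(ip, ttl) for the domain's A record, or None if it does not resolve."""
    return STUB_DNS.get(domain)


def country_of(ip):
    """Longest-prefix match in the geo table; 'n/a' when nothing matches."""
    addr, best = ip_address(ip), None
    for net, cc in STUB_GEO:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "n/a"


def attribute(hits):
    """Steps 1-2: URL -> A record -> country.  Names that no longer resolve
    keep their hits but land in the 'n/a' bucket, as in the post's chart."""
    rows = []
    for domain, n in hits:
        rec = resolve_a(domain)
        ip, ttl = rec if rec else (None, None)
        cc = country_of(ip) if ip else "n/a"
        rows.append({"domain": domain, "ip": ip, "ttl": ttl, "cc": cc, "hits": n})
    return rows


def distribution(rows):
    """Step 3: per country, (share of unique hosting IPs, share of spam hits).
    Unresolved domains have no IP, so each one counts once under 'n/a'."""
    ips, hits = defaultdict(set), Counter()
    for r in rows:
        ips[r["cc"]].add(r["ip"] or r["domain"])
        hits[r["cc"]] += r["hits"]
    total_ips = sum(len(s) for s in ips.values())
    total_hits = sum(hits.values())
    return {cc: (len(ips[cc]) / total_ips, hits[cc] / total_hits) for cc in ips}


def normalized(rows, baseline_rank=16):
    """Hits relative to the baseline_rank-th most frequent domain (16 in the post);
    with fewer rows than that, the least frequent domain is the baseline."""
    ordered = sorted(rows, key=lambda r: r["hits"], reverse=True)
    base = ordered[min(baseline_rank, len(ordered)) - 1]["hits"]
    return [(r["domain"], r["ip"], r["cc"], round(r["hits"] / base, 1)) for r in ordered]


def country_stats(rows):
    """(mean, median) hits per domain for each country; a mean well above the
    median means a few heavily hit domains are skewing that country's total."""
    per = defaultdict(list)
    for r in rows:
        per[r["cc"]].append(r["hits"])
    return {cc: (mean(v), median(v)) for cc, v in per.items()}


def low_ttl(rows, max_ttl=300):
    """Domains whose A record TTL is under max_ttl.  A short TTL alone does not
    prove fast flux, but their country attribution is only a snapshot and
    should be re-resolved before drawing conclusions."""
    return [r["domain"] for r in rows if r["ttl"] is not None and r["ttl"] < max_ttl]


if __name__ == "__main__":
    rows = attribute(SAMPLE_HITS)
    for cc, (ip_share, hit_share) in sorted(distribution(rows).items()):
        print(f"{cc:4} IPs {ip_share:6.1%}  hits {hit_share:6.1%}")
    for domain, ip, cc, freq in normalized(rows, baseline_rank=4):
        print(f"{domain:18} {ip or '-':16} {cc:4} {freq}")
    print(country_stats(rows))
    print("re-resolve before trusting country:", low_ttl(rows))
```

On the constructed sample the US holds 50% of the unique hosting IPs but about 58% of the hits, the same shape as the 55%/69% split in the post, and its mean (404) sits well above its median (310) because two domains carry most of the hits. The low_ttl check is the practical answer to the fast-flux objection in the comments: resolve the names again after the TTL expires and see whether the A records and countries are stable before treating the geography as fixed.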

By Terry Zink, Program Manager
Related topics: Cybercrime, Spam


Share your comments

These are mostly fastflux domains Suresh Ramasubramanian  –  Aug 20, 2009 5:45 PM PST

And a domain resolving to an IP in China now will suddenly resolve to somewhere in Brazil within the next minute or two (or whenever the TTL expires). So that's not a usable metric.

Do what I suggested last time - check whois for the domain registrar, and for the contact information in the whois record.

You'll get a rather more accurate metric than what you've posted here.

not mostly fastflux Carl Byington  –  Aug 26, 2009 3:57 PM PST

Checking those names one week later I find:

unchanged chabad.org
unchanged scsend.com
unchanged mountainstas.com
unchanged 100freemb.com
unchanged ammersmicht.net
unchanged yourschoolssite.info
unchanged mp010.net
unchanged snurl.com
unchanged aafter.us
unchanged reduce-now.com
unchanged plumbwatches.cn

ineunknown.com was 72.46.154.186, does not resolve now
hxukasln.cn was 159.226.7.162, does not resolve now

grapewatches.cn was 60.12.166.157, is now 60.12.166.150
That does not look like fastflux to me.

hrbalife.com was 216.10.65.50, is now 69.64.155.125
;; ANSWER SECTION:
hrbalife.com.  3600 IN A 69.64.155.125

With a one hour TTL, that does not look like fastflux either.

chabad.org? Suresh Ramasubramanian  –  Aug 26, 2009 4:03 PM PST

That's a Jewish charity or religious movement or something. Probably got hacked. Then 100freemb.com is a free webhost, snurl is a link redirection / short url service .. pretty mixed bag, that.

Could the spam come from unprotected PCs? Colin Sutton  –  Aug 26, 2009 3:24 AM PST

Perhaps it's easier for spammers to hijack PCs hosted in .CN
The spammer could be anywhere.

Correction to the list Terry Zink  –  Sep 04, 2009 9:56 AM PST

The domain chabad.org was originally on my list and has subsequently been removed. It is a false positive that was being abused by spammers and subsequently listed on a URL blocklist.

