Spam evolution: January – June 2009

Darya Gudkova
Elena Bondarenko

Half-yearly update
• The economic crisis has not impacted the volume of spam: spam averaged 85.5% of
email traffic.
• Malicious attachments were found in 0.3% of messages.
• 0.6% of all messages contained links to phishing sites.
• Asian and Latin American countries became the main sources of spam, with a shift away
from Western European countries, the US and Russia.
• The amount of spam advertising small and medium businesses declined during the reces-
sion.
• Spam advertising spammer services has partly replaced messages containing offers for
concrete goods and services.

Spam in mail traffic

Spam in mail traffic, 1H2009

Spam averaged 85.5% of mail traffic over the first half of 2009. The lowest figure was 72.8% on
April 26th, while the highest percentage was 93%, recorded on February 22nd. 0.3% of spam
messages included malicious attachments.
The financial crisis, which began in autumn last year, has not had an impact on the overall vo-
lume of spam in mail traffic: the figures do not differ significantly in comparison with figures for
1H 2008.

Phishing
Phishing-related spam is experiencing an overall decline.

Phishing emails, 1H 2009

Phishing emails accounted for 0.6% of mail traffic in 1H2009. The number of phishing emails
has fallen from month to month (with May being the exception). During Q1 2009, phishing
emails made up 0.78% of mail traffic, dropping to 0.49% in Q2 2009.

Anti-phishing systems now offer users better protection than ever against this type of fraud. Con-
sequently, cybercriminals now find phishing a less profitable and less attractive tactic.
The main targets of phishing attacks 

Organizations targeted by phishing attacks, 1H 2009

The primary target of phishers is still PayPal, with eBay ranking second among the most popular
targets. Over 60% of phishing emails imitate messages from these two organizations. PayPal,
eBay, and major banks have been active in providing users with information about the dangers of
phishing. As a result, users of such systems have become more cautious, and the phishing attacks
targeting them have become less effective. Meanwhile, phishing attacks which target less com-
monly-used services have not been particularly lucrative. These factors may be contributing to
the gradual decline in phishing spam.

Sources of spam on the Russian Internet: regrouping from the West

to the East

Countries 
The top ten countries which are major sources of spam have changed considerably over the past
six months. Less and less spam is coming from Spain and Italy, which previously took 3rd and 4th
places, respectively. These countries are no longer in the top ten, with Germany and Ukraine also
departing from the ranking. More spam now originates in India, Thailand, Romania, and Poland,
all of which are now included in the top ten.

Top ten sources of spam (2H 2008; 1H 2009)

Russia and the US are still the leading sources of spam, but in 2H 2009, they may be displaced as
the amount of spam sent from these countries is falling. In the second six months of 2008, 22%
of all spam was sent from Russia in 2H 2008, but only 11% was sent in 1H 2009. The figures for
the US also fell from 16% to 10%.

By June, only 8% of spam was being sent from Russia. Although the fight against spam in Rus-
sia has been successful, there has not been an ultimate victory, and it's likely that spam sent from
Russia will account for a stable 8 –10% of all spam.

India has seen a boom in spam mailings. In 2008, this country was the source of 2% of less of all
spam, jumping to 4% in Q1 2009. In June, India was responsible for a record 10% of spam on
the Russian Internet, and an average of 7% over 1H 2009. The spammers' focus on India may be
due to a range of factors: on one hand, as a developing economy, the country is beginning to en-
joy the latest Internet technologies, including widespread Internet access. On the other hand, In-
dian users are poorly protected, resulting in mass malware infections designed to create botnets
for sending spam.

The amount of spam originating from Turkey has also increased: in 2H 2008, spam from Turkey
represented just 3% of all spam, but during 1H 2009, this figure more than doubled to 6.6% of all
spam.

The list of European countries which are the top sources of spam has also changed. In 2008, the
top three sources of spam in Europe were Spain, Italy, and Ukraine. This list is now headed by
Poland, Romania and Italy.

Table 1. Top ten European sources of spam

Poland 4.30% +2.30%

Romania 3.00% +2.00%
Italy 2.60% -2.40%
Ukraine 2.00% -1.00%
Spain 1.90% -3.30%
Germany 1.90% -1.30%
Great Britain 1.60% -0.40%
Czech Republic
1.10% +0.70%
France 1.00% -1.60%
Hungary 0.90% 0.50%

In general, the amount of spam coming from Western European countries has decreased noticea-
bly, while the amount of spam sent from Eastern European countries has increased.

Regions 
In terms of the top regional sources of spam, there has been a general transition from West to
East. Nearly twice as much spam is now being sent from Asian countries, with an increase of
18% in 2H 2008 to 35% during 1H 2009. There has also been an increase in spam from Latin
American and Eastern European countries (excluding Russia). Over the same period the amount
of spam sent from Western European countries, compared to 2H 2008, decreased by almost half.
In the second half of 2008, Roughly 20% of all spam was sent from Western European countries
in 2H 2008, with just 12% in 1H 2009.

Sources of spam: 2H 2008, 1H 2009

This transition from the West to the East results from a number of factors: on one hand, the US
and Western European countries have become more proactive in fighting spam. These countries
have closed down spammer hosting sites, improved relevant legislation, and some spammers
have even been held liable for their actions. This makes sending spam from Western Europe and
the US a risky business for spammers. Meanwhile, Asia and Latin America — and Eastern Eu-
ropean countries, to some extent (excluding Russia) — are becoming more attractive to spam-
mers; the number of Internet users in these locations is beginning to increase significantly and
Internet access is becoming more prevalent. Furthermore, Internet users in these countries tend to
be less well protected against malicious programs and less aware of cyber threats.

Essentially, the main sources of spam have more or less transitioned from Western European
countries, the US, and Russia to Asia and Latin America. This is probably good news for end-
users, i.e. those who do not have any partners in these regions can simply choose not to open
messages originating from Latin American or Asian countries. For these people, simple modifi-
cations to spam filter configuration could cut the amount of incoming spam by half.

Spam by category
 Spam on the Russian Internet by category

Most common spam categories, 1H 2009  

1. Medications and health-related goods and services – 22.1% (+2.4%)

2. E-advertising services – 16.6% (+10.9%)
3. Adult content spam – 11% (-8.8%)
4. Education – 10.4% (+0.8%)
5. Fake luxury goods – 7.4% (+1.2%).

For the fourth year in a row, the most common type of spam is still Medications and health-
related goods and services. Most messages in this category advertise medications such as Viagra
and Cialis, as well as diet pills and supplements.

The second place is taken by E-advertising services, replacing the usual leading categories. This
category was in seventh place in 2008.

Adult content spam is still in third place, in spite of a considerable decrease in the number of
such messages. Compared to last year, the figure almost halved. This is probably due to the fact
that most of this type of spam consists of emails designed to lure users to fraudulent websites,
where attempts are then made to get money by persuading the visitors to send SMS messages to
short, premium pay numbers. This type of trick works well until it is uncovered; consequently,
the life span of such scams is limited and the amount of Adult content spam is now on the de-
cline.

The economic crisis and its impact on spam  
While the primary categories of spam remain unaffected, the economic crisis has affected the
distribution of spam categories.

Categories on the rise

First and foremost, the crisis has led to an increase in spammers advertising their own servic-
es. It would appear that the crisis has caused spammers to lose some of their regular clients and
have directed their newly available resources at advertising their own services in hopes of find-
ing new clients.
 Spam advertising spammer services, 1H 2008/1H 2009

During 1H 2008, before the economic crisis began to affect Russia, e-advertising spam made up
approximately 4.3% of all spam. During 1H 2009, this figure skyrocketed to 16.6%.

The amount of Real estate spam has also increased notably in comparison to last year. For the
most part, this type of spam advertises rental properties. In April, such offers accounted for 69%
of all spam in the Real estate category.

Real estate spam, 1H 2008/ 1H 2009

Having lost tenants due to the recession, landlords have actively been advertising their vacant
properties. Some reputable real estate firms may now be using spam as a relatively inexpensive
means of advertising their services.

Categories on the decline

Small and mid-sized businesses (a subgroup which falls into the Other goods and services cate-
gory) appear to have cut spending on spam advertising

Other goods and services spam, 1H 2008/ 1H 2009

On average, the volume of spam in this category fell 4% compared to the same period in 2008.

Prior to the economic crisis, there were a reasonable number of clients ordering travel and tour-
ism spam mailings. Spam in this category account for 8% of all spam in 2008. During 1H 2009,
the amount of spam in this category halved, and now represents just 4%. This drop is clearly re-
lated to the global crisis. Many people's financial situation is now worse than in 2008, and they
have found themselves cutting spending on travel and vacations.

The Travel and tourism spam category is always susceptible to seasonal changes; however,
given the economic background, these were less marked this year.
 Travel and tourism spam, 1H 2008/ 1H 2009

Education spam dropped by approximately 25% in the first five months of 2009. In June, how-
ever, this type of spam returned to pre-crisis levels due to exams at schools and universities.

Education spam, 1H 2008/ 1H 2009

The economic crisis has clearly had an impact on spam advertising goods and services offered by
legitimate businesses. This category represents roughly 35% of all spam. In comparison, in 1H
2008 (i.e. before the recession hit), this type of spam accounted for approximately 45% of all
spam. Despite the increasing amount of real estate spam, overall the amount of spam advertising
goods and services from legitimate businesses has fallen by nearly one-fourth.
Economic conditions have affected the remaining 65% of spam, which includes advertising of
grey market goods and services and, to a lesser extent, fraudulent spam. The reasons are clear:
firstly, anonymity makes it less risky for cybercriminals to find clients using spam than by other
means, and they are unlikely to be bothered by moral concerns. Secondly, some types of fraud
(such as phishing) simply could not exist without spam, since spam is an integral component of
these schemes. Finally, many cybercriminal groupings have their own botnets and therefore the
capability to conduct mass mailings at minimal cost.

Size and type of spam emails

Distribution of spam emails by size

Most spam messages are still 10 kb or less in size. The amount of the smallest spam emails (up
to 5 kb) has increased: in 1H 2009, messages of this size represented 58% of all spam, up from
46% in 2006. The overwhelming majority of such emails provide links to websites. The text of
the emails and the sites they link to can differ from message to message, even if the messages are
all sent in the same spam mailing. Advertising sites are either located on cheap domains (such as
.cn), or domains which use free hosting services. Spammers use such tactics in an attempt to by-
pass spam filters.

As before, most spam emails (45%) are sent in plain text format.
 Distribution of spam emails by type

Graphical spam 
Spam containing images now makes up nearly 15% of spam. This is due to the upswing in
spammers advertising their own services; most such advertisements are sent in image form.
Spammers are striving to achieve two things: to evade spam filters, and make their advertising
attractive. It should be emphasized that not only programmers, but also professional designers
and marketing experts work on spam mailings.

Images often offer the (fake) opportunity to unsubscribe from mailing lists.
 Extract from a spam message

Most emails containing images also contain text. In some cases, the advertising message and
contact information are part of the image, and the text is included merely to create “noise” in or-
der to increase the chances of evading spam filters. In other cases, the text in the message con-
tains contact information (usually a link to a website) and the image is used to draw the reader’s
attention and relay the spammer’s own advertising message.

Conclusion
The countries which act as the main sources of spam are now located in the East rather than the
West. Countries in Asia and Latin America, as well as countries in Eastern Europe (excluding
Russia), are becoming more attractive to spammers since users in these countries are poorly pro-
tected against cyber threats.

It is difficult to say just how long this trend will continue. However, it can be assumed that as
users in Eastern countries become more aware of security issues, the distribution of infected ma-
chines sending spam will level out. Given that computer technologies (thanks to the openness
and accessibility of information) are evolving faster than the economy (due to greater transpa-
rency and access to information) it is likely that the playing field will level out even before de-
veloping regions become highly developed.

In spite of predictions to the contrary, the share of phishing emails has declined. Some may re-
member that in light of the crisis, these fraudulent emails were expected to increase; as a rule,
phishers attempt to use negative situation to frighten users and persuade them into providing per-
sonal information. However, it seems that the anti-phishing measures that have been taken by
major payment systems and banks and increased awareness of cyber threats have begun to the
Internet scammers.

Although the crisis has not affected the overall amount of spam in mail traffic, it has had a con-
siderable impact on the distribution of spam by category. This primarily affects spam advertising
spammer services, which now makes up a record 16.6% of all spam. Meanwhile, the total
amount of spam offering goods and services in the real sector has dropped 10%. The 2008 an-
nual spam report noted that this type of spam acts as an indicator of the ecomonic health of small
and medium-size businesses during financially difficult times. And in fact, compared to the same
period in 2008, spam mailings contained fewer offers from tourism and educational companies
and advertisements for various goods and services. (However, the percentages of these spam cat-
egories increased slightly in June). Only time will tell how long these trends will last.