On Wednesday, December 9, 2009 at 06:20 (GMT) Project Honey Pot received its billionth email spam message. The message, a picture of which is displayed below, was a United States Internal Revenue Service (IRS) phishing scam. The spam email was sent by a bot running on a compromised machine in India (184.108.40.206). The spamtrap address to which the message was sent was originally harvested on November 4, 2007 by a particularly nasty harvester (220.127.116.11) that is responsible for 53,022,293 other spam messages that have been received by Project Honey Pot.
Every time Project Honey Pot receives a message we estimate that another 125,000 are sent to real victims. Our billionth message represents approximately 125 trillion spam messages that have been sent since Project Honey Pot started in 2004.
At this milestone, we wanted to take a second to report some of our findings. Our goal is not to rehash the same old insights but instead to give a new picture that only looking at five years and a billion data points can produce.
Who Are These Spammers?
Several organizations publish regular reports on the source countries for spam. We have one of our own. The problem is that these reports tell very little about the actual source of spam messages because of the nature of how spam is sent today.
Rather than sending spam directly, spammers primarily use “bot” machines in order to effectively launder their identities. These bots are PCs that have been compromised by a virus and whose owner usually does not know they are being used to send spam. The process is not unlike the stereotypical scene in a movie where the villain keeps his phone call from being traced by relaying it through a number of connections. Similarly, spammers’ use of bots can make their messages look like they are coming from somewhere completely different than their actual location. As a result, lists of spam origin countries tell you very little about where the spammers are actually located.
On the other hand, they can help provide insight into a country’s security policies because they give evidence on the number of bots operating within a country’s borders. Since every country will have a different number of PCs, to make this number comparable we needed to create a ratio. We decided to look at the number of compromised machines operating within the country divided by the number of security professionals operating in the country. This gives us a relative IT security score. As a proxy for the number of security professionals we used members in Project Honey Pot. Here are the results:
Best IT Security
#1 Finland
#2 Canada
#3 Belgium
#4 Australia
#5 Netherlands
#6 United States
#7 Norway
#8 New Zealand
#9 Sweden
#10 Estonia

Worst IT Security
#1 China
#2 Azerbaijan
#3 South Korea
#4 Colombia
#5 Macedonia
#6 Turkey
#7 Viet Nam
#8 Kazakhstan
#9 Macau
#10 Brazil
Because sending spam remains the primary use of bots, Project Honey Pot has a unique perspective on bot network activity. Since 2004, active bots have grown at a compound annual growth rate of more than 378%. In other words, the number of bots has nearly quadrupled every year. In 2009, you could find nearly 400,000 active bots engaged in malicious activity on any given day, with several million active over the course of any month.