Just under 86 per cent of spam sent to 1,000 enterprises between May and July came from U.S. spammers, according to a survey by CipherTrust Inc. In contrast, just over two per cent of spam originated from Canada.
While U.S. IP (Internet Protocol) addresses made up only 28 per cent of the spam-sending addresses in CipherTrust’s survey, those U.S. addresses sent out much more unsolicited commercial e-mail than spammers from other nations, according to the company. Nearly 29 per cent of the IP addresses sending out spam during the three-month survey were in South Korea, while only three per cent of the spam came from there.
The survey, which sampled about 5 million pieces of spam sent to 1,000 CipherTrust customers, runs counter to some other surveys and to some critics of the U.S. Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, who suggested a law would have a limited effect because of the amount of spam that comes from outside the U.S. CAN-SPAM, which allows fines of up to US$6 million and up to five years of jail time for some fraudulent spamming activities, was signed into law by U.S. President George W. Bush in December.
CAN-SPAM sponsor Senator Ron Wyden, an Oregon Democrat, pushed for the law as a way to go after a small number of “kingpin” spammers, and Dmitri Alperovitch, a research engineer with CipherTrust, suggested that the survey shows that there is, indeed, a small number of U.S. spammers sending millions of pieces of spam.
“I was really very surprised by the numbers,” Alperovitch said. “(Kingpin spammers) have these very high-bandwidth computers, and they’re able to send out a large amount of spam.”
According to the survey, just under three per cent of spam came from China and Hong Kong, just over two per cent from Canada and about 1.5 per cent from the Ukraine. Of the IP addresses sending spam, 23 per cent were from China and Hong Kong, and another four per cent were from Brazil.
In contrast, competing antispam vendor Commtouch Software Ltd. in April suggested 40 per cent of spam came from outside the U.S. Commtouch’s survey, however, didn’t measure the total number of spam messages sent, but the number of spam “outbreaks,” and the company defined an outbreak as the bulk sending of one spam message.
During CipherTrust’s survey, Alperovitch also noticed another trend: an attempt by some spammers to make it harder for recipients to unsubscribe from spam messages. While CAN-SPAM requires that senders of commercial e-mail include an “Internet-based” opt-out mechanism, some spammers have included only postal addresses in their opt-out messages, requiring recipients to send paper mail to the spammers to opt out of future spam.
CipherTrust has supported government efforts to attack spam, but enforcement and technology solutions are needed along with laws, said Jennifer Martin, CipherTrust’s manager of corporate communications. “The teeth that are in (the law) aren’t teeth enough,” she said.
More enforcement against large spammers is needed, added Alperovitch. “They don’t have the fear of God in them,” he said.
CipherTrust is an e-mail security company based in Atlanta.