We all know about spam — clogging up our inboxes with adverts for Viagra and too-good-to-be-true offers from renegade African diplomats.
But who is actually responsible for sending it?
It might surprise many CNN.com readers to hear that the number one source of spam is not Nigeria, or China, but the USA, according to a report released on April 28.
The study by IT security and control firm Sophos lists the dirty dozen top spam-relaying nations and claims the USA is responsible for 13 percent of the global total, adding up to hundreds of millions of junk messages. India (7.3 percent), Brazil (6.8 percent), South Korea (4.8 percent) and Vietnam (3.4 percent) make up the top five.
China — often blamed for cybercrime by other countries — comes in at 15th place with responsibility for relaying just 1.9 percent of the world’s spam. A similar study earlier this year by Computer security firm Symantec found that the majority of targeted malware — malicious software that includes viruses, “Trojans” and “worms” — sent in March 2010 originated in the U.S. based on mail server location, at 36.6 percent.
It also placed London at number three in the list of cities sending out targeted malware attacks responsible for 14.8 per cent. (They named Shaoxing, China, as number one.) Spam is not just annoying, it is a serious problem for many businesses and responsible for a staggering 97 percent of all email received by business email servers, according to Sophos, putting both a strain on resources and wasting a huge amount of time.
But why is so much of it coming from developed western economies? Virtually all spam is sent from computers infected with malware (called bots, or zombies) that are then controlled by cybercriminals — called “botherders” — without the owners’ knowledge. PCs can become part of a botnet in a number of ways, usually via email or the web. Often users click on malicious links posted within a spam message and unwittingly download malignant malware.
“The UK and the U.S. rank near the top of many of these lists because such a large percentage of users are online with high speed connections to the Internet,” Chet Wisniewski, Senior Security Advisor, at Sophos Inc. told CNN. “Countries such as the USA would do well to remember that cleaning-up infected PCs in their own back yard will be an important step in fighting cybercrime,” said Graham Cluley, senior technology consultant at Sophos, in a statement.
The only way to reduce the risk of being compromised is to run anti-spam and anti-malware protection and ensure all software and hardware is up to date with security patches. “We have seen many high profile incidents in the last year with things like the Conficker worm and ZBot (Zeus) shutting down many government and corporate networks in the UK,” said Wisniewski.
“One of the problems is that many people focus on attacks from outside, and may not be looking at what they are sending out. “Most businesses have focused on stopping things at the edge of their networks and preventing stuff from forcing its way in,” said Wisniewski. “But in the interim the criminals are tricking users into requesting the malware from web sites which bypasses things like corporate firewalls and mail gateways.
“Government, businesses, and individuals all are responsible, and one of the problems is you wont know you are infected if you aren’t running up to date anti-virus, yet you might think you are clean and wont get viruses. “I think the most important lesson for users is to be educated that malware and spam are very advanced criminal operations. You don’t get infected only by viewing online pornography or gambling, it can happen anywhere.
“We have seen everything from embassies to football clubs, from Walmart to the U.S. Army, have their web sites compromised with exploits and people must run proper security software on their PCs at all times. “Organizations should be looking at not just traffic coming into their networks, but also going out.”
The prevalence of infected computers has led to a new mindset among some businesses who acknowledge a proportion of their clients and customers will inevitably be infected, yet they must continue to work with them, therefore they place greater emphasis on back-office systems that aim to spot the fraud associated with malware.
Ultimately though, we would be wise to remember the human aspect to all this — and be prepared to check our own behavior online. “We all shouldn’t forget that if no-one bought products sold via spam there would be a lot less incentive to send junk email,” explained Cluley. “Computer users should not just protect their computers from threats like malware and spam, they should also pledge to never, ever buy anything advertised via spam.”