Spam and phishing reports

Spam evolution: January-June 2008

Half-year summary

  1. This year may see a seasonal fall in spam.
  2. Spammers are concentrating more on the quality of adverts.
  3. The Russian spam market is developing rapidly.
  4. The quantity of spam in the Fake designer goods category increased considerably.
  5. To create background ‘noise’ in messages spammers have exploited various features of mail clients.

Percentage of spam in mail traffic

In the first quarter of 2008, the share of spam on the Russian internet averaged 85% of all mail traffic. The lowest percentage recorded this quarter was 64.2% on 3 May, while there was a peak of 97.8% on 1 March.

Despite the fact that the percentage of spam in mail traffic fluctuated over the first six months of 2008, a few patterns can be identified. For example, the large percentage of spam in January was down to the extended winter holidays and the subsequent fall in legitimate email traffic. This percentage gradually decreased, but rose sharply again in March.

By May, however, the percentage of spam had declined sharply and a slight increase in June could not prevent the usual summer lull in spam traffic. Interestingly, such a significant seasonal fall had not been witnessed in the previous two years: in 2007 the decrease was negligible, while there was no reduction at all in 2006.

Seasonal fluctuations are quite normal for the spam business. In summer, people tend to read less email, go on vacation, and as a result, mass mailings are less effective at generating a response. As a rule, this means spammers receive fewer orders in the summer months and the quantity of spam decreases.

However, over the last two years the spamming industry has been developing so rapidly that there was no noticeable summer decline: new ploys by spammers to attract more customers were so intense that the quantity of spam continued to grow, even in the summer months. The seasonal fall we have witnessed this year suggests the spammer market has been saturated and that the number of customers remains at roughly the same level. The drop in self-advertising by spammers is yet more evidence of this: in 2007 the share of spam in the Electronic advertising services category exceeded 7%; in 2008 it amounted to just 4.3%.

Type and size of spam messages

Types of spam messages

Types of spam messages

As can be seen from the graph, the majority of spam messages are in plain text format. This smaller format means large mailings can be distributed faster. The second most popular format used by spam is HTML. Although this type of message is larger, HTML makes a message visibly more attractive and enables the use of additional methods to bypass filtering. Next come messages with pictures attached (jpeg and gif), with a combined total of 23.9%.

Messages with other types of attachments did not even account for 1%. 2007 saw spammers actively experimenting with different types of attachments – pdf, fdf, exl, mp3 – but they were ineffective and spammers reverted to more conventional types of spam.

Spam messages by size

Spam messages by size

It’s not difficult to see a connection between the sizes and the types of spam messages. The smallest are plain text messages. HTML messages tend to range from 1 to 20 KB in size, which means they fall into the first three columns in the graph depending on the type of message (e.g., messages with one HTML link, or messages with large colorful images). Larger messages (20 KB or more) are mostly messages with pictures attached.

Compared to the end of last year, the overall picture of size distribution has changed significantly – the amount of 1-5 KB messages and messages larger than 50 KB has increased, while the quantity of 5-10 KB and 20-50 KB messages has decreased. This may be linked to two contradictory trends. On the one hand, spammers are trying to make messages smaller to send them to as many users as possible at short notice. On the other hand, they are doing their best to make their messages look good to attract potential customers.

The rapid development of the Russian spam market

Back in 2004-2005, Russian spammers were still learning from their Western ‘colleagues’, applying their technologies and advertising techniques. Now they conduct themselves just as professionally and aggressively. Spam on the Russian internet is generated mostly by -Russian-language spammers, which is reflected by the prevalence of Russian-language spam messages and the botnet activity used to send out spam to Russian users.

Distribution of Russian Internet spam by language

The amount of Russian-language spam on the Russian internet is increasing. Two years ago it accounted for 60%; now it is nearly 80%.

Interestingly, it appears that Russian spammers also have a hand in the remaining 21% or so. They have recently been expanding their e-mail address databases used for distributing spam. A few years ago Russian spammers were limited to sending spam to different cities across Russia and sometimes to the Ukraine and Kazakhstan. Now, they regularly offer to send spam to Europe and the US. This means that their services are available both to Russian businessmen who want to sell their goods or services abroad, as well as foreign customers. It is also becoming more common to see Russian spam services offering worldwide deliveries. Russian e-mail addresses also appear to be included in these mailings, meaning Russian users receive English-language spam from Russian spammers. Indirect proof of this is the daily activity of botnets that work according to Moscow time and more conventional types of English-language spam (e.g., adverts for Viagra) with the Russian-language heading written in Latin letters.

Spam sources on the Russian internet

The geographical location of the sources distributing spam on the Russian internet is unsurprising. The leaders are Russia and the US, followed by European and Latin-American countries. Interestingly, China as a spam source continues to lose ground and by the end of the first six months was at the same level as Ukraine.


The pie chart below shows a breakdown of infected machines by country in the first six months of 2008.

It is worth pointing out that the US is not in the top five ranking of infected machines, despite being the second most common source of spam, while China is ranked fourth. The reason for this may be down to differences between those countries in terms of legislation or the ability to detect and neutralize botnets – spam and spammers are combated much more vigorously in the US than in China.

Theoretically, botnets sending out spam can be managed from any country worldwide, regardless of where the infected machines are located. Spam on the Russian internet distributed via botnets is mostly Russian-language spam. Botnet activity at various times of the day is also indicative of where spam is coming from.

Botnet activity over 24 hours

The diagram above shows the behavior of three botnets examined by Kaspersky Lab analysts. Only 13% of the infected machines are located in Russia, but the daily activity of the botnets is linked to Moscow time – there is an obvious increase in botnet activity at around 10 a.m. and a decrease at about 5-6 p.m. This suggests that the people managing the botnets work in the Moscow time zone.

Spam by category

The following categories of spam were the most widespread in the first six months of 2008:

  • Medications and health goods and products – 27.45%
  • Education – 13.86%
  • Fake designer goods -10.68%
  • Travel and tourism – 8.45%
  • E-advertising services – 4.33%

To regular readers of our spam reports, the top five will look familiar except for the Fake designer goods category. Advertisements for fake designer goods (mostly replicas of Rolex watches and Vertu telephones) appeared some time ago, but this year their quantity has grown to such an extent that they were introduced as a separate category.

After gaining its new status in March 2008, this spam category took over third place and has remained there ever since. The appearance of this category can be blamed on activity by Russian-language spammers; English-language messages of this sort have been common for some time, but it was the advent of Russian-language messages in this category that contributed to its rise.

Interestingly, the Computer fraud category, one of the leaders in the first half of 2007, dropped out of the top five altogether and shows little sign of making a comeback. It averaged just 2.54% in the first half of the year, never exceeding 3%. In 2007 the figure for this category averaged 6.9% for the year and 8.6% over the first six months; in 2006 it reached 14.3%. Unfortunately, the decline of this category does not mean there is less criminal activity on the internet. It is more likely that attacks by scammers have become more targeted, with an emphasis on the quality not the quantity of messages.

In the first half of 2008, spammers paid a lot of attention to the quality of self-advertising. The percentage of adverts offering spammer services fell to 4.3% compared to 7.2% in 2007. However, the quality of such adverts improved considerably, with a repertoire that included imitating personal correspondence, references to popular international events (e.g. Euro 2008) and even messages that were designed to look more enticing. In a bid to attract more customers and improve their image, spammers offered to help search for missing persons. It would appear that spammers consider their activity to be perfectly legal, despite the fact that it is forbidden in almost every country, including Russia.

Spammer methods and tricks

In the first six months of 2008 spammers made several attempts to perfect some old methods of bypassing spam filters. The main emphasis was on distorting text with background ‘noise’. By using HTML tags, spammers tried to ensure that messages included “noisy” text which could still be read by the recipient.

HTML code has long been used by spammers to bypass spam filters. For example, it allows the color of certain parts of a text to be changed to create unique messages, or to reduce the size of messages making them less visible (in this case a message can be read by recipients, but filters cannot detect it because it is constantly changing). Spammers also made use of ‘white text’ which was the same color as the background, although filters have now adapted to block messages with this type of text. Spammers have now come up with new methods of using specific features of mail clients.

January saw the appearance of spam with pseudo HTML tags. Random selections of characters placed within less-than and greater-than symbols are inserted into a message. This insertion is detected by a mail client as an incorrectly written tag and it is not displayed when the message is opened.

Message in HTML format Message as seen by recipient
ÞÌèíè-èãðóø<x>êè íà
Ìèíè-èãðóøêè íà

In February, spammers began to insert commentary tags into message texts. The mail client does not show these tags to the user either. A randomly chosen text is placed inside the tag and the spam filter assumes each message in the mailing is unique.

In the example below the fraudsters not only added randomly chosen text to the commentary tags but also hid the legitimate link (in blue in the left-hand column) from users with the help of HTML code. What the recipients see is a link to the popular greetings service, but it actually directs them to a different site altogether – most probably one containing a malicious program.

Message in HTML format Message as seen by recipient

Âàì ïðèøëà âèðòóàëüíàÿ îòêðûòêà.
Äëÿ åå ïîëóÞåíèÿ çàéäèòå íà ñàéò

<a href=”****&“>****

è íàæìèòå íà ññûëêó ‘ïîëóÞèòü îòêðûòêó’

Ñëóæáà ðàññûëêè îòêðûòîê POSTCARD.RU

Âàì ïðèøëà âèðòóàëüíàÿ îòêðûòêà.
Äëÿ åå ïîëóÞåíèÿ çàéäèòå íà ñàéò****è íàæìèòå íà ññûëêó ‘ïîëóÞèòü
Ñëóæáà ðàññûëêè îòêðûòîê

You received an e-card.
To get it, go to the website****

and click on ‘get my e-card’
E-card service POSTCARD.RU

In April spammers introduced the new ploy of randomly encoding characters in UTF-8. Mail clients display text with this type of code as normal, and the recipient has no problem reading the text, but spam filters treat each message as though it is unique and counters designed to record the number of such messages won’t work.

Message in HTML format Message as seen by recipient
Ýêñëþçèâíûå ôóò=1;îëêè îò: Íàøà Ð=#x430;øà, Êàìåäè êë&#=430;á è Íèíàâèæó &=x434;îì2 ê ïðàçäíèêàì íà www.mnogoma&=101; Ýêñëþçèâíûå ôóòáîëêè îò: Íàøà Ðàøà,
Êàìåäè êëàá è Íèíàâèæó Äîì2
ê ïðàçäíèêàì íà www.õõõ


Recently we have witnessed the formation of the Russian spam market. The services it offers are, like all developed markets, specialized. Different people are responsible for various tasks, such as developing the spamming software, gathering addresses for spammer databases, dealing with customers who make orders, preparing spam adverts, and sending out mass mailings. The era of the lone spammer has come to an end.

Most Russian spammers are based in Moscow and St. Petersburg. The spheres of influence have already been split between the major players and it appears that a market of regular spam customers has formed. The spammers are trying to attract new clients by offering them better quality adverts. It is obvious that not only programmers are responsible for the message formats but also marketing specialists and designers.

Unfortunately, these professionals are all engaged in illegal activity because spamming in Russia, and in many other countries, is against the law. At the same time spammers are actively cooperating with other cybercriminals, such as internet scammers and virus writers. Cooperation of this kind adds a more dangerous edge to spam.

What can we expect for the next six months? It is most likely that spammers will continue to experiment with HTML code and there is the possibility that they will try to resurrect some of their old methods and tricks. There is little doubt that the autumn will see an increase in the quantity of spam in mail traffic – after a seasonal lull, spammer activity is sure to increase.

Spam evolution: January-June 2008

Your email address will not be published. Required fields are marked *



How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox