Spam evolution: January – March 2007

Percentage of spam in mail traffic

In the first quarter of 2007, the share of spam on the Russian Internet remained stable and amounted to
70% – 80% of all mail traffic. The lowest percentage recorded this quarter was 69.8% on February 7^th, and a peak of 86% was noted on February 11^th.

Spam volume: Jan – March 2007

The first three months of 2007 showed us that seasonal fluctuations in the volume of spam triggered by the advertising nature of the mailings is gradually plateauing out and may even become a thing of the past. Unlike previous years, during the first quarter no major declines in spam volume were noted in connection with the January or spring holidays (such as 8^th March, International Women’s Day), nor was there any significant increase directly related to the holidays. The reason for this stability lies with the changing nature of spam. More and more spam is becoming criminalized and is slowly moving away from traditional advertising. The Criminalized spam is not subject to laws on advertising, and is not very susceptible to fluctuations linked to supply and demand over any given period of time.

A breakdown of spam by category

The following categories of spam took the lead in the first quarter of the year:

1. Education (15.2% of all spam).
2. Medications and health goods and services (14%).
3. Personal finance (10.7%).
4. E-advertising services (9%), a tie with Computers and the Internet (9%).

Distribution of Russian Internet spam by topic: Jan – March 2007

Russian Internet statistics show that there is currently more Education-themed spam than any other category (15.2%). The percentage of this particular category gradually rose over the past three months before taking the lead (January – 10.3%; February – 16.2%; March – 18.6%). Education spam contains offers for diplomas and certificates in addition to advertising seminars, training courses and other classes. In the first quarter of 2007, the most frequently advertised training courses and seminars included those covering annual accounting reports, tax reports, tax audits and other themes related to companies’ annual reporting.

The traditionally large category Medications and health goods and services, features aggressive mass mailings with graphical technologies that advertise inexpensive medicines (Viagra, Cialis, etc.).

Fourth place was a tie between two different spam categories. As usual, E-advertising services accounted for a relatively large share of all spam, an indication that spammers are continuing their search for new clients.

The share of the Personal Finance category fell from 13.3% in January down to 6.9% in March:

Volume of Personal Finance spam: Jan – March 2007

This category of spam is usually designed to create artificial demand for advertising campaigns by driving prices up so that certain investors in the know can make a profit. The majority of financial spam contains graphics. There has been a decrease in financial spam because its effectiveness has fallen; this is partly due to saturation point having been reached, and also due to successful filtration of graphical spam by spam filters from a range of manufacturers (for more details, see the March 2007 report).

Spam category trends: January – March 2007

In the first quarter of 2007, Russian-language real estate spam emerged as another major spam category, with advertisements for realtor services, apartment rental offers, etc. This kind of spam is specific to the Russian Internet and has been around for a relatively long time. However, real estate spam has only recently come to make up a stable percentage of all spam (roughly 2% – 4%). The March 2007 spam report has more details about real estate spam.

Spam which advertises spammer services is starting to change. Now spammers are offering to send spam to addresses contained in dedicated databases (e.g. the “Business Moscow” database, and databases of both private individuals and legal entities). The largest database offered of Russian Internet addresses contains over 14 million entries.

The harvesting of addresses and compiling of databases is clearly a separate sector of the spam industry. Databases are prepared independently from spam mailings. In the first quarter of 2007, Kaspersky spam analysts received spam offering to compile a targeted address database for spamming purposes: “We’ll prepare an Internet-based database of your potential clients for you.” This message also stated that the specific area of business interest and locations of potential clients would be taken into account (i.e. the client can indicate a list of specialized forums from which addresses should be harvested).

A phishing attempt against a Russian bank was also recorded in the first quarter of the year. This is rare; more often, phishers target Western banks where most clients use online services to access their accounts. Alfa Bank was the target of the attack that took place around February 20^th, 2007. The phishers essentially copied news released by Alfa Bank about the bank’s improved security system. At first glance, it looked as though the link in the phishing email led to the Alfa Bank website. But actually, the link took users to a malicious user’s website (in the co.kr domain) where users were asked to enter their personal data. Alfa Bank reacted promptly to this attempt to defraud the bank’s clients and published a warning to its users on its official website.

Tricks of the trade

Between January and March, spammers again showed they were attempting to update the technology used for spam graphics. In February they made a clear attempt to resurrect animated graphics.

Spammers tried some other approaches as well, such as using a range of rare font styles:

Nevertheless, the attempts to diversify graphical spam were not particularly successful, and the volume of graphical spam began decreasing gradually. In January this type of spam represented 33% of all spam, sliding to 27.4% in February and slipped further in March to 25.7%.

In terms of content, graphical spam, which uses animations or specific methods to produce “loud” backgrounds and other features, frequently contains offers for medicines, software and promotions for various stocks. This type of spam is usually in English, although there are some exceptions. A Russian-language mass mailing advertising services for adjusting computer settings and installing software featured an animated gif with random ‘noise’ in the background behind the actual advertising text.

Summary: Recent trends

1. The percentage of spam on the Russian Internet remained stable within the range of 70 – 80% of all email.
2. The volume of ‘personal finance’ spam has fallen.
3. The share of graphical spam seems to be heading for a decline.