Spam report: January 2007

Spam in mail traffic

2007 began with spammers asserting their position: even during the New Year holidays, the percentage of spam in mail traffic did not fall lower than 70%.

This once again confirms the views of Kaspersky Lab analysts that the seasonal fluctuations in spam volume linked to the advertising nature of spam may eventually plateau out and finally disappear. The reason is that the nature of spam is changing. More and more spam is becoming criminalized and is moving away from traditional advertising spam. Criminalized spam does not adhere to the laws of the advertising market. It therefore almost never exhibits fluctuations triggered by supply and demand in a specific period.

Spam volume: Jan 2007

Overall the situation in January remained stable. Spam reached a high of 83.3% of mail traffic on January 21, while the monthly low of 70.5% was recorded on January 19.

Spam categories

The top three categories of spam in January were:

• Personal finance (13.3% of all spam).
• Medicine, health products and services (12.2%) and electronic advertising services (12.0%).
• Education (10.3%).

Distribution of Russian Internet spam by topic: January 2007

Two different categories both placed second. The fact that the numbers for “electronic advertising services” are so high illustrates that spammers are actively looking for new clients.

Below is an examples of “medicine” spam. An example of financial spam can be seen in the Tricks of the Trade section:

Spam and malware combined

Throughout January, Kaspersky Lab analysts tracked a spam mailing that was being used to spread malware. Specifically, spammers were exploiting users’ interest in freebies and adult content (spam emails had subject lines such as “Group sex” and “generate card numbers,” etc.). The body of the email included a link to various sites that would attempt to download malicious code to victim machines. Another email with a link to a malicious website caught the attention of spam analysts: the advertising copy was written in English, followed by Russian text which allegedly provided an unsubscribe link. The link led to the site mentioned above.

Tricks of the trade

In January, spam with graphical attachments amounted to 33% of all spam. From a content point of view, these are the most varied type of spam mailing. Some contain simple images which can be easily detected by spam filters. Another type of graphical spam became well known to computer users towards the end of 2006; spam promoting the stocks of various companies (also referred to as financial spam). Such spam also uses images on a background which includes white noise, letters placed at different distances from a baseline and other tricks.

Spammers have clearly continued working on an engine which will generate similar mass mailings. As usual, their goal is to evade filters, many of which are able to detect this sort of graphical spam accurately. However, Kaspersky Lab analysts noted in late 2006 that the resources for this technology have been exhausted. This is why further experiments will result in text on a spam image being very difficult to read. Only true enthusiasts and the ultra curious will take the time to squint and try to figure out what the spammer is actually offering. Yet spam is only effective if it is read. Most likely, spammers will have to accept that they need to change their tactics.

Below are examples of some of the latest “pictures” used in spam:

Monthly summary

• Even on January 1^st, the percentage of spam in mail traffic did not fall lower than 70%. Throughout the month, this figure was between 70% and 80%.
• Financial spam took the lead, making up 13.3% of all spam.
• Graphical spam amounts to a third of all spam. This is a very high percentage, even though it is lower than in November – December 2006, when graphical spam accounted for 49% of all spam.