Last week, National Public Radio aired a story on my Pharma Wars series, which chronicles an epic battle between men who ran two competing cybercrime empires that used spam to pimp online pharmacy sites. As I was working with the NPR reporter on the story, I was struck by how much spam has decreased over the past couple of years.
Below is a graphic that’s based on spam data collected by Symantec’s MessageLabs. It shows that global spam volumes fell and spiked fairly regularly, from highs of 6 trillion messages sent per month to just below 1 trillion. I produced this graph based on Symantec’s raw spam data.
Some of the points on the graph where spam volumes fall precipitously roughly coincide with major disruptive events, such as the disconnection of rogue ISPs McColo Corp. and 3FN, as well as targeted takedowns against major spam botnets, including Bredolab, Rustock and Grum. Obviously, this graph shows a correlation to those events, not a direct causation; events other than those mentioned may well have caused decreases in junk email volumes worldwide. Nevertheless, it is clear that the closure of the SpamIt affiliate program in the fall of 2010 marked the beginning of a steep and steady decline of spam volumes that persists to this day.
Of course, spam volumes are relative, depending on where you live and which providers you rely on for email and connections to the larger Internet. As I was putting together these charts, I also asked for spam data from Cloudmark, a San Francisco-based email security firm. Their data (shown in the graphs below) paint a very interesting picture of the difference in percentage of email that is spam coming from users of the top three email services: The spam percentages were Yahoo! (22%), Microsoft (11%) and Google (6%).
Here’s a graph of total Cloudmark spam volume data from the big three over time, with linear regression trend lines. As we can see, Google’s spam volume is pretty much flat overall (looks like they fought off an attack in September); Microsoft is trending slightly downwards; Yahoo! goes up and down, but more up than down.
Andrew Conway, Cloudmark’s lead software engineer, said one possible explanation for the big difference in Yahoo!’s spam levels is that the company experienced layoffs in December 2010 and April 2012.
“In the past five years they have had four CEOs plus two interim CEOs,” Conway said in an email interview. “That sort of reputation makes it hard to attract and keep top engineering or management talent. Also, when you are faced with having to cut costs, as Yahoo is, spam prevention does not generate any revenue. Cost centers get cut more than profit centers.”
Conway said spammers will follow the line of least resistance; as such, Yahoo only has to have fewer account creation security controls than the other Webmail providers to attract a lot more spam.
“We see spam coming both from bulk manufactured accounts and from genuine accounts that have been compromised,” he said. “Google has much better algorithms for preventing bulk account creation, and both of them are better than Yahoo at detecting and shutting down accounts that are used for spamming.”
A quick check at one dodgy site that sells access to bulk-created accounts at the top Webmail providers, for example, offers a basic lesson in supply and demand. That site sells 1,000 Yahoo Mail accounts for $35, or roughly 3.5 cents per verified account. Contrast that with the price of Gmail accounts, which is $150 for 500 accounts, or about 30 cents per account.
Yahoo missed this one:
From Canadian Pharmacy Fri Jan 11 20:36:03 2013
Return-Path:
X-Originating-IP: [151.56.216.153]
Message-Id:
From: “Canadian Pharmacy”
Subject: Canadian Pharmacy : Viagra + CIALIS !!
Date: Sat, 12 Jan 2013 05:36:03 +0100
@Brian: Full header available upon request.
> X-Originating-IP: [151.56.216.153]
This is not a Yahoo mailserver…
http://whois.domaintools.com/151.56.216.153
:
inetnum: 151.56.0.0 – 151.56.255.255
netname: IUNET-BNET56
descr: IUnet
descr: Via Lorenteggio 257
descr: Milano, I-20100
country: IT
… but an Italian dialup range according to Spamhaus.org and the responsible provider:
“151.56.0.0/15 is listed on the Policy Block List (PBL)”
http://www.spamhaus.org/pbl/query/PBL177375
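Added example, not part of the original comments: the manual check described in the reply above (pull the X-Originating-IP out of the headers, then see whether it sits in policy-listed end-user space), written as a small Python filter step. The function names are hypothetical, the header block reuses the lines posted in the comment, and the single CIDR range is the one quoted there, used as an offline stand-in for a real blocklist query.

```python
import ipaddress
import socket
from email import message_from_string

# Header lines from the comment above (fields that were empty there stay empty).
SAMPLE_HEADERS = (
    "Return-Path:\n"
    "X-Originating-IP: [151.56.216.153]\n"
    "Message-Id:\n"
    'From: "Canadian Pharmacy"\n'
    "Subject: Canadian Pharmacy : Viagra + CIALIS !!\n"
    "Date: Sat, 12 Jan 2013 05:36:03 +0100\n\n"
)
# Range the reply quotes as PBL-listed; used here as an offline stand-in.
POLICY_RANGES = [ipaddress.ip_network("151.56.0.0/15")]
# Spamhaus ZEN answers that denote a PBL listing.
PBL_CODES = {"127.0.0.10", "127.0.0.11"}


def originating_ip(raw_headers):
    """Return X-Originating-IP as an address object, or None if missing/invalid."""
    value = message_from_string(raw_headers).get("X-Originating-IP", "")
    try:
        return ipaddress.ip_address(value.strip().strip("[]"))
    except ValueError:
        return None


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL name for an IPv4 address: reversed octets + zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def in_policy_range(ip):
    """Offline check against the ranges listed above."""
    return any(ip in net for net in POLICY_RANGES)


def live_pbl_lookup(ip):
    """Ask the DNSBL directly (needs network; not called at import time)."""
    try:
        answers = socket.gethostbyname_ex(dnsbl_query_name(ip))[2]
    except OSError:
        return False
    return bool(PBL_CODES & set(answers))


if __name__ == "__main__":
    ip = originating_ip(SAMPLE_HEADERS)
    print(ip, in_policy_range(ip), dnsbl_query_name(ip))
```
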
Good work, Brian. Liked the podcast (still waiting for the movie – at least make a sequel on discovery channel^^).
For some reasons extrapolations on “Global Spam Volumes” generally are biased (ISP’s filters improved etc). Message Labs’ extrapolation is reasonable – even if it is maybe factor 3-4 too low (check Cisco’s data on Senderbase.org which may be too high by some 20-30% eventually…) 😉
According to takedown coincidences: from internal analyses I remember spam volumes have had some big correlations to Microsoft’s patches, too, with direct correlations on a daily basis. (Beside I personally still bear little respect for their low efforts in customer security, training and support. */duck*)
Of course today Yahoo is a burden to all of us (and I personally didn’t succeed to get some of our spamtraps of Yahoo’s and Google’s groups with zero response from their abusedesks), but I’m more concerned about the growing number of spamfarms, snowshoes and rogue networks spreading out there on OVH and others, building good reputation with low volumes before hitting hard and moving on. BUT: if one says Yahoo, Microsoft and Google he should have a look at AOL and 1&1 as well, see the impressive diagram on:
“Yahoo is currently the worst Spam sender”
http://blog.malowa.de/2012/08/yahoo-is-currently-worst-spam-sender.html
YFTR: Additionally to Cloudmark’s assumptions some layoffs may have had correlations to leaked recipients data during last decade and addressees might have experienced increased traffic in spam and spammy newsletters out of the blue.
/just my 1+1 cents, yahoo!
Thank you. It helps me understand.
Oh Brian… you should talk to Spamhaus in another 30 days, expect fun things to come.
Thanks for the article, very informative.
A statistics note: the linear regression on the Cloudmark spam graph does not make much sense as there is no particular reason why the trend should be linear. It can give a false sense of trending while the trending may not even be there.
Why are we still using an ancient protocol that not only allows but encourages spoofing and has no verification of sender?
If we want to reduce spam we really need to change email protocols globally.
The bigger issue with Yahoo besides the layoff and general lack of any leadership whatsoever is that they took the step over the last year to completely stop any inbound reporting of things like Nigerian scammers abusing Yahoo accounts.
Yahoo used to have a really responsive abuse team, and they would accept abuse reports via email or via some pretty straightforward abuse reporting forms specific to Nigerian abuse and other types of online criminality.
Starting in early 2012, they instead made sure that the net result of any attempt to even *find* where to report this activity to Yahoo abuse ended with instructions on how to flag these messages as spam, instead of any method whatsoever that would lead to someone at Yahoo shutting down the offending accounts.
The last of the forms that Yahoo had that *would* report this activity, they shut down in December 2012, making it pretty clear: Yahoo just doesn’t care to do anything about criminals who rampantly abuse Yahoo Mail in any way.
In many, many ways, I (and I know I’m not alone) really do wish that Yahoo would have been sold off when they were still worth buying, because whoever bought them would hopefully address this long-standing issue. Now I really just wish they would have gone bankrupt. Nobody is home at their abuse departments, if they even exist.
Assuming ex-Google, new CEO Marissa Mayer actually is in a position to turn that ship around, she (and her team) definitely need to address the damage this has done to Yahoo Mail’s reputation internationally. As only one example, Gmail’s spam filters routinely block all Yahoo Mail domains because (for example) “Mail from Yahoo.cn has been found to be fraudulent in nature.” This is what your spam filter will tell you when they do this. The domain itself is now seen as fraudulent.
Great report. Hopefully this volume will go down even further in 2013.
SiL / IKS / concerned citizen
Has SPAM really decreased? I think that there are a lot of different channels SPAM is spread and not only email. Would be interesting if you’d compared those results with let’s say spam showing up at Facebook, Twitter, comments in blogs and bulletin boards and so on. Maybe that email spam isn’t that effective any longer and so they switched their platforms?
Spamit was known for high volumes of spam, multiple copies to a single email address several times a day. Knocking out that one sender would have had a major effect.
Right now, most of what I get is advanced fee fraud, malware/phishing, replica, and joe jobs. Pharma has dropped dramatically.
My account usually has little spam anyway; but has actually been worse lately! Funny thing is, on the junk account I used for zero day threats, they have actually reduced.
Go figure.
Perhaps the spammers have figured out how to do more with less. They’ve been smarter.
Yeah, I’m talking about email accounts without spam filters … though in my experience, it usually isn’t hard to filter for advanced fee fraud, since the spammers have poor English and tend to copy/paste other spammers’ templates.