Last week the May edition of Symantec’s MessageLabs Intelligence monthly report
was published. The report states that the proportion
of spam emails that include some form of URL or hyperlink has grown by one
percentage point since 2009, from 91 percent in 2009 to 92 percent for 2010, to
date. While that may not sound like much of an increase, the report reveals
that it translates to nine out of 10 spam emails.
An interesting data point is
about the domains used to form the hyperlinks: many are actually legitimate.
The report distinguishes between disposable domains, those that are used within
a few days for specific spam tactics and then abandoned, and the legitimate ones.
“Domains belonging to
well-known Web sites tend to be recycled and used continuously compared with
‘disposable’ domains which are used for a short period of time and never seen
again,” says MessageLabs Intelligence Senior Analyst Paul Wood. “Perhaps this
is because there is some work involved in acquiring them: the legitimate
domains require CAPTCHAs to be solved to create the large numbers of accounts
that are then used by spammers.”
The
report states: “Of
the most frequently occurring domains found in spam URLs, the top four are
legitimate and belong to major well-known Web sites used for social networking,
blogging, file-sharing and other forms of user-generated content.” These
account for 5 percent of all domains found in spam URLs. The bulk of the spam
URLs (95 percent) were of the disposable variety.
Known botnets are serving up the spam, using a
combination of legitimate and disposable domains with a heavier emphasis on the
disposable ones, with the exception of Storm. The Storm botnet, which had
been silenced for a time, has returned and is, according to the report, the
only botnet that uses legitimate domains in greater number (65 percent) than it
uses disposable domains.
MessageLabs’ analysts did some Autonomous System
Number (ASN) sleuthing. (AS numbers are important because the ASN uniquely
identifies each network on the Internet.) According to the report: “Where an AS
number could be determined for a particular IP address, MessageLabs
Intelligence identified that as few as five ASNs were responsible for hosting
content for 42 percent of the disposable spam domains scrutinized during May.
These were located in the following countries: United States (17 percent of all
domains), China (13 percent), Ukraine (8 percent) and France (4 percent).”
The full report, which offers more information as well as a variety of other findings,
is available for download.
Eye on Messaging is written
by Stephanie Jordan, editor in chief of Messaging News. If you have story ideas
or news to share, email her: sjordan [at] messagingnews [dot] com