Survey: 86 percent of spam from US

WASHINGTON – Just under 86 percent of spam sent to 1,000 enterprises between May and July came from U.S. spammers, according to a survey by CipherTrust Inc.

While U.S. IP (Internet Protocol) addresses made up only 28 percent of the spam-sending addresses in CipherTrust’s survey, those U.S. addresses sent out much more unsolicited commercial e-mail than spammers from other nations, according to the company. In contrast, nearly 29 percent of the IP addresses sending out spam during the three-month survey were in South Korea, while only 3 percent of the spam came from there.

The survey, which sampled about 5 million pieces of spam sent to 1,000 CipherTrust customers, runs counter to some other surveys and some critics of the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act, who suggested a U.S. law would have a limited effect because of the amount of spam that comes from outside the U.S. CAN-SPAM, which allows fines of up to US$6 million and up to five years of jail time for some fraudulent spamming activities, was signed into law by President George W. Bush in December.

CAN-SPAM sponsor Senator Ron Wyden, an Oregon Democrat, pushed for the law as a way to go after a small number of “kingpin” spammers, and Dmitri Alperovitch, a research engineer with CipherTrust, suggested that the survey shows that there is, indeed, a small number of U.S. spammers sending millions of pieces of spam.

“I was really very surprised by the numbers,” Alperovitch said. “(Kingpin spammers) have these very high-bandwidth computers, and they’re able to send out a large amount of spam.”

According to the survey, just under 3 percent of spam came from China and Hong Kong, just over 2 percent from Canada and about 1.5 percent from the Ukraine. Of the IP addresses sending spam, 23 percent were from China and Hong Kong, and another 4 percent were from Brazil.

In contrast, competing antispam vendor Commtouch Software Ltd. in April suggested 40 percent of spam came from outside the U.S. Commtouch’s survey, however, didn’t measure the total number of spam messages sent, but the number of spam “outbreaks,” and the company defined an outbreak as the bulk sending of one spam message.

During CipherTrust’s survey, Alperovitch also noticed another trend — an attempt by some spammers to make it harder for recipients to unsubscribe from spam messages. While CAN-SPAM requires that senders of commercial e-mail include an “Internet-based” opt-out mechanism, some spammers have included only postal addresses in their opt-out messages, requiring recipients to send paper mail to the spammers to opt out of future spam.

CipherTrust has supported efforts in Congress to attack spam, but enforcement and technology solutions are needed along with the law, said Jennifer Martin, CipherTrust’s manager of corporate communications. “The teeth that are in (the law) aren’t teeth enough,” she said.

More enforcement against large spammers is needed, added Alperovitch. “They don’t have the fear of God in them,” he said.