Most Spam is Domestic, Study Says

WASHINGTON -- Just under 86 percent of spam sent to 1000 enterprises between May and July came from U.S. spammers, contrary to assumptions that most spammers are outside the reach of U.S. law, according to a survey by CipherTrust.

While U.S. IP addresses make up only 28 percent of the spam-sending addresses in CipherTrust's survey, those U.S. addresses sent out much more unsolicited commercial e-mail than spammers from other nations, according to the company. In contrast, nearly 29 percent of the IP addresses sending out spam during the three-month survey were in South Korea, while only 3 percent of the spam came from there.

Sources of Spam

The survey, which sampled about 5 million pieces of spam sent to 1000 CipherTrust customers, runs counter to some other surveys and some critics of the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. They had suggested a U.S. law would have little effect on spam because most spam comes from outside the U.S. CAN-SPAM, which allows fines of up to $6 million and up to five years of jail time for some fraudulent spamming activities, was signed into law by President George W. Bush in December.

CAN-SPAM sponsor Senator Ron Wyden, an Oregon Democrat, pushed for the law as a way to go after a small number of "kingpin" spammers. Dmitri Alperovitch, a research engineer with CipherTrust, suggests the survey shows there is, indeed, a small number of U.S. spammers sending millions of pieces of spam.

"I was really very surprised by the numbers," Alperovitch says. Kingpin spammers "have these very high-bandwidth computers, and they're able to send out a large amount of spam," he notes.

According to the survey, just under 3 percent of spam came from China and Hong Kong, just over 2 percent from Canada, and about 1.5 percent from the Ukraine. Of the IP addresses sending spam, 23 percent were from China and Hong Kong, and another 4 percent were from Brazil.

In contrast, competing antispam vendor Commtouch Software in April suggested that 40 percent of spam came from outside the U.S. Commtouch's survey, however, didn't measure the total number of spam messages sent, but the number of spam "outbreaks." The company defined an outbreak as the bulk distribution of a single message.

Skirting CAN-SPAM

During CipherTrust's survey, Alperovitch also noticed another trend--an attempt by some spammers to make it harder for recipients to unsubscribe from spam messages. While CAN-SPAM requires that senders of commercial e-mail include an "Internet-based" opt-out mechanism, some spammers include only postal addresses in their opt-out messages, requiring recipients to send paper mail to the spammers to opt out of future spam.

CipherTrust has supported efforts in Congress to attack spam, but enforcement and technology solutions are needed along with the law, says Jennifer Martin, CipherTrust's manager of corporate communications.

"The teeth that are in [the law] aren't teeth enough," she says.

More enforcement against large spammers is needed, adds Alperovitch. "They don't have the fear of God in them," he says.
