Spam sources cluster in 'Bad Neighborhoods,' report says
Fewer than two dozen "bad neighborhoods" on the Internet are responsible for almost 50 percent of the world's spam, according to a research report released last week.
India accounted for 20 percent of the spamming hosts found, said the study of more than 42,000 ISPs worldwide.
India is followed by Vietnam and Brazil, both with a 7 percent share of spamming IP addresses.
"These findings advance the state of the art by showing that malicious hosts are concentrated not only in certain portions of the IP address space, but more clearly at higher aggregation levels, such as ISPs and countries," wrote the author of the report, Giovane Cesar Moreira Moura, a researcher at the University of Twente in the Netherlands.
Crime clusters identified online
Moura suggests that just as crime clusters in geographical centers, the Internet experiences centers of malicious activity.
"In the real world, locations having higher crime rates than the average are sometimes called bad neighborhoods," he wrote. "In such places, it is statistically more likely that a crime will occur compared to other locations."
"The same principle holds for Internet Bad Neighborhoods: it is more likely that malicious activities are originated from such networks than from other networks," he added.
Bad Neighborhood theory is typically used to create blacklists. In the real world, that sometimes can generate a hornet's nest of controversy. Last year, for example, Microsoft received a patent on a GPS application—nicknamed the "avoid-ghetto" patent—to suggest pedestrian routes that avoid undesirable locations, such as high crime areas.
"On the Internet, the main usage of the Bad Neighborhood concept is to protect network targets, by being able to statistically predict attacks from unforeseen IP addresses," Moura said. Whenever a new message arrives, the algorithm checks whether neighbor IP addresses of the sender have been previously blacklisted, he said. The probability of a message being spam increases if neighboring IP addresses are also spammers.
ISPs can benefit from BadHood analysis because they don't have to poke around inside an email message to look for telltale signs of spam, Moura added. That can reduce the demands on their processing resources and could boost overall system performance.
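The neighbor check described above can be sketched as follows. This is an added example, not code from Moura's report: the /24 neighborhood size, the 10 percent threshold, and the names `BadHoodIndex`, `score` and `is_suspect` are assumptions chosen for illustration, and the sample blacklist is constructed from documentation address ranges.

```python
import ipaddress
from collections import Counter

PREFIX_LEN = 24      # assumption: "neighbors" share the sender's /24
THRESHOLD = 0.10     # assumption: flag when >=10% of neighbors are listed

def neighborhood(ip, prefix_len=PREFIX_LEN):
    """Return the IPv4 network that contains ip at the chosen aggregation level."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)

class BadHoodIndex:
    """Counts distinct blacklisted hosts per neighborhood."""

    def __init__(self, blacklist, prefix_len=PREFIX_LEN):
        self.prefix_len = prefix_len
        # A set removes duplicate listings so each host is counted once.
        self.listed = {ipaddress.IPv4Address(ip) for ip in blacklist}
        self.per_net = Counter(neighborhood(ip, prefix_len) for ip in self.listed)

    def score(self, sender):
        """Fraction of the sender's neighbors (sender excluded) that are blacklisted."""
        addr = ipaddress.IPv4Address(sender)
        net = neighborhood(addr, self.prefix_len)
        # Only the neighbors count: a listing of the sender itself is subtracted.
        bad = self.per_net[net] - (1 if addr in self.listed else 0)
        neighbors = net.num_addresses - 1
        return bad / neighbors if neighbors else 0.0

    def is_suspect(self, sender, threshold=THRESHOLD):
        """True when the neighborhood alone makes the sender suspicious."""
        return self.score(sender) >= threshold

# Constructed sample data (RFC 5737 documentation ranges, not real spam sources).
SAMPLE_BLACKLIST = [f"192.0.2.{i}" for i in range(1, 65)] + ["198.51.100.5"]

if __name__ == "__main__":
    index = BadHoodIndex(SAMPLE_BLACKLIST)
    for sender in ("192.0.2.200", "198.51.100.77", "203.0.113.9"):
        print(sender, round(index.score(sender), 4), index.is_suspect(sender))
```

The score depends only on the sender's address, so a never-before-seen host in a heavily listed block is flagged without inspecting the message body.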
Strategy to fight spam
The researcher also found a discrepancy in the distribution of phishing sites compared to spam sites. Spam sites are distributed all over the world—although concentrated in Southern Asia—while phishing sites are concentrated in the United States and other developed countries.
Most spamming hosts are part of an army of “hijacked” malicious hosts, typically in homes, schools and businesses, Moura said. Their availability at any particular time is not guaranteed. Phishing hosts, on the other hand, are required by criminals to have a much higher availability than spam bots.
A phishing site needs to be accessible most of the time, so more people can be deceived.
If a website is down, the criminal misses a business opportunity, he noted, while an outage of a single spam bot has a minimal impact on the overall spam capacity of the botnet.
"Therefore, phishing websites are more likely to be hosted on reliable infrastructures, typically data centers/cloud providers, which, in turn, are mostly located in developed nations, mainly in the United States," he wrote.