Internet Domain Registry

Monday, 5 October 2009

A Day in the Life of Spam

Posted on 15:07 by Unknown
It's been quite a while since I did a "Day in the Life of Spam", but with some recent ups and downs in the trends, I thought it would be worth taking a look again.

For this study, I chose one group of trap addresses for the UAB Spam Data Mine, and decided to try to categorize every email received on October 4, 2009. These particular trap accounts received 10,583 spam emails that day. So how did they break out?

5854 emails or 55.3% = Pharmaceutical products
2303 emails or 21.7% = Watches and other counterfeit goods
1044 emails or 9.8% = Malware distribution
512 emails or 4.8% = Illegal software "OEM" software downloads
397 emails or 3.8% = Fake diplomas or instant degrees
69 emails or 0.6% = Work at home scams
66 emails or 0.6% = Russian language emails
30 emails or 0.3% = Casino spam
28 emails or 0.26% = "Giveaways gotchas" (gift cards, plane tickets, cell phones, laptops that are called "free" but aren't)
28 emails or 0.26% = Chinese/Japanese emails

200 emails or 1.9% = miscellaneous things other than the categories above: insurance, credit reports, DISH Network, ink & toner, language learning, government grants, dating services, GI bill info, teeth whitening, government auctions, ab circle, timeshares, Florida rental properties, colon detox, etc.

Digging in deeper, Canadian Pharmacy dominated the pharmacy category, with what seems to be at least 19 different spam campaigns, all pushing Canadian Pharmacy affiliated websites. Compared to other affiliate pill programs, they win hands down:

5358 emails = Canadian Pharmacy
260 emails = Maximum Gentleman penis enlargement
107 emails = Canadian Health Care
61 emails = Online Pharmacy
32 emails = My Canadian Pharmacy
16 emails = Canadian Health & Care Mall
12 emails = Canadian Family Pharmacy
8 emails = Acai Berry

The big changes that stand out especially are that the famous "Russian Brides" spam has almost vanished entirely. Gone also is the Acai Berry spam, which was at one point nearly 15% of all of our spam email messages. 419 scams are disappearing as well, with only 7 emails out of the 10,500+ examined for this "Day in the Life" peek.

When we look at the URLs advertised just in those 5,358 Canadian Pharmacy emails, we find 7,056 unique URLs hosted on 348 domains, of which 234 are ".cn" domains:

Another 84 are ".com" domains:

yahoo.com (abused in the form of newly created "yahoo groups")
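
A tally like the one above (unique URLs, the domains hosting them, and the split by TLD) can be produced from message bodies as follows. This is an added example, not the UAB Spam Data Mine's code; the sample bodies are constructed, and treating the last two host labels as the domain is a simplifying assumption that fits two-label names such as the ".cn" and ".com" domains counted here but not multi-level suffixes.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Stop at whitespace, angle brackets and quotes so HTML href values end cleanly.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def extract_urls(body):
    """Return the set of URLs in one message body, trailing punctuation removed."""
    return {u.rstrip(".,;:!?)") for u in URL_RE.findall(body)}

def registered_domain(url):
    """Map a URL to 'name.tld' (assumption: last two labels), or None if unusable."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:              # malformed authority, e.g. a broken IPv6 literal
        return None
    try:
        ipaddress.ip_address(host)  # IP-literal hosts have no domain to count
        return None
    except ValueError:
        pass
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def tally(bodies):
    """Count unique URLs, unique domains, and domains per TLD across a corpus."""
    urls = set()
    for body in bodies:
        urls |= extract_urls(body)
    domains = {d for d in map(registered_domain, urls) if d}
    by_tld = Counter(d.rsplit(".", 1)[1] for d in domains)
    return {"unique_urls": len(urls), "domains": len(domains), "by_tld": dict(by_tld)}

# Constructed sample bodies using reserved names (.test, .example, 192.0.2.0/24).
SAMPLE_BODIES = [
    "Save 80% http://www.pills-a.test/?id=1 now!",
    "Order: http://pills-a.test/?id=2, or http://WWW.Pills-B.test/buy.",
    '<a href="http://meds.example/x">click</a> http://192.0.2.10/p',
    "Same link again http://www.pills-a.test/?id=1",
]

if __name__ == "__main__":
    print(tally(SAMPLE_BODIES))
```

Well-known names that turn up in such a tally (webmail, search and shortener domains) still need manual review before any of the output is used as a blocklist, since spam links to abused legitimate services as well as to purpose-registered domains.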