“Of course, this is one competition in which getting promoted into the Premier Division of spam senders is a cause for disappointment, not jubilation,” said Sophos researcher Paul Ducklin, in a blog announcing the results. “And, just like in your favorite football league, the majority of the high-flyers stayed put at the top.”
The US is what he terms the Manchester United of the bunch, finding itself near the top more often than not when it comes to the extent to which a country's computers are used for delivering spam. In the second quarter, it retained its No. 1 position in the “league” with 13.8%. Other countries include Belarus, China, India, Taiwan and Spain.
Meanwhile, only three countries exited the “Dirty Dozen” of spam nations this quarter (France, Peru and South Korea), but didn't drop any lower than the Serie B of spam (places 13–24 on the table). Likewise, the three countries that took their place in the top flight all came up from the 13–24 range (Ukraine, Kazakhstan and Argentina).
“With more than a billion people each and a thirstily-increasing demand for internet access in both countries, where else would you expect to see China and India except in the Dirty Dozen?”, Ducklin said. “And with more than 300 million people and the lion's share of the world's internet connectivity, where else would you expect to see the USA than leading the pack outright?”
However, adjusting for proportion to each country's population, a different story emerges.
“Half of the volume-based culprits are gone, and countries that would usually fly under the radar when measured on spamming volume alone – like Luxembourg and Singapore – suddenly burst onto the scene,” Ducklin wrote. Per capita, Belarus, Kazakhstan and Uruguay are the top three – with the US, China and India dropping off the rankings.
And this, he said, brings up a critical point about how spam is promulgated. “This doesn't mean that usually law-abiding Singapore has turned into a seething swamp of spam-related cybercriminality”, he noted. Rather, high-ranked countries almost certainly have a much-higher-than-average number of unprotected computers that are actively infected with malware.
That’s because most spam is actually sent indirectly and via bots and zombies, meaning that the actual location of the culprits is masked. Malware-infected computers push out a range of nefarious things: Phishing emails lure victims into entering passwords via mock-ups of a real site, such as a bank or webmail account; malware links redirect browsers to hacked websites; malware deliveries use false pretenses, such as fake invoices, to trick victims into opening infected attachments; and identity theft, investment scams and advance fee fraud round out the tactics.
“If the crooks behind this sort of cybercrime were to use their own computers, they'd never be able to send the volume of spam they'd like”, he said. “And if a cybercriminal can secretly tell your computer to send spam to 1,000 people you've never heard of – leaving you to argue with your ISP why you shouldn't be thrown off line for antisocial behavior – then ask yourself this: 'What else could he get up to on my account?'"
Also, using their own computers would lead law enforcement to their digital doorsteps, he added.
So, when these innocent users' computers are infected with malware that regularly calls home to download instructions on what to do next, the country that user is based in takes the bad spam rap – even if the actual perpetrators are operating from elsewhere.
“In short, the Spammiership League Tables are meant as a light-hearted way of reminding us all of one very serious aspect of computer security: namely that if you put yourself in harm's way, you'll probably end up harming lots of other people, too,” Ducklin concluded. “In other words, getting serious about computer security is the easiest sort of altruism: by protecting yourself, you help to protect everyone else at the same time.”