May 26, 2009 9:24 AM PDT

Report: Spam now 90 percent of all e-mail

by Lance Whitney

Spam now accounts for 90.4 percent of all e-mail, according to a report released Monday from security vendor Symantec. This means that 1 out of every 1.1 e-mails is junk. The report also notes that spam shot up 5.1 percent just from April to May.

Spam on the rise.

(Credit: MessageLabs)

Symantec's May 2009 MessageLabs Intelligence report reveals other disturbing trends, as well. Rather than just hijack disreputable Web sites, cybercriminals now favor older and well-established domains to host their malware. The report says 84.6 percent of all domains blocked for malicious content are more than a year old. One type of domain now especially vulnerable to threats is social networking, since most of the sites' content is created by users.

"Spammers using better-known and thus more widely trusted Web sites to host malware is reminiscent of the spammers who rely on well-known Web mail and social networking environments to host spam content," said Paul Wood, Symantec's MessageLabs Intelligence senior analyst. "The trustworthy older domains can be compromised through SQL injection attacks while newer sites are more likely to be flagged as suspicious--a temporary site set up with the sole purpose of distributing spam and malware--and thus faster to get shut down."

Where you live also determines when you're spammed, says the report. For people in the U.S., spam hits its peak between 9 a.m. and 10 a.m. and then drops overnight. Europeans get a solid stream of spam throughout the day, while users in Asia-Pacific countries find most spam waiting for them in the morning. One reason for this trend, says the report, is that most spammers are at their busiest during U.S. working hours.

The popular CAPTCHA program, which asks the user to type in a series of random characters, is no longer proving as effective as once hoped. Many Web sites have relied on CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) to ensure that accounts are created by actual human beings.

But criminals have now succeeded in generating profiles with random names, apparently by using automated CAPTCHA breakers. The report notes that some major Web sites are now exploring other ways to block automated accounts, such as using photographic images that a user must analyze.

Spam levels had dropped for a short while last year after the closure of several malware-hosting Internet providers. But spammers have since bounced back from those losses by rebuilding their networks.

Symantec's MessageLabs Intelligence gathers research on spam and other malware from global data centers that track e-mails and Web pages. Symantec releases a new intelligence report each month.

Lance Whitney wears a few different technology hats--journalist, Web developer, and software trainer. He's a contributing editor for Microsoft TechNet Magazine and writes for other computer publications and Web sites. You can follow Lance on Twitter at @lancewhit. Lance is a member of the CNET Blog Network, and he is not an employee of CNET.
by myles taylor May 26, 2009 9:36 AM PDT
That's pretty sad. We really need to come up with a way to stop all this spam. At what point does this become a priority? 99%? That means that massive amounts of traffic on the web are being used up by spam which raises costs for everyone. I think 50% is outrageous. We have to come up with a whole new word for 90%.
by fredtheviking May 26, 2009 10:11 AM PDT
Well, I doubt it is from a lack of trying. The best solution I heard of was the idea of metered email. Service providers would only need to charge 1/100th of a penny for it to be effective. Most spammers need only one out of 10 million emails to catch someone for an email campaign to be profitable. But at the cost of 1/100th of a penny per email, it would cost $20,000 to send 200 million emails and the spammers' business model would be broken.

At the very least the quality of spam would be better and could still be filtered out of your email box, with little cost to you. It would cost you a dollar to send 1,000 emails or a single email to 1,000 people. This would have other benefits, like the end of those stupid chain emails... well maybe not.
by Dalkorian May 26, 2009 11:32 AM PDT
Metered email won't work for a number of reasons. Consider that a lot of spam is sent from compromised machines, average Joes and Janes who don't realize they're infected yet. You want to "help" them by billing them thousands of dollars for spamming the world?

Wouldn't a better answer be to temporarily shut off their internet access and inform them of the problem? Encourage them to fix the problem (clean the malware off the machine) and help them get back online, rather than promote court battles over unexpected "price increases"?

Unfortunately, this is a tough nut to crack. What's the difference between a spammer and a home business that sends out newsletters only to those who registered to receive it? Both users can send out thousands of messages a day. One is legitimate, the other is not.
by SergeM256 May 26, 2009 1:00 PM PDT
What about the ISP sending a reminder to a user - "you have sent 10,000 e-mails last month". It would alert the user that something is wrong with his computer or e-mail account.
by dacopper May 26, 2009 5:31 PM PDT
The problem is the SMTP protocol itself. It's over 30 years old and inadequacy ancient in our times. The HELO/EHLO request/response that SMTP utilizes is open text and so simplistic, you can use a telnet client to send your e-mails (http://searchexchange.techtarget.com/generic/0,295582,sid43_gci1280938,00.html). It checks neither on existence of a source e-mail address, nor on the destination so e-mail spoofing is a matter of typing in somebody else's address in the From: field. NOBODY uses telnet anymore. It was retired as hopelessly unsecured about 10 years ago. And here it is, the most used protocol in the world, after HTTP of course, that still utilizes same open-text stateless principles. It's impossible to fight spam unless a more secure mail protocol comes around.
by i_am_still_wade May 28, 2009 2:44 PM PDT
I reduced my incoming spam to almost 0 by blocking all e-mail address marked as sent from me to me from my website's e-mail address. A few still come in, but junk mail filters get rid of those.

We do need to get off SMTP - SIMPLE mail transport protocol. I don't know why someone has invented a replacement other than IMAP, but IMAP isn't a replacement just an alternative.
by loki_racer May 26, 2009 10:02 AM PDT
Wait....wait.....wait.

This data doesn't show that 90% of all email is spam. It shows that 90% of all emails scanned by Symantec are spam.

I worked as a computer tech of the lowest level and can say that without a doubt, users of Symantec products generally have a much lower understanding of the intertubes than other computer users.
by Maccess May 26, 2009 4:42 PM PDT
LOL. One of the first things I do with a new computer is delete the bundled Symantec products and replace them with something else that doesn't bog down the computer as much.
by gertruded May 26, 2009 10:12 AM PDT
Come on, the only reason that we have spam is that the elite make money off of it. It is all about money and those in control are making money.

The wealthy attack us in so many ways to make their profits.
by biffhenerson May 26, 2009 10:13 AM PDT
Perhaps the death penalty or life in prison for low life spammers. Seriously, it's not difficult to differentiate a site that is blasting out email day after day from any other site. Not sure why internet service providers aren't doing more. They should detect and halt in a few minutes. Since no one else will step up and do anything, I guess Obama will have to throw money at this one too.
by Dalkorian May 26, 2009 11:38 AM PDT
First off, consider that most spam is sent out from compromised machines using forged headers - it's not so easy to track it back to the "low life spammer", but very easy to punish the victim whose machine has been compromised. Secondly, the ISPs don't have much financial incentive to do anything about it - spammers pay them money just like any other customer. Actually spammers pay them more, registering multiple accounts to roll into when the current account is discovered and shut down. The ISPs put in enough effort to make appearances, but aren't really interested in solving the problem for us.

Just wait for some bozo to pass an email tax type of idea (1/100 of a cent per email) and see how hard the ISPs fight spam then.
by DavyBoyWonder May 26, 2009 10:14 AM PDT
Curious how the rate dropped at about the same time the economy tanked, but has since rebounded. Is this an indication the economy is on its way up, or that spammers are a lot better at retargeting their spams?
by Seaspray0 May 26, 2009 2:13 PM PDT
Coincidence. One of the major spam networks was busted at about the same time the economy tanked.
by cvaldes1831 May 26, 2009 10:14 AM PDT
Ninety percent is a pretty low estimate; that number has been tossed around for several years.

Way back in December 2007 (http://news.cnet.com/8301-13505_3-9831556-16.html), Barracuda Networks said spam was 90-95% (reported by Matt Asay), and in December of 2008, they predicted over 95% (http://www.barracudanetworks.com/ns/news_and_events/index.php?nid=322).

This blog entry (http://bits.blogs.nytimes.com/2009/03/31/spam-back-to-94-of-all-e-mail/) refers to Google's Postini division saying that spam was back up to 94% in March 2009, returning to the same levels as October of last year.

So 90% sounds like 2006 or 2005 numbers.
by rtuinenburg May 26, 2009 10:36 AM PDT
Why don't you report how many spam emails actually land in people's inboxes? I might get one every few days.
by karpenterskids May 26, 2009 12:44 PM PDT
I easily get 20 on a regular basis...and I don't even throw my email out there that much.
by SergeM256 May 26, 2009 1:12 PM PDT
Since I got a new provider and new e-mail address about a year ago I got one or two spam e-mails - for a year! If you use your e-mail carefully, you may avoid spam. On my old e-mail address that I had for about 10 years I would get about 2-3 spams daily. Don't give it away unless you have to, register only on reputable web sites. Spam filters are useless, oftentimes they flag legitimate e-mail as spam - I wouldn't trust a filter to automatically delete e-mail.
by dacopper May 26, 2009 5:39 PM PDT
You get so few spam e-mails because of your ISP's or company's spam filters that are pretty effective nowadays. Being an ex-sysadmin, I can testify that per each legitimate e-mail, there're several more that are spam. Looking at weekly spam filter report with fancy diagrams and pie charts, numbers close to 90% sound about correct.
by kingsnoofer May 26, 2009 10:50 AM PDT
The spammers wouldn't even be doing it if there weren't millions of people responding and buying their products or falling for their scams. Until that stops the spam will continue. Spamming is probably the number one money maker as an industry in the world.
by SergeM256 May 26, 2009 1:43 PM PDT
I don't think there are "millions of people" responding to spam. Research shows only one out of about 10 million spam e-mails results in a purchase. Perhaps, there are only a few hundred people (nationwide!) responding to spam, and millions have to suffer because of actions of these few.
I would never give my credit card number to a business that uses spam for promotion - chances are they only collect credit card numbers and never send any merchandise. Legitimate business would never use spam.
by Otto Holland May 26, 2009 11:15 AM PDT
Sad but true. I host a domain on Yahoo small business and every second I receive spam emails. There are several domains that collect money for hosting but are very lazy to monitor and stop spam. Yahoo is by far the lowest quality in the USA. My company uses "Postini", a company bought by Google just about a year or so ago, and I never receive spam emails. I log in as an administrator and have complete access to assist users; I see a ton of spam, yet hardly any gets through to the user inbox.

In addition, I use Microsoft email filters on my Exchange server and almost zero spam gets through; case in point is that the service used is at fault for allowing spam through their system.
by cjudith May 30, 2009 9:15 PM PDT
I use YAHOO on line for my personal email. Its Spam filter works great. It's extremely rare for any Spam to make it to my inbox. I don't know what all the fuss is about. I think it's much safer to have an account on line. I simply don't use Outlook or Outlook Express.

YEA YAHOO!
by Seaspray0 May 26, 2009 2:17 PM PDT
If you are using a mail program that allows content from the internet to be downloaded automatically, then you will get lots of spam. One favorite trick of spammers is to include a specific web link tailored for each user (usually no more than a single pixel). If that weblink gets marked as accessed, the spammer knows he's got a valid email address. Once I switched to a program that no longer allows automatic internet content to be downloaded, my amount of spam has dropped by a factor of 10 over several months.
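The per-recipient image link described in the comment above can be flagged in a message body before a mail client fetches anything. The following Python sketch is an added example, not part of the original comment thread; the function name `find_tracking_images`, the heuristics and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Heuristics (assumptions, expect some false positives on long file names):
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")   # long opaque ID in path or query
TINY_RE = re.compile(r"[01](px)?")              # declared dimension of 0 or 1 pixel
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append({k: (v or "").strip() for k, v in attrs})


def find_tracking_images(html):
    """Return [(src, [reasons])] for remote images that look like open beacons."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for img in collector.imgs:
        url = urlsplit(img.get("src", ""))
        if url.scheme not in ("http", "https"):
            continue  # cid:, data: and relative sources trigger no remote fetch
        reasons = []
        if TINY_RE.fullmatch(img.get("width", "")) and TINY_RE.fullmatch(img.get("height", "")):
            reasons.append("tiny")
        if HIDDEN_RE.search(img.get("style", "")):
            reasons.append("hidden")
        if TOKEN_RE.search(url.path + "?" + url.query):
            reasons.append("per-recipient token")
        if reasons:
            findings.append((img["src"], reasons))
    return findings


# Constructed sample message body (not taken from any real e-mail).
SAMPLE = """<html><body>
<p>Limited offer!</p>
<img src="http://img.example.com/banner.jpg" width="600" height="120">
<img src="http://track.example.net/o.gif?uid=3f9a1c7e5b2d4a6f8e0c1b2a3d4e5f60" width="1" height="1">
<img src="cid:logo@local" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_tracking_images(SAMPLE):
        print(src, "->", ", ".join(reasons))
```

A mail gateway or client could use such findings to strip or proxy the flagged images, so that opening the message does not confirm the address to the sender.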
by combres55 May 26, 2009 3:42 PM PDT
Clearly from this report, spammers can outsmart filters. If spam keeps getting worse, then you can conclude that filtering emails based on content is not fixing the spam problem.

There has not been any significant headway in fighting spam since the beginning of email. The technology has always been to improve something that does not work: Filtering.

There are a handful of small companies and technologies that are trying to fix spam once and for all, some are www.sendio.com (enterprise) , www.spamarrest.com (consumer), and DKIM and SPF.

You can eliminate spam completely only by thinking about the problem differently. Think about using contacts, instead of content. If you can verify only people who you WANT to communicate with, then you will never get spam. Contact checking is the very best solution and approaches the whole spam problem differently.
by edtmark May 26, 2009 4:33 PM PDT
It's not surprising. I can't remember the last time I received a personal e-mail. Outside of a few newsletters and facebook notifications, I get NO e-mail other than spam.
by dennisl59 May 27, 2009 2:47 AM PDT
Maybe the "new" Cyberspace Czar can do something about this?
by todd3617 May 27, 2009 6:53 AM PDT
I think that 5% of my personal email is spam. I have several email addresses; when I sign up for something online, I use an email address so that all the junk mail can be sent there. I don't use Outlook or any program like that. I use web-based mail if at all possible so that if a virus is sent to me, it doesn't actually get into my computer. All this talk about spam doesn't bother me.
by c|net Reader May 27, 2009 7:35 AM PDT
"1 out of every 1.1 e-mails is junk." Why so obscure and awkward? How about "90 out of every hundred" or "904 of every thousand?"
by Austin_Mike May 27, 2009 1:31 PM PDT
Gmail spam filtering = FTW!

Seriously though -- it's really not all that hard to avoid spam in the first place. I get a few in my gmail spam box, but never has one gotten through to my actual inbox. Google has the best damn spam filters there are.

At the office I run Vircom ModusGate appliances to protect my Exchange environment. Rarely do any spam emails make it through (and I've never had one make it through to my specific email account).

Spam and its success can 99.99999% of the time be attributed to end-user stupidity. Period.
by Jim1900 May 28, 2009 7:44 PM PDT
Spam has gone down for me the last few years. Probably my ISP's filtering has improved. But I also use MailWasher to check my email on the server before it ever gets to my PC. It is easy and fast to tell what is legitimate and what is not. Only the good stuff gets to my Inbox, and no web bugs or images get through. I get maybe one spam every other day now.
by RayGauthier May 29, 2009 6:21 AM PDT
The idea of an email "tax" may have merit, with some adjustments:

How about allowing the first 1,000 messages, both IN and OUT-bound per month, to be free, or at least included in the base cost of the service?

How about ISPs providing customers with a monthly report on the number of email messages the customer sent/received? That way people can determine if their systems have been botted and take appropriate action.
by cjudith May 30, 2009 9:03 PM PDT
I don't get it! I have an online email account and I rarely get more than one or at the most two spam a day. It goes into a spam folder not in my Inbox. Maybe once every six weeks or more I find one in my Inbox. What's great is not having to worry about it.
Years ago when I had an msn POP account, pretty much all I got was Spam.
by jeffreyjhardy July 13, 2009 11:48 AM PDT
Cool blog post on advanced spam protection techniques and using them all to achieve "five 9s" protection:
http://www.smartertools.com/blog/archive/2009/07/10/taking-email-to-five-nines-spam-protection-why-commtouch-with-smartermail.aspx

Be well,