WASHINGTON (08/11/2004) - Just under 86 percent of spam sent to 1,000 enterprises between May and July came from U.S. spammers, according to a survey by CipherTrust Inc.

While U.S. IP (Internet Protocol) addresses made up only 28 percent of the spam-sending
addresses in CipherTrust's survey, those U.S. addresses sent out much more unsolicited
commercial e-mail than spammers from other nations, according to the company. In contrast,
nearly 29 percent of the IP addresses sending out spam during the three-month survey were in
South Korea, while only 3 percent of the spam came from there.

The survey, which sampled about 5 million pieces of spam sent to 1,000 CipherTrust customers,
runs counter to some other surveys and some critics of the Controlling the Assault of
Non-Solicited Pornography and Marketing (CAN-SPAM) Act, who suggested a U.S. law would have a
limited effect because of the amount of spam that comes from outside the U.S. CAN-SPAM, which
allows fines of up to US$6 million and up to five years of jail time for some fraudulent
spamming activities, was signed into law by President George W. Bush in December.

CAN-SPAM sponsor Senator Ron Wyden, an Oregon Democrat, pushed for the law as a way to go
after a small number of "kingpin" spammers, and Dmitri Alperovitch, a research engineer with
CipherTrust, suggested that the survey shows that there is, indeed, a small number of U.S.
spammers sending millions of pieces of spam.

"I was really very surprised by the numbers," Alperovitch said. "(Kingpin spammers) have
these very high-bandwidth computers, and they're able to send out a large amount of spam."

According to the survey, just under 3 percent of spam came from China and Hong Kong, just
over 2 percent from Canada and about 1.5 percent from the Ukraine. Of the IP addresses
sending spam, 23 percent were from China and Hong Kong, and another 4 percent were from
Brazil.

In contrast, competing antispam vendor Commtouch Software Ltd. in April suggested 40 percent
of spam came from outside the U.S. Commtouch's survey, however, didn't measure the total
number of spam messages sent, but the number of spam "outbreaks," and the company defined an
outbreak as the bulk sending of one spam message.

During CipherTrust's survey, Alperovitch also noticed another trend -- an attempt by some
spammers to make it harder for recipients to unsubscribe from spam messages. While CAN-SPAM
requires that senders of commercial e-mail include an "Internet-based" opt-out mechanism,
some spammers have included only postal addresses in their opt-out messages, requiring
recipients to send paper mail to the spammers to opt out of future spam.

CipherTrust has supported efforts in Congress to attack spam, but enforcement and technology
solutions are needed along with the law, said Jennifer Martin, CipherTrust's manager of
corporate communications. "The teeth that are in (the law) aren't teeth enough," she said.

More enforcement against large spammers is needed, added Alperovitch. "They don't have the
fear of God in them," he said.

Grant Gross

Posted August 11, 2004 11:51 PM | TrackBack (1)