My Spam analysis for February 25 - March 2, 2008
This article is about current email spam categories and percentages, based on rule sets created for and reported by the anti spam tool - MailWasher Pro.
I use MailWasher Pro to screen all of my various incoming POP email accounts, and for which I write my own custom spam filter rules. I give each rule a unique name so I can track the different types of spam I am deleting and reporting. The program has an interesting incoming email statistics window, that includes a pie chart breakdown of the various types of spam that are recognized and dealt with by the software. I thought I would start sharing my spam pie chart results with you all. This is the first installment, which I will try to update during, or at the end of the week. I post a new report each week, running from Monday through Sunday.
My analysis of this week's spam shows that fraudulent pharmaceuticals, mostly Viagra and male enhancement pills, dominated all spam categories. Most of the spam emails for pharmaceuticals have links to websites hosted in China, where fake and counterfeit drugs are produced. Foremost among these are fake pharmacy websites, like the so called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, are they approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PC's, that are unknowingly members of various spam Botnets.
Due to my ongoing procedures I have merged some filters to simplify the reporting process, so the categories shown below may differ from the previous weeks' results. I have also created a special sender recognition filter, that when matched, assigns the status "BlackList" to those spam messages. This excludes lots of spam emails being categorized, since my blacklist rule is processed first. This saves processing power that is normally required by my custom filters.
My current statistics show that spam is now 53% of all my incoming email, for the week of February 25 through March 2, 2008. This is the same as last week. Without my custom MailWasher Pro filters identifying and automatically deleting most of this onslaught of spam, email would be essentially useless for me (if I had to sort out the spam manually). Thanks to those custom filters, which I work hard to keep updated, I only have to manually delete a handful of spam messages on a daily basis (which I then classify into filters). The machines sending this deluge of spam are all members of BotNets, with spam relays and remote command and control software surreptitiously installed, mostly by the Storm Worm or related Trojans. I see many identical spam messages in my statistics (sorted by subject), but sent from different places in the World, all with forged sender names, confirming that this is a World-wide Spam-demic."
MailWasher Pro spam category breakdown for February 25 through March 2, 2008.
| Blacklisted (by pattern matching): | 26.64% |
|---|---|
| Male enhancement spam: | 13.53% |
| Viagra and Viagra.com: | 2.42% |
| Other Pharmaceutical spam: | 11.10% |
| Other filters: | 21.26% |
| Counterfeit Watches and Shoes: | 18.36% |
| Casino spam: | 0% (3 emails) |
| Diploma spam: | 3.86% |
| HTML Tricks: | 4.83% |
| Spam sent to and from same email account: | 0% (4 emails) |
| Known Spam Subjects: | 0% (10 emails) |
These spam categories and their relative percentages shift a bit each week, as the BotMasters send new spam scripts to the zombie computers under their control. I will try to keep the percentages updated and merge miscellaneous categories as I am able to identify what they were spamvertising. Also, for over two months now, I have been blacklisting particular forged senders that match a pattern. The blacklisted category is quickly rising above all independent spam classifications, proving that my pattern matching is working. Many of the blacklisted spam messages are for counterfeit Viagra, illegal HGH, dubious male enhancement drugs, or pirated software.
If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Outlook, Outlook Express, Microsoft Mail, Thunderbird, Eudora, etc).
Take 10% Off 1 year of Trend Micro Internet Security 2010 - Use Coupon Code: trendsecurity
I mentioned in this article that I use MailWasher Pro to screen and filter out spam, before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the four 'biggies" that typically block 26+% of all spam.
I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case.
My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:
MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message
MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: —
Discard message
MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message
MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message
MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message
Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:
[enabled],XdomainY@domain.tld,BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. 
