Unwanted email, commonly referred to as spam, has been a longstanding internet nuisance and security issue. New research released today by IBM provides insight into the work habits of the largest spam operators, and as it turns out, the typical spam workweek is closely aligned with regular business hours.
Using six months of data, from December 2016 to June 2017, IBM’s analysis found that over 83 percent of all spam is sent on weekdays.
“Our X-Force research team in Kassel, Germany, runs one of the largest databases of spam research and honeypots,” Limor Kessem, executive security advisor at IBM Security, told eWEEK. “The data comes from 27 billion web pages and images analyzed per day, 13 million webpages crawled per day, and 20 million spam emails per day captured by our spam honeypots. Our data also includes collaboration feeds with other anti-spam organizations.”
The busiest day of the week for spam by volume is Tuesday, followed by Wednesday and Thursday. IBM’s analysis found that spam tends to start around 1 a.m. ET during the week and drops off around 4 p.m. ET. According to IBM X-Force, although spam does occur 24 hours a day, there is a decline in volume during overnight hours.
“In this particular research, we focused on the weekday and the hourly rates of spam,” Kessem said. “In general, there is always a monthly fluctuation in spam, depending on the total of campaigns launched by all actors combined for a given month, as well as seasonal trends like increased spam activity around tax time, the holidays or even timed with large sporting events like the Olympics.”
Although spam distribution today includes significant amounts of automation, Kessem noted that even with automation, spamming still requires ongoing attention from those who control botnets or other spam mailers. She added that the more sophisticated spam gangs, like Necurs, send spam in very short bouts, directing it to specific lists according to region and type of recipient.
“So, while some of the spam is quite indiscriminate and subsequently gets blocked by filters and security technology, the more malicious emails—ransomware, Trojans—are handled with extra caution and significant planning and human involvement prior to distribution of the spam to make sure they make it to as many potential victims as possible,” she said.
Spam botnets, which often comprise compromised victim machines that unknowingly are sending out spam, are a core element of the spam distribution model. Kessem noted that the percentage of spam from botnets varies all the time.
“In some months, we do see the lion’s share come from prominent botnets, like Necurs, and other times it can be more diverse,” Kessem said.
IBM’s analysis found that India is responsible for 30 percent of the spam it tracked from December 2016 to June 2017. Kessem said not all spam originating in India is aimed at U.S. targets. In contrast, spam sent from the United States and Canada only represented 7 percent of all spam observed by IBM X-Force.
“Spam, like phishing and malware, is indeed an old problem,” Kessem said. “With that, it has not been solved yet, in part because organizations and webmail providers are there to deliver mail and not block it.”
Although users and organizations have become more educated about spam and technology has evolved to filter spam, Kessem said spam is still the most popular way to deliver malicious content. From spear phishing to run-of-the-mill ransomware spam, attackers find creative ways to make recipients click, but also shuffle up the delivery vehicles, wrapping the malcode in extra layers.
“Spam is indeed an old threat, but one that always has new tricks up its sleeve to bypass controls and get to at least some recipients,” Kessem said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.