Spam insights from Project Honeypot

Project Honeypot just published a report of their experience in processing 1 billion spam messages.  Highlights for the impatient:

  • For the past 5 years, spam “bots have grown at a compound annual growth rate of more than 378%. In other words, the number of bots has nearly quadrupled every year.”
  • The top 5 countries which host bots are: China (11.4%), Brazil (9.2%), United States (7.5%), Turkey (6.3%), and Germany (6.0%).
  • Top 5 countries with the best ratio of security professionals to spam sources: Finland, Canada, Belgium, Australia (yay!), and the Netherlands.
  • The corresponding bottom 5: China, Azerbaijan, South Korea, Colombia, and Macedonia.
  • Top Spam harvesting countries: United States, Spain, the Netherlands, United Arab Emirates, and Hong Kong.
  • Fraud is rising as a cause for spamming:

    On the other hand “Fraud” spammers — those committing phishing or so-called “419” advanced fee scams — tend to send to and discard harvested addresses almost immediately. The increased average speed of spammers appears to be mostly attributable to the rise in spam as a vehicle for fraud rather than an increasing efficiency among traditional product spammers.

    As an anecdote to reinforce this, on one site i administer, i set up a dedicated subdomain which was purely designed to catch spam.  I placed some addresses in that domain on a web page, and within 1 day they had been harvested and 1 spam had been sent to each email address.  No email to that subdomain has been seen since.
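As an added example (not part of the original post, the report, or Project Honeypot’s own code), here is how the spam-trap measurement described above can be automated: seed addresses on the trap subdomain, record when each was published, then scan the MX’s mail log for the first delivery to each one. The difference is the harvest-to-spam latency the report talks about, and the sending IPs are a ready-made blocklist, since nothing legitimate ever mails a trap address. The trap addresses, seeding times, source IPs and the simplified Postfix-style log line format are all constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed: when each trap address was published on the honeypot subdomain (UTC).
SEEDED = {
    "trap-a@spamtrap.example.com": datetime(2009, 5, 10, 9, 0, tzinfo=timezone.utc),
    "trap-b@spamtrap.example.com": datetime(2009, 5, 10, 9, 0, tzinfo=timezone.utc),
    "trap-c@spamtrap.example.com": datetime(2009, 5, 10, 9, 0, tzinfo=timezone.utc),
}

# Constructed log lines in a simplified Postfix-style format with ISO 8601 timestamps.
# The last line is ordinary mail to a real mailbox and must be ignored.
LOG = """\
2009-05-10T21:42:11Z mx postfix/smtpd[2311]: 7F2A1: client=unknown[203.0.113.8], from=<winner@example.net> to=<trap-a@spamtrap.example.com>
2009-05-11T03:05:40Z mx postfix/smtpd[2311]: 7F2B9: client=unknown[198.51.100.23], from=<bank@example.org> to=<trap-b@spamtrap.example.com>
2009-05-11T08:30:02Z mx postfix/smtpd[2311]: 7F2C0: client=unknown[203.0.113.8], from=<winner@example.net> to=<trap-a@spamtrap.example.com>
2009-05-11T08:31:00Z mx postfix/smtpd[2311]: 7F2C1: client=mail.example.com[192.0.2.77], from=<bob@example.com> to=<alice@example.com>
"""

# Matches the constructed line format above (timestamp, client IP, envelope sender, recipient).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/smtpd\[\d+\]: \S+: "
    r"client=\S+\[(?P<ip>[^\]]+)\], from=<(?P<frm>[^>]*)> to=<(?P<to>[^>]+)>"
)


def parse_ts(text):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the constructed log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def trap_hits(log_text, seeded):
    """Yield (received_at, source_ip, sender, trap_address) for each delivery to a trap."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a recipient line we understand; skip rather than guess
        to = m.group("to").lower()
        if to in seeded:
            yield parse_ts(m.group("ts")), m.group("ip"), m.group("frm"), to


def harvest_latency(log_text, seeded):
    """Hours from publication to the first spam for each trap; None if never hit."""
    first_seen = {}
    for received, _ip, _sender, trap in trap_hits(log_text, seeded):
        if trap not in first_seen or received < first_seen[trap]:
            first_seen[trap] = received
    return {
        trap: ((first_seen[trap] - published).total_seconds() / 3600
               if trap in first_seen else None)
        for trap, published in seeded.items()
    }


def spam_sources(log_text, seeded):
    """Count trap deliveries per sending IP: any host mailing a trap is a spam source."""
    return Counter(ip for _ts, ip, _sender, _trap in trap_hits(log_text, seeded))


if __name__ == "__main__":
    for trap, hours in harvest_latency(LOG, SEEDED).items():
        print(f"{trap}: {'never hit' if hours is None else f'{hours:.1f} h to first spam'}")
    for ip, n in spam_sources(LOG, SEEDED).most_common():
        print(f"{ip}: {n} trap hit(s)")
```

The trap addresses never appear anywhere except the seeded web page, so every hit is a harvester-fed spam run by definition; the same parser can feed the source IPs into an SMTP-level block or a greylisting policy.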

Check out Project Honeypot’s full analysis.


More grist for the "long passwords" mill

For a long time, i’ve told my clients and friends that the best way to make a password is to write a short sentence or phrase. A recent study linked from Slashdot IT reinforces this. The executive summary: if you make your password 13 or more characters long, and it isn’t a single dictionary word, it is likely to be safe from anyone with less than US$10 million to spend on the problem, assuming current market prices for cloud computing CPU time. Note what that estimate covers: an attacker searching the whole character space offline against a properly hashed password. It says nothing about a password that is reused across sites, phished, or leaked in plaintext by a breached service, and a phrase lifted from a well-known quotation or song lyric has far less entropy than its length suggests, because attackers also run lists of common phrases.

Without going through all of my previous advice, the simple rule for passwords is: think of something you relate to your password, or just something that you think about a lot, and then write a complete phrase or sentence about it. Of course, none of this will save you from a wrench password attack, where someone simply coerces the password out of you.
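The reasoning behind the “13 characters” rule is just keyspace arithmetic, and it is worth seeing why the rule holds for a random string but can fail for a phrase. The estimator below is an added example, not code from the study or the Slashdot article, and it goes beyond the text in one way: it scores a password under the weakest attack model that applies to it, a word-level search when the password is made of common words, and a character-level brute force otherwise. The common-word list, the assumed attacker dictionary of 100,000 words, the guess rate and the hourly compute price are all assumptions chosen for illustration, not figures from the page.

```python
import math
import string

# Character classes for the brute-force (character-level) model. An attacker searches
# only the union of the classes actually present, so a lowercase-only password is
# scored over 26 symbols, a fully mixed one over 95.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)

# Constructed list standing in for an attacker's dictionary of common words.
COMMON_WORDS = {
    "my", "cat", "sleeps", "on", "the", "router", "password", "correct",
    "horse", "battery", "staple", "letmein", "dragon", "sunshine",
}


def alphabet_size(password):
    """Size of the smallest class-union alphabet an attacker would have to search."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    return size or 1


def estimate_bits(password, common_words=COMMON_WORDS, dictionary_size=100_000):
    """Entropy in bits under the weakest applicable model.

    If every whitespace-separated token is a common word, the password is scored as
    a word-level search over an assumed dictionary of `dictionary_size` words
    (100,000 is an assumption, not a figure from the study). Otherwise it is scored
    as a character-level brute force. Limitation: words run together with no
    separator ("correcthorse") fall through to the character model, which
    overstates their strength against a word-combination attack.
    """
    tokens = password.lower().split()
    if tokens and all(t in common_words for t in tokens):
        return len(tokens) * math.log2(dictionary_size)
    return len(password) * math.log2(alphabet_size(password))


def expected_cost_usd(bits, guesses_per_second, usd_per_hour):
    """Expected cost to find the password by exhaustive search.

    On average the attacker covers half the space. `guesses_per_second` and
    `usd_per_hour` are assumptions the caller supplies; they depend on the hash
    algorithm and on current cloud prices, which this page does not quote.
    """
    expected_guesses = 2 ** bits / 2
    hours = expected_guesses / guesses_per_second / 3600
    return hours * usd_per_hour


if __name__ == "__main__":
    # Assumed attacker: 1e9 guesses/s of a fast hash, rented at US$0.10 per hour.
    for pw in ("password", "correcthorse", "kX9#mQ2!vL4$z", "My cat sleeps on the router"):
        bits = estimate_bits(pw)
        cost = expected_cost_usd(bits, 1e9, 0.10)
        print(f"{pw!r}: {bits:5.1f} bits, expected cost US${cost:,.2f}")
```

The 13-character random string and the six-word sentence both land far above the budget the page describes, while a single dictionary word is free to crack no matter how long it is; the model, not the character count, is what decides.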


"Just say no!" to e-cards

Richard Bliss recently blogged at Novell and on his personal blog with some great advice: don’t click on e-cards from your friends, and think about asking them not to send them at all, since the risks of clicking on e-cards vastly outweigh the benefits: a “you have a card waiting” message with a link is a ready-made lure for phishing and malware delivery, and the sender’s name proves nothing. Here’s another thought: real money spent on real cards, envelopes, and stamps shows that you’ve actually made an investment in reminding your friends and family of your regard for them. It’s much better for your online security, too! (Of course, one could argue that it is less environmentally friendly, but you can find cards and envelopes made from recycled materials.)