
From Russia with (objective) spam stats

It's not every day that I get the chance to speak with a representative from the Russian Association of Electronic Communications (RAEC).

Especially with one who's publicly admitting that, based on their recently released study, not only are seven of the world's top ten spammers Russian, but the world's number one spammer is also a Russian who lives in Moscow.

Here are the key findings from their study, and the summary points based on my conversation with RAEC's head of PR, Dmitry Zakharov.

  • Seven of the top 10 spammers are Russian
  • The world’s biggest spammer is Russian, lives in Moscow and controls the biggest spam network selling pharmaceuticals over the Internet
  • Russian spammers earned 3.74 billion rubles ($127 million) in 2009
  • The Russian economy lost 14.1 billion rubles ($479 million) in reduced working hours in 2009
  • One-fifth of all Russian Internet advertisements is spam
  • US-based servers are responsible for 17.3 percent of worldwide spam, ahead of any other country
  • 16.4 percent of Russian spam originates from servers based in the US
  • Some 83 percent of spam messages are sent by ‘botnets’, armies of zombie computers, based at home and in the office
  • Adverts for harmful, counterfeit Viagra are responsible for 73.7 percent of spam worldwide

So far, so good, in the sense that 50% of the problem is always solved by admitting it first.

What their research aims to emphasize is that, whereas the world's top spammers are Russians, they are abusing U.S.-based infrastructure (Research: 76% of phishing sites hosted on compromised servers) for their malicious operations, which, depending on their nature, will also utilize the network infrastructures of many other countries to accomplish their tasks using botnets.

The true value lies in the conversation we had beyond the findings in their press release. Here are the highlights:

  • Spammers make more money than they are fined - According to RAEC's study, based on publicly obtainable data on fines against EU-based spammers, in 2009 the fines (€2.85 million) represented slightly more than 1% of their profits (€218 million). The same situation is often seen in different markets, where the companies engaging in illegal activities are in fact making so much money that they can afford to pay the fines imposed on them. However, despite the obvious need for higher fines for spammers, from my perspective, imposing those fines on a participant within an affiliate network, in situations where you cannot get to the masterminds of it, undermines their effectiveness.

  • Russian cybercriminals are ahead of the legal framework - With anti-spam legislation in Russia virtually non-existent, it's no surprise that so many people are operating in the open, without any fear of prosecution. However, another paradox we talked about was the fact that some Russian spammers, and cybercriminals in general, operate their campaigns outside Russia, in countries with developed anti-spam and anti-cybercrime laws. Yet, they are still at large.

  • The world's top spammers are Russian citizens, relying on U.S.-based infrastructure for their operations - Whether it's the systematic abuse of legitimate email providers (Gmail, Yahoo and Hotmail systematically abused by spammers), or compromised web sites, numerous independent studies continue to emphasize this fact. For instance, PhishTank's recent stats for February 2010 and MarkMonitor's Brandjacking Index for 2009 both point out that the U.S. is hosting the majority of phishing sites. What does this mean? It means that from a pragmatic perspective, given the active legal framework, resources and technical capabilities, spam and phishing shouldn't be the kind of problem it currently is. That's, of course, in a perfect world.
  • Spam and cybercrime in general are not a country-specific problem, but an international one - Although this is a fact that we both agreed on, another fact cannot be disputed - Eastern European-based cybercriminals going after financial data make Chinese cybercriminals look like cartoon heroes on their way to steal your virtual goods.
  • Go after the people, not the ISPs, as a form of public statement - The fact that there are people known as "spam kings" or "spam czars" means that they've been in operation for years. Moreover, based on the scale of their spam operations, and the money they make, a logical move on their part would be to keep a very low profile and put basic operational security measures in place. That's not the case, making it easier to go after them.
  • Try to get to the top of the affiliate network chain, instead of prosecuting/fining a participant in the affiliate network - Who's getting prosecuted for spamming at the end of the day? It's usually not the one who should be. The next time you hear that a spammer has been arrested, is being sued, and possibly even fined, ask yourself the following - is this guy the one running an affiliate network with hundreds of thousands of spammers participating in it, the supplier of the counterfeit pharmaceuticals, or is he basically one of the thousands of participants in the network?

Several of my questions, however, remained unanswered. For instance - Why are some of the Russian affiliate networks for spam already celebrating their 5th or 8th anniversaries?

The lack of an answer to this question is the result of a cybercrime ecosystem that was allowed to scale internationally throughout the years, ultimately leading to today's situation, where spam services are now a commodity, sometimes offered as a bonus for doing business with an illegal enterprise.

What do you think? Would the socially-oriented ambitions of the private sector get undermined by the lack of active cooperation with law enforcement, next to the overall lack of political will to solve the problem internationally? Or is RAEC's research a light in the tunnel, following the recent tightening of the procedures for registering a .ru domain?

Does it take an internationally successful identity theft ring (Russia arrests three over $9m RBS WorldPay scam) for Russian law enforcement to start taking action?

TalkBack.