Malicious spam soars to new level

According to a new survey, almost 30 percent of all spam now comes loaded with some kind of link to malware, marking a dramatic increase in the last few months.

If you are thinking of buying replica watches or performance-enhancing pills over the Internet, then be very careful – you could be getting more than you bargained for.

According to new figures from email security firm Marshal Inc, around 30 percent of all spam now comes loaded with some kind of link to malware, marking a dramatic increase in the last few months.

According to Marshal's vice president of products, Bradley Anstis, the operators of botnets are facing an increasingly competitive environment, with the going rate for spammers to send a million spam messages now down to as little as US$5 to $10.

"Service revenues from the botnets are down. So now if they're sending an email message out, they feel they might as well throw some malware in there as well in order to extend their botnet," Anstis says. This type of message usually includes the URL of an infected website, which the recipient of the message is invited to visit.

In its latest half-yearly report on the state of spam, Marshal reports that spam volumes doubled in the year ending June 30 2008, and product spam – which pushes merchandise like replica watches and fake designer accessories - rose significantly, challenging the supremacy of health-related 'pills' spam

Anstis says the whole botnet infrastructure changed last year. "Before…the spammers had their own T1 lines and pumped out their messages. Now they hire capacity from the botnet herders," he says.

The biggest botnets are now run as professional businesses offering service-level agreements and 24-hour support lines. "But you won't find them in the phone book," he says. "You need first to be vetted. They are paranoid about getting busted open by the authorities. The process happens through online forums, where clients have to prove their worth before they can be admitted."

According to Marshal, the bulk of the business rests with a few people. The company found that 75 percent of spam came from just three botnets, and the top seven spamming botnets were responsible for 90 percent of all spam.

Despite the general perception that response rates on product spam are low, Marshal discovered recently, in an online poll of 622 Internet users, that 29.1 per cent of respondents admitted to buying products in response to a spam message. The most commonly purchased items included sexual enhancement pills, software, pornography and luxury items, such as watches, jewellery and clothing.

Most of the malicious spam messages take a different tack, however, and try to send the user to an infected website. Such messages contain subject lines like "Homeless man wins lottery," "Angelina Jolie dies in plane crash," or most recently, "Journalists shot in Georgia".

Once the user goes to the site, the spambot code can be downloaded on to their machine, from where it can make contact with a control server. It then downloads a spam template and a list of email addresses and begins sending out messages without the user's knowledge.

Anstis blames the ISPs for much of the continued success of the spammers. "They are basically making money out of spam, which is pretty frustrating for us. ISPs should be doing more," he says. "ISPs don't all play to the same rulebook. For instance, where we see phishing websites or spoof websites, it can take days to get them taken down."

The anti-spam group, the Spamhaus Project, agrees. On its website (www,, the group does not mince its words: "Spam continues to plague the Internet because a small number of large Internet Service Providers sell service knowingly to professional spammers for profit, or do nothing to prevent spammers operating from their networks."

The Spamhaus group then goes on to name the top 10 worst culprits. The list of providers is headed by iPlan Inc. of Argentina. France Telecom Inc. was recognized fifth, and the UK-based SkyVision Inc. took the 10th position.

Read more on Application security and coding requirements