This week I have read many articles talking about one thing: spam from China has dropped greatly. Regularly in the top five just two years ago, China is now ranked at number 18 on IronPort's list of spam-producing countries, and at number 20 according to Sophos. For China, a country with an internet population larger than the entire population of the United States, this is no simple feat. In comparison, the U.S. is still the top-spamming country, according to Sophos.
In fact, IronPort's "finding" lags by more than a year. Other groups pointed out similar facts long ago, for example:
- ICSA Labs reported that "spam originating in China plummeted 65%" (Jan 04, 2010)
- Sophos reported that "China dramatically disappears from list of worst spam-relaying nations for the first time" (Apr 28, 2010)
What caused spam from China to drop did not set out to do so. It was really an effort to solve the botnet problem within China. The Chinese government put two orders (or are they regulations? Both were written in Simplified Chinese.), "Notification Guidelines for Internet Security Incidents" and "Detection and Response Mechanism against Trojans and Botnets", into effect in June 2009. These build the framework for all parties involved to work together to track and dismantle botnets. As we all know, 80% of global spam is sent by botnets. So as China gradually cleans up those malware-infected computers (I hope my notification to CNCERT is being put to good use in the process), spammers also lose their spam-sending machines in China. The spam reduction we see today is just a nice by-product of China's botnet mitigation effort.
While China is still high on my botnet chart, as someone who detects botnets every day I can say that China has come a long way in botnet mitigation, which eventually leads to its spam reduction. The Chinese way of botnet mitigation (a formalized incident response mechanism), like the mitigation framework I proposed before, might not be for everyone, but eliminating malware-infected computers is absolutely the right way to cut down global spam, for the present.
Chih-Cherng Chin:
Not sure if our ICSA Labs blog alerts you. In case it does not, I just today saw, posted, and replied to your question/comment. As a reminder it is at https://www.icsalabs.com/blogs/whatever-happened-china
Take care,