You hear all sorts of statistics these days about the level of threat faced by companies, and the Infosecurity show is bound to see these rolled out by vendors at every opportunity. But which ones deserve to be taken seriously?

Proving there is a threat is easy; working out the scale of this is another thing altogether. We decided to research the latest reliable figures we could get our hands on for each type of security threat. We’re not claiming these as definitive but we’ve tried to use independent organisations wherever possible, or commercial ones we’re prepared to trust.

In the first of the series, we do a quick assessment of what has become the big security problem of the day, spam. There was a time when its effects were mainly as a nuisance – many persist even now in seeing spam in those narrow terms. But it has for some time been the main means by which more serious attacks are initiated – e-mail-attached worms, phishing, invitations to Trojan-spreading websites - so it counts as company security enemy number one. The problem with e-mail is that it is a neat way of getting round traditional perimeter security devices such as firewalls which were not designed to interrogate this type of application traffic.

Where does spam come from?
Anti-virus vendor Sophos recently published some interesting statistics on the country of origin of spam. They call these countries the “dirty dozen”, but it’s really the top three, the US, South Korea and China which are the notable names. These countries have been in the top three for some time now, though the contribution of the US has recently been dropping a bit in relative terms.

1. United States (35.7 percent)
2. South Korea (24.9 percent)
3. China and Hong Kong (9.7 percent)
4. France (3.1 percent)
5. Spain (2.7 percent)
6. Canada (2.6 percent)
7. Japan (2.1 percent)
8. Brazil (1.9 percent)
9. United Kingdom (1.5 percent)
10. Germany (1.2 percent)
11. Australia (1.2 percent)
12. Poland (1.2 percent)

According to Sophos, 50 percent of this spam is sent from “zombie” PCs, computers being used as relays without their owners knowing about it.

How much spam is there?
Estimates on total e-mail volumes vary, but we’ll take IDC’s 2004 statistic of 30 billion messages passing over the Internet each day as a good starting point. If that sounds like an implausibly high amount of useful communication, there is a simple explanation – most e-mail traffic is not legitimate.

The most quoted statistics on the amount of rogue e-mail come from vendors as they’re the ones with a motivation to collect information on the topic, usually by analysing their own user base. A representative sample of spam volumes between January and March 2005 (quoting the percentage of spam of total e-mail volume), offered the following data.

- Postini (82 percent)
- Spamhaus (75 percent)
- Tumbleweed (70 percent)
- Symantec-Brightmail (68 percent)
- MessageLabs (83 percent)

Some variation there but if we take an average from this representative survey we get spam rates of about 75 percent or all e-mail. This might edge up in the coming year as detection improves, and if spam continues to increase.

A significant volume of e-mails passing through the average ISP server – up to 30 percent - are likely to be directory harvest attacks (DHAs), a technique for getting real addresses by figuring out which e-mails don’t bounce. These are the fuel for further spam growth. It is reckoned that a sizable number of such attacks succeed.

Tumbleweed has an interesting take take on the spam phenomenon by classifying it as part of the larger phenomenon of “dark traffic”, basically any non-legitimate e-mail-related traffic. Other examples would include DHA attacks, malformed SMTP packets, and e-mail DoS attacks. The company says the volume of inbound traffic falling into this category is around 70 percent.

How much is phishing spam?
This is a tricky one as different agencies describe e-mail criminality in different ways. Some separate out phishing spam, others use broader terms such as “fraud” to describe the issue, but that includes other types of cyber-crime such as straight e-mail scams.

First port of call is the anti-phishing working group (APWG). The latest available report states that in February there were just over 13,000 unique phishing e-mails, hailing from 2,600 websites. In that month, 64 different brands were hijacked as lures for the phishing out of a total of 164 brands since the APWG started reporting in November 2003.

As with e-mail, the top location of for hosting a phishing site was the US (37 percent), followed by China/Hong Kong/Taiwan (28 percent), and Korea (11 percent).

The amount of spam made up of phishing e-mails is lower than one would assume from the recent publicity on the topic. Symantec puts the absolute number of phishing e-mails at around 4.5 million per day (33 million per week), which equates to fractions of a percent of the total spam volume. CipherTrust puts the percentage as high as one percent, while puts the figure at just over half of one percent. These figures are representative so we can assume the volume is less than one percent for sure. This ignores the effects of phishing which are, of course, out of proportion to the amount of traffic.

How successful is phishing?
Gartner conducted a phone poll of 5,000 people in the US in 2004 and came up with the figure $2 billion a year lost to banking scams, including online fraud and phishing. Since this includes a variety of bank and card scams, phishing will account for only a fraction that total. In the UK, Association for Payment Clearing Services (APACS) estimated 2004 banking fraud at £500 million ($950 million), £12 million ($22 million) of which was from online fraud, including, presumably, phishing. Banks don’t discuss the issue openly so it is hard to go much beyond these figures.

In summary:
- Most spam originates in the US, though China is catching up.
- Spam accounts for 75 percent of all e-mail, and is growing slowly for now.
- Other types of attack such as DHA help drive spam.
- Phishing accounts for less than one percent of all spam.
- Phishing’s financial rewards have been modest so far, but the phenomenon has undermined faith in the security of many institutions.
- A large but unknown portion of the Internet’s e-mail systems spend their time processing traffic that is utterly useless or, worse, malevolent.