Monday, April 25, 2011

Contagio data - targeted email senders by country / source

It is what it is. This is an analysis of email headers from messages sent to one targeted domain (Nov 2009 - April 2011). The headers were analyzed to find the IP addresses of the sending mail servers. Some of these servers are compromised, some belong to or are leased by the attackers. Only Gmail does not allow tracing the sender's IP: its headers show Google's own outbound servers rather than the originating client. It is a shame; I wish they listed the sender IP addresses.

I can post more detailed statistics; if you are interested, drop me a line.
My dataset is small and not suited for industry averages, but I still think it is representative of the situation.

Please note this is based on Contagio data only, which includes targeted messages with malicious attachments meant to compromise networks and steal data (so-called APT stuff), and does not include regular spam, banking trojans, or mass-mailed malware.
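To make the header analysis concrete, here is an added Python example (my own, not code from the post or the Contagio dataset) that walks the Received chain of a constructed message and picks the earliest routable hop as the sending mail server; the hostnames and addresses in the sample are made up.

```python
from __future__ import annotations
import ipaddress
import re
from email import message_from_string

# Constructed sample (not a real Contagio message): the target's MX accepted
# the mail from a relay at 203.0.113.45, which took it from a NATed workstation.
SAMPLE_MSG = """\
Received: from mx1.target.example (localhost [127.0.0.1])
    by mx1.target.example with ESMTP id A1; Mon, 25 Apr 2011 10:00:02 -0400
Received: from mail.relay.example (mail.relay.example [203.0.113.45])
    by mx1.target.example with ESMTP id A2; Mon, 25 Apr 2011 10:00:00 -0400
Received: from pc (unknown [192.168.1.20])
    by mail.relay.example with SMTP id A3; Mon, 25 Apr 2011 09:59:50 -0400
From: someone@relay.example
To: victim@target.example
Subject: report

attached.
"""

# "from <host> (... [<ip>])" as most MTAs write it; IPv4 only in this example.
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

# Addresses that cannot be the sending server: RFC 1918 space and loopback.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def received_hops(raw: str) -> list[tuple[str, str]]:
    """(host, ip) per Received header, earliest hop first. MTAs prepend
    Received headers, so the last one in the message is the first relay."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def sending_server(raw: str) -> tuple[str, str] | None:
    """Earliest hop with a routable address: the server the post attributes
    to a country. For webmail this is the provider's relay, not the client."""
    for host, ip in received_hops(raw):
        if not is_internal(ip):
            return host, ip
    return None
```

Received headers are attacker-controllable below the first hop your own MX wrote, so trust only the hops added by servers you operate when attributing a sender.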

8 comments:

  1. Where Indonesia?

  2. Your findings are not much different from what my mail server logs tend to indicate at any given point in time. Gmail has grown considerably!

    Sure hate to see the US on the list, but honestly, many computers with high-speed connections and un-tech-savvy owners == an ideal recipe for it.

  3. Since when was GMAIL a country?!

  4. I changed it to country / source, is it a little less confusing now?

  5. Thanks for this interesting post. Are these the mail sending servers or their command and control servers? The latter category is far more interesting in terms of incriminating countries or ISPs.

    I do not miss Indonesia particularly, but Eastern Europe and former Soviet republics all the more. They do have a reputation for phishing (although mostly targeted against banks).

  6. These are mail sending servers. I can post C&C servers sometime later. APT targeted mail from Russian and Eastern Europe mail servers is rare - I have fewer than 10. I don't cover banking trojan stats here but they are interesting in general.

  7. Can you tell me how you determine that a phishing message was sent to a single domain, and not to domains you don't have visibility into as well?

  8. I don't determine that, actually; I count by one recipient. The same message was possibly sent to hundreds of people in many companies, but this does not affect my stats.
