Press Release

LinkedIn Facebook Twitter RSS

Symantec Announces May 2010 MessageLabs Intelligence Report

URLs in spam increase; New African internet attracts spam botnets

MOUNTAIN VIEW, Calif. – May 26, 2010 – Symantec Corp. (Nasdaq: SYMC) today announced the publication of its May 2010 MessageLabs Intelligence Report. Analysis reveals that nine out of ten spam emails now contain a URL link in the message. In May, five percent of all domains found in spam URLs belonged to genuine web sites. Of the most frequently used domain names contained in spam URLS, the top four belong to well-known web sites used for social networking, blogging, file sharing and host other forms of user-generated content.

"Domains belonging to well-known web sites tend to be recycled and used continuously compared with 'disposable' domains which are used for a short period of time and never seen again," said MessageLabs Intelligence Senior Analyst, Paul Wood. "Perhaps this is because there is some work involved in acquiring them: the legitimate domains require CAPTCHAs to be solved to create the large numbers of accounts that are then used by spammers."

While Rustock is the botnet that uses the greatest number of disposable domains, Storm, which has recently returned to the spamming scene, is the only botnet that uses genuine domains in greater number than disposable domains. Sixty-five percent of spam from the Storm botnet uses a legitimate domain, many of which are for URL shortening services. Disposable domains are often used quickly after being first registered; and on average, 50 percent are used within nine days, before spammers switch to newer domains.

Also in May, MessageLabs Intelligence analyzed the growth of spam and botnets in some of the countries along the eastern coast of Africa, namely those which received greater broadband connectivity in July 2009. The proportion of global spam that comes from Africa overall has increased to 3 percent of global spam in May 2010 from just under two percent in April 2009, reflecting an extra 1.2 billion spam emails being sent from Africa daily compared to one year ago.

While historically countries not in the eastern portion of the continent have sent the majority of spam from Africa, this output has shifted east over the past year. The proportion of spam coming from the rest of Africa has decreased from 86 percent to 80 percent while that coming from countries located in the eastern region has increased from 13 percent to 19 percent. This rise originated most notably from Kenya, Rwanda and Uganda where spam output has increased to 7.2, 6.3 and 5.7 times respectively the amount that was being sent one year ago.

"Historically, broadband adoption has been a tipping point for spammers to acquire more bots," Wood said. "The new undersea fiber optic cable along the east coast of Africa has enabled rapid growth in the number of users obtaining high speed connections to the internet creating a great opportunity for attackers to infect new machines and create new bots."

Finally in May, MessageLabs Intelligence intercepted a malware attack featuring the theme of the soccer World Cup competition due to begin in June 2010. Composed in Portuguese and featuring the branding of one of the event sponsors, the email was sent from an IP address in Macau, China.

"Once downloaded and activated, the malware produces files that generate pop-up messages and in the background collects information on what other machines are on the same network enabling the attacker further access to the compromised computer," Wood said.

Other Report Highlights:

  • Spam: In May 2010, the global ratio of spam in email traffic from new and previously unknown bad sources was 90 percent (1 in 1.11 emails), an increase of 0.3 percentage points since April.
  • Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 211.6 emails (0.473 percent) in May, an increase of 0.18 percentage points since April. In May 22.6 percent of email-borne malware contained links to malicious websites, a decrease of 6.3 percentage points since April.
  • Endpoint Threats: MessageLabs Intelligence can now analyze additional threats against endpoint devices such as laptops, PCs and servers and the trends surrounding them following the launch of our new Hosted Endpoint Protection service. Malware may penetrate an organization in many ways, including drive-by attacks from compromised websites, Trojan horses and worms that spread by copying themselves to removable drives. For example, “AutoRun” is a feature of Windows that allows an executable to be run when a removable drive is connected to a computer. The most frequently blocked malware for the last month was the Sality.AE virus, which spreads by infecting executable files and attempts to download potentially malicious files from the Internet.
  • Phishing: In May, phishing activity was 1 in 237.1 emails (0.42 percent) an increase of 0.2 percentage points since April. When judged as a proportion of all email-borne threats such as viruses and Trojans, the proportion of phishing emails had increased by 10.3 percentage points to 80.6 percent of all email-borne malware and phishing threats combined.
  • Web security: Analysis of web security activity shows that 12.4 percent of all web-based malware intercepted was new in May, an increase of 1.5 percentage points since April. MessageLabs Intelligence also identified an average of 1,770 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, an increase of 5.6 percent since April.

Geographical Trends:

  • Spam levels in Hungary rose to 95.4 percent in May positioning it as the most spammed country.
  • In the US, 90.5 percent of email was spam and 89.4 percent in Canada. Spam levels in the UK were 89.6 percent.
  • In the Netherlands, spam accounted for 91.1 percent of email traffic, while spam levels reached 89.5 percent in Australia and 91.8 percent in Germany.
  • Spam levels in Hong Kong reached 91.5 percent and spam levels in Japan were at 87.7 percent.
  • Virus activity in Taiwan was 1 in 59.8 emails, keeping it as the most targeted for email-borne malware in May.
  • Virus levels for the US were 1 in 339.7 and 1 in 230.9 for Canada. In Germany, virus levels were 1 in 160.9, 1 in 610.5 for the Netherlands, 1 in 343.2 for Australia, 1 in 203.4 for Hong Kong, 1 in 218.2 for Japan and 1 in 464.7 for Singapore.
  • UK remained the most active country for phishing attacks in May with 1 in 121.8 emails.

Vertical Trends:

  • In May, the most spammed industry sector with a spam rate of 95.1 percent remained the Engineering sector.
  • Spam levels for the Education sector were 91.0 percent, 90.8 percent for the Chemical & Pharmaceutical sector, 90.7 percent for IT Services, 90.7 percent for Retail, 89.2 percent for Public Sector and 88.5 percent for Finance.
  • In May, the Public Sector remained the most targeted industry for malware with 1 in 74.2 emails being blocked as malicious.
  • Virus levels for the Chemical & Pharmaceutical sector were 1 in 262.7, 1 in 187.5 for the IT Services sector, 1 in 347.2 for Retail, 1 in 109.2 for Education and 1 in 272.9 for Finance.

The May 2010 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available at

Symantec’s MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at

Note to Editors: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at All prices noted are in U.S. dollars and are valid only in the United States.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.