Honeypot 2k9 Report
Written by MK23_Sysop   
Monday, 28 December 2009

 

Our research indicates that, unlike the bots used to send spam, the machines used for harvesting tend to be more permanent, stable, and closely connected to the actual spammer's location. So where are the spammers actually located? We think the list below gives the most accurate approximation.

Where Harvesters Are
#1 United States
#2 Spain
#3 Netherlands
#4 United Arab Emirates
#5 Hong Kong
#6 Romania
#7 Great Britain
#8 China
#9 South Africa
#10 Germany

How Do They Operate?

On average, spammers today are faster than they've ever been before. The chart below indicates the average time from harvesting an email address from a web page to when the spammer sends the first email to that address.

2004 49 days 18 hours 54 minutes 15 seconds
2005 32 days 15 hours 39 minutes 41 seconds
2006 29 days 29 hours 10 minutes 24 seconds
2007 23 days 11 hours 53 minutes 03 seconds
2008 22 days 12 hours 36 minutes 54 seconds
2009 21 days 17 hours 17 minutes 28 seconds

We have found that speed is tied to the content of the message. "Product" spammers -- those selling an actual product of some kind, whether it be fake pharmaceuticals, college degrees, or mortgage loans -- tend to operate on a slower cycle, spending approximately a month gathering email addresses and then targeting those addresses with a set of spam campaigns. Product spammers tend to hold on to email addresses longer and send on average several messages a week to each address on their list.

On the other hand, "Fraud" spammers -- those committing phishing or so-called "419" advance-fee scams -- tend to send to and discard harvested addresses almost immediately. The increased average speed of spammers appears to be mostly attributable to the rise in spam as a vehicle for fraud rather than an increasing efficiency among traditional product spammers.
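The harvest-to-first-spam measurement described above can be reproduced from a site's own honeypot logs. The sketch below is an added example, not code from the report or from Project Honey Pot; the log layout, the sample records and the one-day "send-and-discard" threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample data (not from the report). Assumption: every trap address
# is handed to exactly one harvester visit, so mail to it identifies that visit.
HARVESTS = {  # trap address -> (harvester IP, time the page was served)
    "trap-a1@example.org": ("192.0.2.10", datetime(2009, 3, 1, 8, 0, 0)),
    "trap-b2@example.org": ("198.51.100.7", datetime(2009, 3, 2, 9, 30, 0)),
    "trap-c3@example.org": ("203.0.113.5", datetime(2009, 3, 3, 12, 0, 0)),
}
SPAM = [  # (trap address, time the message arrived)
    ("trap-a1@example.org", datetime(2009, 3, 29, 10, 15, 0)),
    ("trap-a1@example.org", datetime(2009, 4, 2, 11, 0, 0)),
    ("trap-a1@example.org", datetime(2009, 4, 20, 7, 45, 30)),
    ("trap-b2@example.org", datetime(2009, 3, 2, 15, 30, 0)),
    ("trap-zz@example.org", datetime(2009, 3, 5, 0, 0, 0)),  # unknown address
]

def profile(harvests, spam):
    """Per address: delay to first spam, message count, active span."""
    out = {}
    for addr, (ip, seen) in harvests.items():
        # Ignore mail timestamped before the harvest (clock skew, bad logs).
        hits = sorted(t for a, t in spam if a == addr and t >= seen)
        if not hits:
            continue  # harvested but never mailed: no latency to report
        out[addr] = {"harvester": ip, "first_delay": hits[0] - seen,
                     "messages": len(hits), "active": hits[-1] - hits[0]}
    return out

def average_delay(profiles):
    secs = mean(p["first_delay"].total_seconds() for p in profiles.values())
    return timedelta(seconds=round(secs))

def classify(p, fast=timedelta(days=1)):
    """Hypothetical rule: mailed within a day and never again = send-and-discard."""
    if p["first_delay"] <= fast and p["messages"] == 1:
        return "send-and-discard"
    return "held-list"

def fmt(td):
    """Render a timedelta the way the report's table does."""
    h, rem = divmod(td.seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{td.days} days {h} hours {m} minutes {s:02d} seconds"

if __name__ == "__main__":
    profiles = profile(HARVESTS, SPAM)
    for addr, p in profiles.items():
        print(addr, fmt(p["first_delay"]), classify(p))
    print("average:", fmt(average_delay(profiles)))
```

Timing alone only separates the two sending behaviours; deciding whether a campaign is product or fraud spam still requires looking at the message content.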

One intriguing insight our data provides is that bad guys take vacations too. For example, there is a 21% decrease in spam on Christmas Day and a 32% decrease on New Year's Day. Monday is the biggest day of the week for spam, while Saturday receives only about 60% of the volume of Monday's messages.

[Chart: Volume of Spam by Day of the Week]

The chart below shows the time of day spammers are most likely to send their messages. All times in the chart are set to the East Coast timezone of the United States (GMT -0500).

[Chart: Volume of Spam by Time of Day]

Whom Do They Target?

Spammers are a creative bunch and we have seen a wide variety of offers show up in the one billion messages we have received. Among products sold through spam, pharmaceuticals remain the most popular. To give you a sense, we've seen the word "Viagra" spelled at least 956 different ways in order to try and trick spam filters (e.g., VIAGRA, V1AGRA, V1@GR@, V!AGRA, VIA6RA, etc.).
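On the filtering side, the spelling variants quoted above can be caught by expanding each letter of a keyword into a class of look-alike characters. This is an added example, not part of the original report; the substitution table goes beyond the characters in the report's examples (1, !, @, 6), and those extra entries, the separator rule and the sample text are assumptions.

```python
import re

# Look-alike characters seen in the report's examples (1, !, @, 6) plus a few
# common ones added here as assumptions; extend from your own spam corpus.
LOOKALIKES = {
    "a": "a@4", "e": "e3", "g": "g69", "i": "i1!|l", "o": "o0",
    "s": "s5$", "t": "t7+",
}
# Filler characters sometimes inserted between letters (assumed rule).
SEPARATORS = r"[\s._\-*]{0,2}"

# Constructed sample text using the spellings quoted in the report.
SAMPLE = ("Cheap V1AGRA, V1@GR@ and V!AGRA or VIA6RA; "
          "plain VIAGRA too. Also v.i.a.g.r.a")

def obfuscation_regex(word):
    """Compile a regex matching `word` and its look-alike spellings."""
    parts = []
    for ch in word.lower():
        cls = LOOKALIKES.get(ch, ch)
        parts.append("[" + re.escape(cls) + "]")
    body = SEPARATORS.join(parts)
    # Look-arounds keep the match from firing inside a longer token.
    return re.compile(r"(?<![a-z0-9])" + body + r"(?![a-z0-9])", re.IGNORECASE)

def find_obfuscated(word, text):
    """Return spellings in `text` that match `word` but are not the plain word."""
    rx = obfuscation_regex(word)
    return [m.group(0) for m in rx.finditer(text)
            if m.group(0).lower() != word.lower()]

if __name__ == "__main__":
    for hit in find_obfuscated("viagra", SAMPLE):
        print(hit)
```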

While spammers will often alter their messages to look different, some are remarkably consistent. The table below shows the top message FROM/SUBJECT line pairs over the last five years. We have also included our estimate of how many copies of each message were sent Internet-wide.

RANK | FROM | SUBJECT | EST. INTERNET-WIDE VOLUME
#1 | Instant Booster | Can you afford to lose 300,000 potential customers? | 100 billion
#2 | Internal Revenue Service | Notice of Underreported Income | 91 billion
#3 | Feed Blaster | Receive hundreds of targeted hits to your website | 65 billion
#4 | Hit-Booster | How to get free quality visitors to your website? | 51 billion
#5 | Feed Blaster | Feed Blaster puts your ad right to the screens of millions | 44 billion

To give you some sense, assuming an average message storage requirement of 4KB, over the last 5 years the total storage requirement imposed on the Internet by just the spammers sending the top-20 spam campaigns was over 2.5 petabytes.

Beyond the product spam, fraudulent spam increasingly dominates our spam stream. The chart below shows the relative distribution of the most phished organizations online.

[Chart: Most Phished Organizations]

While banks and financial institutions still make up a majority of the phishing scams circulated via spam, social networks are increasingly targeted. In 2008, there were virtually no Facebook phishing messages. Today Facebook is the second most phished organization online and, if current trends continue, is on track to take the top spot in 2010.

The Future of Spam

The good news for email users is that filtering technologies have done a terrific job keeping most of the volume of spam messages out of their inboxes. Behind the scenes, however, the volume of email spam continues to grow at a blistering pace. While spam may strike the average user as a minor annoyance, the real risk it continues to pose is providing a viable business model to finance the construction of bot networks. Our research indicates that these bots are increasingly multi-purposed into vectors for new types of attacks ranging from annoyances like comment spam to real threats like denial of service attacks (DDoS).

For example, if you run a blog you are aware of the comment spam attacks your site faces every day. This new breed of spammers uses the forms on websites to post advertisements and links to pages they are paid to promote. Project Honey Pot has been tracking their behavior for two years and has witnessed its growth in volume and sophistication.

Where Comment Spammers Are
#1 United States
#2 China
#3 Brazil
#4 Japan
#5 Russia
#6 South Korea
#7 Ukraine
#8 Poland
#9 Germany
#10 Hong Kong

Looking at the data patterns, comment spam in 2009 resembles email spam when Project Honey Pot began in 2004. While comment spammers today are tending to use a relatively limited set of machines to post their messages, if this new breed of spammers follows the email spammers' lead to massive adoption of bot networks then it will pose a significant threat to websites everywhere.

[Chart: Top TLDs In Comment Spam Links]

To counter these increasing threats, web administrators need to continue to share data about attacks they see on their own sites through efforts such as Project Honey Pot. Over the next year, we will be launching a number of new initiatives to increase the protection we offer. In the meantime, if you run a website, we encourage you to become a member of Project Honey Pot today and encourage others to do so as well. Only by working together do we stand a chance to face the challenges that lie ahead.

Finally, thanks to all the current Project Honey Pot members as well as the organizations that have helped us build our infrastructure.

 



Last Updated ( Thursday, 31 December 2009 )
 
© 2012 Nexus23 Labs