The United States sends out more spam than any other country in the world, according to a report published Monday by security firm Sophos.
During the second quarter of 2009, 15.6 percent of the globe's junk mail traffic was relayed from the United States, followed by Brazil, which was responsible for 11.1 percent, and Turkey, at 5.2 percent. The top three rankings did not change from the first quarter.
Typically, the relaying PCs were part of large botnets designed to deliver unwanted emails on behalf of spammers located elsewhere, the report said. That is, the spam usually did not originate in the United States, but could be traced to compromised U.S. machines that actually sent it out.
In any case, the numbers on spam volume do not tell the whole story.
“Another way to look at it is by looking at the number of infected computers that are relaying spam,” Dmitry Samosseiko, head of anti-spam operations at SophosCanada, told SCMagazineUS.com on Monday. “If you look at it this way, the United States is no longer the leader. It's Brazil. In other words, measured by the number of infected computers, the United States is not the top country.”
The difference is that in the United States, every computer that is compromised and sending out spam is much more efficient, he explained. Broadband is more widely available here than in other countries – dial-up computers cannot send as much spam in the same amount of time.
The rankings of all the countries in the Sophos study, which is published quarterly, are shown here.
Since the last report, published in April, the most notable change was China, which dropped from No. 3 to No. 7, or from eight percent down to four. This is not surprising, Samosseiko said.
“What normally happens is when you expose the internet to a population, initially they get online, but do not really pay much attention to security -- and become part of a large botnet,” he said. “As the users mature and get better educated, they secure their computers better.”
Annoying as spam is, the compromised computers in the United States could be used to mount other kinds of attacks as well, according to another Sophos researcher.
“Spam is not the only output from these compromised PCs,” Graham Cluley, senior technology consultant at Sophos, said in a blog post. “They can also be used to spread malware, steal identities and launch distributed denial-of-service attacks -- all without the knowledge of the computer owner who doesn't even realize that their computer is infected.”
“So much attention is given by the-powers-that-be to the threat of cyberterrorists and rogue states launching attacks,” he added. “But the fact is that it could be your sister-in-law Sandra who is helping the spammers without her knowledge, because her home PC is not properly defended.”