The location of spammers on a world map

September 8, 2009 – 4:12 pm
As part of some ongoing research into the behaviour of spammers we have started capturing the geographic location of spammers in a way that we can visualise it on a map. This map shows the source of spam attacks on our emailcloud network.

The map is drawn every hour by analysing the most recent 250,000 data points across our UK and US scan clusters. This data is analysed and stored in a database in Newcastle-upon-Tyne, and IPs are pinpointed on the map by using the GeoIP database. We save significant amounts of time by using memcached to cache IP lookups. Finally, we use the Google Charts API to draw the map.
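The hourly pipeline described above, as an added illustration rather than emailcloud's own code: it keeps the newest window of scan results, resolves each spam source IP to a country through a cached lookup, and emits per-country rows in the shape a Google Visualization GeoChart takes. The log format, the GeoIP table and the in-process cache standing in for memcached are all assumptions made for the demo.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed stand-in for the GeoIP database (first octet -> ISO country code).
# The real job queries the GeoIP library; this table is an assumption for the demo.
FAKE_GEOIP = {"200": "BR", "203": "CN", "122": "IN", "81": "GB"}

class CachedGeoLookup:
    """Memo table standing in for memcached; counts hits so the saving is visible."""
    def __init__(self, resolver):
        self.resolver, self.cache, self.hits, self.misses = resolver, {}, 0, 0

    def country(self, ip):
        if ip in self.cache:
            self.hits += 1
            return self.cache[ip]
        ip_address(ip)                 # raises ValueError on a malformed address
        code = self.resolver(ip)
        self.misses += 1
        self.cache[ip] = code
        return code

def build_map(lines, window=250000):
    """Keep the newest `window` points, count spam sources per country, emit chart rows.
    Constructed log format: '<epoch> <cluster> <source-ip> <verdict>'."""
    recent = sorted(lines, key=lambda l: int(l.split()[0]))[-window:]
    lookup = CachedGeoLookup(lambda ip: FAKE_GEOIP.get(ip.split(".")[0], "UNKNOWN"))
    counts = Counter()
    for line in recent:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "spam":
            continue                   # only scan verdicts of "spam" go on the map
        try:
            counts[lookup.country(parts[2])] += 1
        except ValueError:
            continue                   # skip garbage rather than abort the hourly run
    rows = [["Country", "Spam sources"]]  # shape a GeoChart DataTable accepts (assumed)
    rows += [[c, n] for c, n in counts.most_common() if c != "UNKNOWN"]
    return rows, lookup

SAMPLE_LOG = [  # constructed sample; timestamps deliberately out of order
    "1252425605 us 200.44.5.6 spam",
    "1252425600 uk 200.1.2.3 spam",
    "1252425601 uk 200.1.2.3 spam",   # repeat IP -> served from the cache
    "1252425602 us 203.5.6.7 spam",
    "1252425603 us 81.9.9.9 ham",     # not spam, not plotted
    "1252425604 uk 999.1.1.1 spam",   # malformed, skipped
    "1252425606 uk 122.3.4.5 spam",
]
```

Calling `build_map(SAMPLE_LOG)` returns the rows plus the lookup object, whose hit and miss counters show how much repeated-IP traffic the cache absorbs in a window.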
You can add this map to your website by inserting this into the html of the web page:
<iframe src="http://www.emailcloud.com/geo/geo.php" width="600" height="430">
<p>Your browser does not support iframes.</p>
</iframe>
  • Nice work, Ross. That's really interesting, and a very easy-to-understand way to present the information. Hans Rosling would be proud!

    Actually, that makes me wonder whether gapminder.org might be one way to show the change over time? It'd be simple, if maybe not quite as elegant as doing it yourselves. (I have a wonderful vision of the map colours animating to show the last few hours, a bit like the BBC weather maps!)
  • rosscooney
    Excellent idea, Rob! I have found this chart type:
    http://code.google.com/apis/visualization/docum...

    This is how Hans and the guys at gapminder.org draw their graphs. I will start to collect the correct data and map it out over the next few weeks.
  • Ross - building on Chris' point: maybe it's because Brazil has lots of hacked machines and they are acting as re-broadcast points for the spam?

    I.e. does this map say something about the overall level of security / patching on machines in this country? Or maybe operating systems?
  • rosscooney
    I am not sure. Almost all spam is sent using botnets or viruses, but significant amounts of spam are also relayed over the networks of corrupt ISPs. We don't do enough analysis of the actual owners of IPs used to send spam. We are setting up an internal research project to find this data.
  • rosscooney
    Hi Chris, I have updated the post with more information on how we get the data, but the map is drawn every hour by analysing the most recent 250,000 data points across our UK and US scan clusters. This data is analysed and stored in a database in Newcastle-upon-Tyne, and IPs are pinpointed on the map by using the GeoIP database. We save significant amounts of time by using memcached to cache IP lookups. Finally, we use the Google Charts API to draw the map.

    We generate around 250,000 data points every two hours, so the map is useful as it can show the movement of traffic across the world depending on time. For example, we see more spam from Brazil during the UK morning hours and a significant spike from India, China and Korea in the UK evenings. We have not been able to find a reason for this yet, but we guess that it is related to work patterns of the various spam teams.

    Our next goal is to find a way to show the changes over a 24, 48 and 168 hour period.
  • Fascinating stuff. It's much more distributed than I'd have thought it would be given the spam I get. Which address are you using to get the geolocation information? Could there be an open proxy in Brazil that's getting absolutely hammered by someone somewhere else in the world?