Symantec Global Internet Security Threat Report
Appendix E—Phishing, Underground Economy Servers, and Spam Trends Methodologies
Phishing and spam attack trends in this report are based on the analysis of data captured through the Symantec Probe Network, a system of more than 2.5 million decoy accounts, MessageLabs Intelligence, and other Symantec technologies in more than 86 countries from around the globe. Five billion email connections, as well as over one billion Web requests, are scanned per day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors and more than 50 million consumers.
The Symantec Probe Network data is used to track the growth in new phishing activity. It should be noted that different monitoring organizations use different methods to track phishing attempts. Some groups may identify and count unique phishing messages based solely on specific content items such as subject headers or URLs. These varied methods can often lead to differences in the number of phishing attempts reported by different organizations.
Symantec Brightmail AntiSpam data is also used to gauge the growth in phishing attempts as well as the percentage of Internet mail determined to be phishing attempts. Data returned includes messages processed, messages filtered, and filter-specific data.
Symantec has classified different filters so that spam statistics and phishing statistics can be determined separately. Symantec Brightmail AntiSpam field data includes data reported back from customer installations providing feedback from antispam filters as well as overall mail volume being processed.
Symantec Brightmail AntiSpam only gathers data at the SMTP layer and not the network layer, where DNS block lists typically operate, because SMTP-layer spam filtering is more accurate than network-layer filtering and is able to block spam missed at the network layer. Network-layer filtering takes place before email reaches the enterprise mail server. As a result, data from the SMTP layer is a more accurate reflection of the impact of spam on the mail server itself.
Due to the numerous variables influencing a company’s spam activity, Symantec focuses on identifying spam activity and growth projections with Symantec Brightmail AntiSpam field data from enterprise customer installations having more than 1,000 total messages per day. This normalization yields a more accurate summary of Internet spam trends by ruling out problematic and laboratory test servers that produce smaller sample sets.
This section will provide more detail on specific methodologies used to produce the data and statistics in this report. While most methodologies are adequately explained in the analysis section of the report, the following investigations warrant additional detail.
Phishing activity by sector
The phishing data in this report are aggregated from a combination of sources including Symantec’s sensors, strategic partners, customers and security solutions. Phishing sites are categorized according to the brand being phished and its sector. After phishing data are received, Symantec spoof detection technology is used to verify that the website is a spoof site.