Symantec study misses the point over Linux spam

The latest MessageLabs Intelligence Report from Symantec Hosted Services is filled with interesting and useful information regarding the current state of malware and e-mail borne threats as well as the trends over time. Of particular interest to me is the assertion in the report that “any given Linux machine is five times more likely to be sending spam than any given Windows machine.”

I am generally one of the first to point out that the security risks associated with the Windows operating system are often exaggerated, or at least that the relative threat level is a function of market share, and that if Linux or Mac OS X had 90 percent market share those systems would be at least as vulnerable, and at least as targeted by malicious attack as Windows is now. That said, saying that Linux is five times more likely to distribute spam than Windows seemed like skewed math for the sake of sensationalism.

I checked with other malware security experts to gather some additional insight on the issue of Linux as a purveyor of spam. What I found was a consensus regarding the root cause behind the metrics, and ultimately that Linux may, in fact, be an inordinate source of spam messages.

Tyler Reguly, lead research engineer for nCircle, told me “I actually find the report rather odd, and also question their methods for remote fingerprinting. If they were using passive fingerprinting on mail coming into their server, they wouldn’t necessarily have an accurate fingerprint of the host sending the mail. They could instead be fingerprinting a mail server with an open relay, or an ISP “smarthost”. They also acknowledged that much of the Linux attributed spam could be coming from direct marketing emails… these would most likely be mailed out through a proper mail server (which is quite likely to be running Linux).”

A security researcher from FireEye emailed to say “We wouldn’t be surprised if these Linux boxes just have TCP port 25 open and are being abused as open SMTP relays. The malware is doing this to hide the locations of the infected (Windows) machine. Modern malware is designed to maintain long term control over systems since the primary cost of building these malware infrastructures is the time and energy needed to “acquire” infected systems.”

Andrew Brandt, lead threat research analyst at Webroot, also found the report potentially suspect “The Spam Index feature in the report appears to overemphasise a problem which may have little to do with any inherent issue or vulnerability with a particular operating system. The spam index seems odd with no context; we don’t know whether there’s any kind of active infection on a machine running a particular operating system.”