 The anti-spam team over in the Proofpoint Attack Response Center shared some statistics with me about spam trends in Q2 (April through June) of 2010 that I thought I would relate here.
First, the spam team provided a breakdown of the top 10 spam-sending countries for Q2 and you can see a graphical view of that at right.
This data, compiled from spam messages that hit Proofpoint's spam "honeypots" (email addresses and email servers that attract and collect spam email messages), shows that the US was the top spam-sending nation during the second quarter. Brazil and India took the #2 and #3 positions—unsurprisingly, as the recently released Proofpoint/Commtouch Q2 Internet Threats Trend Report showed those two nations as the top hotspots for botnet infestation.
Another interesting trend observed during Q2 is that, in general, malicious email messages continued to become more difficult to detect—that is, spammers continued to innovate and use more complex obfuscation techniques. The percentage of messages containing an obvious spam URL destination, for example, fell by more than half. Similarly, image-based spam messages declined by more than a third and messages with virus-infected attachments fell by more than a quarter.
Since overall spam levels didn't decline during the quarter, what's taking the place of those easier-to-detect spam messages?
Proofpoint anti-spam engineer Scott Panzer tells me that "spoof" messages (the type commonly used in phishing attacks) have been generally on the rise and that Proofpoint's anti-spam technology catches these using more predictive approaches. (For a great deal of information on the unique, machine learning techniques that Proofpoint uses to stop spam, see our whitepaper about Proofpoint MLX.)
Proofpoint customers weren't affected by the increasing complexity of spam messages during the quarter, however, as Proofpoint's anti-spam effectiveness actually increased from an average of 99.93% during Q1 to 99.94% during Q2. As noted in Gartner's latest Magic Quadrant for Secure Email Gateways, Proofpoint is one of the few email security vendors that publicly publishes its ongoing anti-spam effectiveness. You can view Proofpoint's spam detection accuracy for the last 190 days by visiting:
http://www.proofpoint.com/products/livespamstats.php
A couple of video interviews featuring Proofpoint execs hit the web recently:
Proofpoint CEO Gary Steele talks with SC Magazine reporter Angela Moscaritolo about recent merger and acquisition activity in the IT security space. Gary talks about the need for security vendors to make their solutions available as SaaS – and the difficulty of building such functionality “from scratch” – as one of the key drivers. You can watch the full video here:
SC Magazine: Mergers and acquisitions: Interview with Gary Steele, CEO of Proofpoint
Proofpoint's director of channel marketing, Dave Crilley, discusses the value propositions for IT security solutions "in the cloud" and addresses some of the issues that the reseller channel faces in selling SaaS solutions in this interview with ChannelWeb's senior security editor, Stefanie Hoffman. You can watch the full video here:
CRN ChannelWeb: Proofpoint Clears The Air On Security-As-A-Service
[Update July 23, 2010: The Ministry of Defense responds to these disclosures of mobile device losses in eWeek Europe's coverage of the story. Interesting reading. Find the entire story, including the MoD's response here: MoD Loses 340 Laptops in Two Years. Among other comments, an MoD spokesperson told eWeek:
“Yes the figures are high, but it should be remembered that the figures come from a two year period between June 2008 and May 2010. A lot of encryption technologies was brought in later in this period, and procedures such as how laptops are booked in and out, have they been encrypted, have been tightened up.”]
Proofpoint's public relations and research partner in the UK, LEWIS PR, issued an announcement today reporting findings from a UK Freedom of Information request about the frequency of equipment and data losses from lost or stolen equipment.
One of the most shocking findings? Britain's Ministry of Defense lost - or had stolen - 340 laptops in the past two years and less than half of those devices used encryption to protect the data they stored. The cost of the equipment is estimated at more than half a million UK pounds.
And it's not just laptops that went missing: Hundreds of CDs, DVDs, memory sticks, hard drives and mobile phones also were lost.
The full release has info on many more UK government agencies that were hit by extensive mobile device losses or thefts. As I've mentioned here repeatedly, these types of losses are quite frequent. For example, Proofpoint's 2009 annual research on data loss risks showed that more than 20% of large US enterprises investigated the exposure of confidential, sensitive or private information via a lost or stolen mobile device or storage media in the previous 12 months. And while I'm still analyzing the data, the 2010 statistics show an increase over previous years.
This news has been widely reported in the UK IT press today, including SC Magazine, where I'm quoted as saying of these losses:
"While the value of the lost and stolen equipment is staggering, the potential losses of private information about and belonging to UK citizens, classified government information and other non-public information could easily be several times greater. That only 20 per cent of the devices lost from the MoD were protected by encryption is shocking. Organisations of all types need to be aware that, after leaks via email, lost and stolen mobile devices are one of the top sources of data breaches.”
The latest email and Internet threat trends report from Proofpoint and our partner Commtouch is now available. As always, this is an interesting read with a lot of great information on the latest attack techniques, social media spoofs, phishing trends, outbound spam and botnet/zombie infections and much more.
You can download a PDF copy by visiting our registration page here:
Proofpoint/Commtouch Q2 Internet Threats Trend Report
Some of the highlights from this quarter's Internet threats trend report include:
Spam levels averaged 82% of all email traffic throughout the quarter—equating to an average of around 179 billion spam messages per day.
Pharmacy spam remained the most common spam theme, accounting for 64% of all spam.
An average of 307,000 zombies (compromised machines that are part of a botnet) were activated daily to inflict malicious activity, representing a slight increase over the prior quarter.
India has surpassed Brazil for the title of the country with the most zombies (13 percent of the world's total).
Virus TDSS.17 was the most widely distributed email-borne virus, but the Mal/Bredo malware had the most variants - over 1800 (more than double the variants of Q1).
Pornography remains the Web site category most infected with malware.
For details and a lot more (including a little bit of humor, like the "Top 10 Most Ridiculous Spam Subjects"), read the full report.
[Updated July 6, 2010: Complete multi-part interview is now online.]
Proofpoint CEO Gary Steele recently spoke at length with entrepreneurship blogger and Forbes writer Sramana Mitra about his background, Proofpoint's business and trends around email security, SaaS and other topics related to the enterprise markets that Proofpoint serves.
The first part of Mitra's multi-part interview is now posted at sramanamitra.com. In segment one of "Rolling Up Email Security SaaS," Gary talks about his early background, education and how he made the leap from the engineering world to high-tech marketing to CEO and how he came to join Proofpoint in its pre-funding days.
Read the interview here: "Rolling Up Email Security SaaS, Part 1," Gary Steele in conversation with Sramana Mitra. Even though I know Gary pretty well, I learned a few things about him by reading this and look forward to the rest of the series.
Update 7/6/2010: The rest of this series is now online at Sramana Mitra's site. I've put direct links to all six parts below, along with short notes about the topics covered:
Part 1: Gary Steele's background and early career: http://www.sramanamitra.com/2010/06/30/rolling-up-email-security-saas-gary-steele-ceo-of-proofpoint-part-1/
Part 2: How Gary came to Proofpoint and the company’s early development: http://www.sramanamitra.com/2010/07/01/rolling-up-email-security-saas-gary-steele-ceo-of-proofpoint-part-2/
Part 3: Proofpoint’s first customer successes and the early days of the cloud: http://www.sramanamitra.com/2010/07/02/rolling-up-email-security-saas-gary-steele-ceo-of-proofpoint-part-3/
Part 4: On competition and customer satisfaction: http://www.sramanamitra.com/2010/07/03/rolling-up-email-security-saas-gary-steele-ceo-of-proofpoint-part-4/
Part 5: Ramping Proofpoint’s business and email security, DLP and email archiving product development, acquisitions: http://www.sramanamitra.com/2010/07/04/rolling-up-email-security-saas-gary-steele-ceo-of-proofpoint-part-5/
Part 6: On future prospects for Proofpoint: http://www.sramanamitra.com/2010/07/05/rolling-up-email-security-saas-gary-steele-ceo-of-proofpoint-part-6/
Is privacy the new black? Certainly seems that way with a constant stream of news about privacy snafus, data loss/exposure incidents and increasing scrutiny of data privacy policies at all levels.
A couple of the latest sightings: Yesterday, the FTC issued a decision based on its investigation of Twitter's security practices (text of the FTC's decision on Twitter here), which came under scrutiny after several high-profile compromises of that social media service.
E-commerce Times has a good summary of the situation today, including some commentary from yours truly about what this ruling means for all types of online services, especially those with a messaging component. I also suggest that some of the FTC's prescription for Twitter is generally good advice when it comes to password security. Rather than repeat all of that stuff here, I refer you to Katherine Noyes's excellent article over at ecommercetimes.com for the whole story:
E-Commerce Times: FTC Puts Social Nets on Notice with Twitter Smackdown
On a related tip, I see that the always excellent Healthcare Info Security has posted a new podcast with IT luminary Guy Kawasaki talking about social media strategies, including security concerns. Taking a bit of a contrarian view, Guy says that security and privacy concerns about social media are "massively overblown."
Healthcare Info Security podcast: Guy Kawasaki on the Power of Social Media
I get where Guy's coming from - he's really commenting on some individuals' over-sensitivity to targeted marketing campaigns and the difference between regulated info like personal healthcare and financial information and info that might be considered "private" but doesn't so much represent something risky or exploitable.
But at the same time, enterprises (especially in regulated industries) need to be mindful of the fact that - just as with email - it's fairly easy to run afoul of data protection and privacy regulations over social media.
Regular readers know that I've got a whole raft of facts about that (if you've never seen those before, you can find many of those here in the blog, or download my latest report at http://www.proofpoint.com/outbound.)