The findings appeared in Symantec’s MessageLabs Intelligence Report for April, published on Friday. The company used a technique called ‘passive fingerprinting’ to identify the operating system of a spam-sending machine, then calculated the ratio of spam from a given operating system compared with its market share.
Linux systems originated 5.14 percent of spam, compared with 92.65 percent for Microsoft Windows systems. But Linux only has 1.03 percent of the operating system market share, as opposed to 91.58 percent for Windows, according to Symantec. (For the market share figures, Symantec used research from Net Applications.)
“By calculating a ratio of spam from a given operating system compared to the market share, we can get a ‘spam index’, which shows — relative to its market share — the likelihood that a particular computer is sending spam, based on its operating system,” Symantec said in the report.
The resulting calculation gave Linux a “spam index” of 4.99, compared with an index of 1.01 for Windows.
“In the current spam climate, this index shows that relative to its market share, any given Linux machine is five times more likely to be sending spam than any given Windows machine,” the company said.
The figures do not necessarily show that Linux is being disproportionately targeted by spammers, or that it is less secure than Windows, but rather seem to be related to the fact that Linux is disproportionately used to run email relay systems, according to Symantec.
In some cases, the problem seems to be that such relays have been set up without following basic anti-spam precautions, according to Mat Nisbet, a malware data analyst with Symantec.
Nisbet said he investigated the originating IP addresses of a random selection of spam from Linux systems. In most cases, he found the spam came from a machine running an open-source mail transfer agent such as Postfix or Sendmail that had been left open to relaying email from third parties.
“This suggests that one reason there is so much spam from Linux could be that many companies that have implemented their own mail servers and are using open-source software to keep down costs have not realised that leaving port 25 open to the internet also leaves them open to abuse,” Nisbet said in a Friday blog post.
Organisations looking to use Linux as a mail server need to make sure they know how to set it up securely, he added.
“Make sure that the systems are correctly set up to restrict access on port 25 to only authorised users (for example, attached to the local network, or through VPN),” he wrote.
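As an added illustration of the relay restriction described above (not code from Symantec or the Postfix project), the following sketch audits Postfix settings in the `name = value` form printed by `postconf -n` and flags the two conditions that most directly leave a server open to third-party relaying. It assumes Postfix 2.10 or later, where `smtpd_relay_restrictions` governs relaying; the sample configurations and the list of "local" ranges are constructed for the example.

```python
import ipaddress

# Constructed samples in the "name = value" form printed by `postconf -n`.
WEAK = """\
mynetworks = 127.0.0.0/8 0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""
HARDENED = """\
mynetworks = 127.0.0.0/8 192.168.10.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

# Ranges treated as "local" for this check (an assumption; adjust per site).
LOCAL = [ipaddress.ip_network(n) for n in
         ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]
# Restrictions that stop relaying to destinations the server is not responsible for.
STOPPERS = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}

def parse(text):
    """Return {parameter: value} from postconf-style lines, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            cfg[name.strip()] = value.strip()
    return cfg

def relay_findings(text):
    """List the settings that would let third parties relay through this host."""
    cfg, findings = parse(text), []
    for token in cfg.get("mynetworks", "").replace(",", " ").split():
        try:
            net = ipaddress.ip_network(token.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue  # lookup tables such as hash:/path are not evaluated here
        if not any(net.version == l.version and net.subnet_of(l) for l in LOCAL):
            findings.append(f"mynetworks trusts non-local network {net}")
    if "smtpd_relay_restrictions" in cfg:
        for token in cfg["smtpd_relay_restrictions"].replace(",", " ").split():
            if token in STOPPERS:
                break
            if token == "permit":
                findings.append("unconditional permit precedes reject_unauth_destination")
                break
        else:
            findings.append("smtpd_relay_restrictions never rejects unauthorised destinations")
    return findings

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, relay_findings(sample) or "no relay findings")
```

The check is a heuristic over two parameters only; it does not evaluate lookup tables, `mynetworks_style`, or restrictions set per service in `master.cf`.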
Another factor that could be skewing the statistics is that some ISPs force all their users’ mail to go through their own hosts, which are often run on Linux systems, Nisbet said.
“This means that a lot of botnet traffic which we would normally identify as something else, instead appears to be coming from Linux,” he wrote.