Editor’s note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which processes more than 3 billion email connections per day in the course of providing email security to more than 50,000 businesses and 18 million business users.
In 2009, the security community started seeing diminishing returns from the takedown of malicious ISPs. After the ISP 3FN was taken down, spam levels rebounded in less than a month, and after Real Host went down, spam volumes recovered after only two days. In response, the anti-spam community turned its attention toward taking botnets offline instead.
Toward the end of 2009, Mega-D, a top-10 botnet – responsible for infecting more than 250,000 computers worldwide – was severely crippled through a carefully orchestrated campaign designed to isolate the command-and-control servers spammers were using to support the botnet. In early 2010, security professionals, along with government agencies, successfully mounted a campaign against several more targets: major botnets such as Waledac, Mariposa, and Zeus were either shut down or had their operations significantly curtailed.
However, this recent spate of botnet takedowns has not had a dramatic impact on spam levels. Although spam and virus levels did fall below Q4’09 highs, reports from Google’s global analytics show that spam levels held relatively steady over the course of Q1’10.
This suggests that there’s no shortage of botnets out there for spammers to use. If one botnet goes offline, spammers simply buy, rent, or deploy another, making it difficult for the anti-spam community to make significant inroads in the fight against spam with individual botnet takedowns.
Spam by the numbers
Overall, spam volume fell 12% from Q4’09 to Q1’10, which follows a trend of quarterly decreases in overall spam levels that started after the surge in Q2’09. This may be attributed to some of the recent takedowns, but spam volume was still 6% higher this quarter than it was during the same period in 2009, and spam volume as a percentage of total email messages is holding steady.
Recently, our data centers showed a 30% increase in the size of individual spam messages (measured in bytes) that occurred toward the end of March, as shown below.
This spike points to a resurgence of image spam, similar to what we reported in Q2’09. This is likely due to the fact that reusing image templates makes it easier and faster for spammers to start new campaigns.
As always, spammers tend to make use of predictable topics – cheap pharmaceuticals, celebrity gossip, breaking news – to encourage user clicks. In January, spammers hastened to exploit the Haiti earthquake crisis, sending pleas for donations that appeared to have been sent by reputable charitable organizations, politicians, and celebrities.
The frequency and variety of post-earthquake spam illustrates an unpleasant reality: spammers will exploit any means – even tragedies – to accomplish their objectives.
Virus levels fall after Q4’09 surge
During 2009, spam with attached viruses increased tenfold, with levels rising from 0.3% of total spam in the first half of the year to 3.7% in the second. Postini filters blocked more than 100 million virus-bearing messages per day during the worst of the attack.
Since then, spam with attached viruses leveled off to around 1.1% in Q1’10, and dropped as low as 0.7% in March. It’s good news that virus levels are currently trending down – but Q1’10 levels are still 12-fold higher than they were in Q1’09.
In fact, this virus surge may be part of the reason that there hasn’t been a significant impact on spam volume after the recent takedown of major botnets. With a host of new machines now infected and part of a botnet, it is unlikely that there would be a dip in spam proliferation.
Benefits of security in the cloud
Although the botnets that distribute spam are mindless drones, the spammers that take advantage of these botnets are a highly active and adaptable group. This is evidenced by the varied techniques and tactics that they employ in an ongoing effort to evade spam filters and deliver messages to their targets.
2010 is likely to see more botnets taken offline, but the question remains – will that have a long-term impact on spam volumes overall? So far in 2010, the effect has been limited, and the security community may begin to turn to other tactics that yield a more substantial impact on global spam volumes.
As long as the threat is there, however, Google is committed to using the power of the cloud to protect your enterprise from spam and viruses. Outsourcing message security to Google enables you to leverage our technical expertise and massive infrastructure to keep spammers from your inbox.
For more details on Google Apps and all of the protection it includes, go here.