Spam levels fluctuate as crooks try to revive botnets
Some researchers say spam still down, others see it bouncing back
Computerworld - Two weeks after a hosting firm's shutdown sent global spam volumes plummeting, some researchers continue to claim that junk mail rates remain dramatically down, while others say spam has already bounced back.
The shutdown of California-based McColo Corp., a company that hosted a staggering variety of cybercriminal activity, on Nov. 11 cut spam by as much as 75% in the first few days after its upstream Internet providers pulled the plug. The shutdown slashed spam volumes because some of the planet's biggest spam-sending botnets were controlled from servers hosted by McColo, according to security researchers who had long urged the company's disconnection from the Web.
While spam initially slid off a digital cliff, two weeks later it's unclear whether spammers have resumed their usual practices.
A researcher at IronPort Systems Inc., a messaging security company owned by Cisco Systems Inc., today said that spam is still down, if not out. According to IronPort, Tuesday's spam volume was approximately 72.7 billion messages, less than half of the 153 billion on Nov. 11, but up from the 64.1 billion of Nov. 13, two days after McColo went off the air.
"We're seeing small spikes in spam volumes relative to the post-McColo shutdown volumes," said Nick Edwards, a senior product manager at IronPort, in an e-mail Tuesday explaining the uptick. "We believe the spammers are trying other botnets -- those whose command-and-control infrastructure and front-end applications were not hosted by McColo."
They're not having much luck, Edwards added. "Spam volumes are still down significantly," he said. "While there was a temporary increase in spam volume [last] Friday and Saturday, spam volumes have not approached levels prior to the McColo shutdown. The spammers are having a difficult time finding a botnet for lease that they can use effectively."
Researchers at rival MessageLabs Ltd. -- now part of Symantec Corp. -- see the situation differently.
According to Matt Sergeant, a senior antispam technologist at the company, spam levels have bounced back to about two-thirds of what they were before McColo was yanked off the Internet. In fact, spam jumped to that volume only today.
Sergeant wasn't surprised by the lag time between McColo's shutdown and a return of spam. "The Asprox and Rustock botnets are back with a vengeance after having found new command and control [servers]," Sergeant said in an e-mail. "Cutwail never went away and it seems its owners have used the opportunity to increase output. Mega-D is also on the rise again."
Sergeant and Edwards, however, agreed on one thing: The Srizbi botnet looks gone for good.
"Srizbi, having once been responsible for 50% of all spam, is now completely defunct," said Sergeant, who added that without that botnet, "spam levels won't return to what they had been."
Edwards confirmed that Srizbi was still offline. "And we have confirmation that McColo traffic has not been re-hosted somewhere else," he added. "The backers of both are still scrambling." McColo was still unavailable as of midafternoon Tuesday.
Srizbi, which also goes by "Mailer Reactor," was among the world's biggest botnets. In April, noted botnet researcher Joe Stewart of SecureWorks Inc. estimated Srizbi as composed of 315,000 infected PCs. The McColo takedown, Stewart said last week, had cut off more than half a million compromised computers -- a.k.a. "bots" -- from their criminal controllers.