Spam volumes have declined up to 45% from June to December 2010
I publish a weekly report on my personal analysis of spam volume and categories, on this blog. Over the last quarter of 2010 there has been a very significant drop in the volume of mail classified as spam. In fact, since spam peaked at 70% of my incoming mail for the week of June 14 through 20, 2010, it declined 45 percent over the last week of December, 2010, through January 2, 2011.
Prologue
Other security companies and writers have also been curious about why this huge decline has occurred. Now, we may have found some believable answers to that question. There is a threefold answer that I believe will explain this phenomenon: Botnet command and control server shutdowns, arrests of Bot Masters and the closure of a spam affiliate program.
First of all, virtually all spam is sent through compromised (Windows) computers that have been infected with Bot programs that cause them to become spam relays. The actual spammers buy the use of Botnets, which are owned and maintained by seasoned cyber criminals, many of whom reside in the former USSR. These (Russian, Ukrainian, Latvian, etc.) "Bot Herders" have until recently enjoyed total immunity from prosecution by means of payoffs and by flying under the "radar" of local authorities. That began to change in the Fall of 2010.
Since October, 2010, there have been a number of high profile arrests made of the individuals behind the major Botnets and the purveyors of the files that are used to infect PCs. Some of the World's most prolific spammers and Bot Masters are either in jail, or under indictment in the USA, Spain, The Ukraine, Russia and Great Britain.
Additionally, after much input from security companies and International Police agencies, Visa, MasterCard and PayPal have ceased processing payments for sales of illegal pharmaceuticals and commissions to affiliates of several spam networks, like "Spamit," forcing them to go out of business. Spamit, a Russian crime operation, was the promoter of the now defunct (and fake) "Canadian Pharmacy" websites. Spamit paid large commissions to thousands of minor and major affiliates who rented the use of Botnets to send spam runs for the Canadian Pharmacy, and others with similar names. Spamit shut down operations in October, 2010. Spam for the "Canadian" Pharmacies still continued to account for a large percentage of all spam that month. This was due to the fact that individual spammers had already paid to use Botnets to send spam for those pharmacy sites and the spam templates were already dispensed to the zombie computers in those Botnets.
As the affiliates began to realize that they would not be paid any commissions for sales to gullible people, the volume of Canadian Pharmacy spam dropped, until it ceased to exist, around December, 2010.
The next important factor in the decline of spam in the last quarter of 2010 was the shift in purpose of the Rustock Botnet, the largest surviving Botnet at this time. Until the closure of Spamit and the resulting decline of paying spammers who leased its use, Rustock was responsible for up to 1/2 of all the spam messages sent during 2010. Since the demise of Spamit, Rustock has all but stopped being used for spamming and has now shifted its focus into the field of advertising click fraud. While this was going on for most of 2010, it appears to be the current sole purpose of the remaining active Rustock Bots.
Another factor in the decline of spam was that in October, 2010, authorities in the Netherlands took down several servers associated with the Bredolab botnet. This Botnet was used not only to send huge amounts of spam, but was also the main means of dispensing and controlling the Zeus key-logging Trojan. Much of the spam sent by Bredolab zombies contained attachments, which were in actuality copies of the Zeus installer. Amazingly, it appears that there was one individual running the main Zeus campaign; a Ukrainian man who had a flair for fast sports cars, US casinos and car shows. He was in transit from the Ukraine to Las Vegas, to attend a car show in November, 2010, not knowing that a warrant had been issued for his arrest. He was taken into custody upon his arrival in the USA and now sits in prison, awaiting trial for the damages caused by his Zeus bank account stealing operation.
Additionally, there was a forced closure of the command and control servers and disinfection of the member zombies in the Pushdo / Cutwail botnet, responsible for 10% of the World's spam, in the 3rd quarter of 2010.
Summary
The combination of actions taken by authorities across several continents to shut down command and control servers used by major Botnets, coupled with disinfection of many of the zombies operating as spam relays and the arrest of several owner/operators of some of the spam Botnets, has resulted in a marked decline in the overall volume of spam during the last quarter of 2010. Spam volumes are still down during the first half of the first week of 2011. Hopefully, that will remain the case for a long time to come.
Epilogue
Although the volume of spam has declined, it is not dead. I have been writing and will continue to update spam detection filters for the anti-spam program, MailWasher Pro. This program has been in circulation for a decade now and is currently at version 2011. If you are still plagued by spam and are looking for a reasonably priced solution to detecting and deleting it before it is downloaded to your desktop email clients, please try using MailWasher Pro. It is free to try for 30 days. My description page explains many of its features and how to use them. My personally developed and published spam filters are kept up to date to meet current spam tricks and threats.
The latest threat to be added to my spam filters is the now-circulating fake e-card spam that leads to browser exploit attacks that install a new version of the Storm or Waledac Bot. So, stay aware of the threats posed by spam email and protect your computers with the best anti-spam solutions you can afford.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.