Spam Volume Jumps 35 Percent In November

"There's been a huge increase in spam volume," says David Mayer, a product manager at IronPort Systems, "from 31 billion spams a day on average in October 2005 to 63 billion in October 2006. But in November, we saw two surges that averaged 85 billion messages a day, one from Nov. 13 to 22, the other from Nov. 26 to 28.

"The October-to-November increase is higher than any other month we've measured," Mayer says.

Like other anti-spam vendors, IronPort puts the blame on a surge in botnet use, the increased use of image-based spam, and a rapid rise in the number of URLs registered by spammers. That combination, along with profit-driven innovation, has dramatically changed the spam landscape in 2006, said IronPort, which released its annual trend report earlier this week.

But other trends are at work, says Mayer, including spammers picking up hacker techniques and applying them to the junk mail business.

Spammers are using malware development tactics such as trying out new strains of spam in limited quantities to gauge how effective they are against filters, then sending out huge quantities only when they're sure a good number will slip through defenses.

"They're doing test runs to see what the returns are," says Mayer, "and to see how many messages bounce back from invalid addresses. Only then will they send out the [spam] blast."

Scammers have been able to turn up the spam volume because of the seemingly limitless number of systems vulnerable to hijack, using an individual bot for only hours to send out large quantities of spam, then discarding that PC to move on to another. The volume, along with the constant tweaking they give to their messages, means that at times traditional rule- or blacklist-based anti-spam defenses can be overwhelmed.

In mid-November, for instance, IronPort monitored a new, large-scale spam attack that dropped filter efficacy by more than 10 percentage points, letting millions of messages through to in-boxes.

"It's a reaction gap," says Mayer. "It takes time for vendors to respond and come up with appropriate rules, but with their distributed [botnet] networks, spammers can send a huge attack in a matter of hours. It takes time for anti-spam solutions to catch up with the attack."

IronPort's appliances, Mayer added, can close that gap: the company can update rules as often as 12 times an hour, and if necessary -- because of a completely unknown form of spam, for example -- update the core scanning engine remotely as well. "Anti-spam needs to be very responsive," he says.

Even though December spam volumes have stayed at November's numbers, Mayer expects that 2007 will be a tough one for anti-spam vendors and end users alike. "There's a realistic probability that volumes will increase," Mayer says. "It's a game of economics; there's a lot of money to be made and [thus] a lot of innovation on their part.

"It's going to be a long battle."

IronPort's "2007 Internet Security Trends Report" can be downloaded as a PDF file from the company's Web site.