Spam E-Mail On Holiday: Rustock Botnet Spam Hits Sudden Low

Spam e-mail volumes dropped to a new low over the holiday season, sinking to their lowest levels since the November 2008 shuttering of rogue ISP McColo, Symantec security researchers found.

According to Symantec MessageLabs Intelligence at Symantec Hosted Solutions, the overall amount of spam dropped from roughly 110 billion spam e-mails per day in late October to about 70 billion per day in late December to just more than 30 billion as of Jan. 1, 2011.

"Over the 2010 Christmas holiday, the level of spam in circulation has dropped drastically," Symantec MessageLabs Intelligence wrote in a blog post discussing the drop in spam e-mail over the holiday season. "For example, at the time of writing, the amount of spam hitting our spam honeypots is the lowest it has been since McColo, the rogue ISP, was shut down in November 2008."

But don't pop the bubbly just yet, cautioned Paul Wood, a senior analyst for Symantec MessageLabs Intelligence at Symantec Hosted Solutions. Spam typically takes some time off for holiday cheer.

"We typically have seen a certain decline at the end of the year, at this time of year," Wood said. "And then it usually picks up."

Still, the decline in the amount of spam e-mail this holiday season was staggering, Wood said.

The sharp drop in spam e-mail amounts can be directly attributed to a massive reduction in the amount of spam activity from the Rustock botnet, which is responsible for nearly half of global spam and at its peak sent about 44 billion spam e-mails per day. During the holidays, Rustock botnet spam activity fell to about 0.5 percent of its normal output, meaning it was sending just 500 million spam e-mail messages daily, Wood said. Rustock is responsible mostly for pharmaceutical spam, which tries to lure people to malicious Web sites with the promise of cheap medications.

Adding to the decline is the apparent inactivity from other major botnets such as Lethic and Xarvester.

Wood explained that many spammers use botnets to generate monstrous amounts of spam; by the end of last year roughly 88 percent of all spam was sent by botnets.

What is strange, though, is that there is currently no apparent reason why these major botnets, especially Rustock, would stop spamming.

"At the moment, it does seem fairly unexplained," Wood said, adding that to his knowledge there have been no arrests, no takedowns and no technological disruptions that can be attributed to the dramatic drop in spam e-mail activity.

Wood said the folks controlling the Rustock botnet and the others may have taken a break from their spamming activity and have used the botnets for other campaigns, such as click-through fraud, concocting a Distributed Denial of Service (DDoS) attack or some other attack designed for monetary gain.

"At present we don't know why these botnets have stopped spamming; perhaps the botnet herders have decided they need a holiday too?" Symantec MessageLabs Intelligence wrote. "Whilst this is an excellent gift over the holiday season for anyone who regularly uses e-mail, we would not expect the level of spam to stay this low for long. As we saw after the closure of McColo in 2008, and following further takedown attempts in subsequent years, botnets rarely stay quiet for very long. Even if these three botnets don't come back soon, we would expect other botnets, even new ones, to pick up where they have left off -- very soon."

The holiday spam e-mail slowdown is the second dramatic decrease in spam e-mail volumes over the past few months. In its "State of Spam and Phishing Report" released in November, Symantec reported that spam e-mail volumes had dropped drastically from summer to autumn in 2010. That decline was attributed mostly to the takedowns of the Zeus cybercrime ring and the Bredolab botnet. At the time, Symantec said global spam volume had decreased by 22.5 percent from September to October and 47 percent from August to October.