Spam Takes a Holiday

Talk about post-Christmas letdowns: spam volumes tanked after December 25th. What happened -- and can it last?

One thing that security watchers didn't expect was a big drop in spam over the holiday season. That's just what took place, however, as a big botnet suddenly -- and inexplicably -- went quiet.

According to messaging security specialist MessageLabs Inc. (a subsidiary of Symantec Corp.), spam volumes crashed after Christmas.

"At the time of writing, the amount of spam hitting our spam honeypots is the lowest it has been since McColo, the rogue ISP, was shut down in November 2008," wrote spokesperson Paul Wood on his Symantec blog.

The shuttering of McColo helped depress spam volumes for several months.

In this case, Wood explains, the quiescence of the Rustock botnet -- which experts say once generated almost half (40 percent or more) of all spam -- accounts for a good chunk of the decline in spam volumes.

Therein lies the mystery.

McColo, after all, was forcibly shuttered. The rub, Wood explains, is that no one knows just why Rustock has gone dark.

"The main cause of this drop is due to a huge reduction in output from the Rustock botnet, by far the most dominant spam botnet of 2010. Since [December 25], Rustock seems to have all but shut down, with the amount of spam coming from it consistently accounting for below 0.5% of all spam worldwide," he pointed out.

"Further contributing to the massive reduction in spam levels is the apparent mollification of two other major botnets, Lethic and Xarvester. MessageLabs Intelligence has seen virtually nothing from Lethic since December 28, and Xarvester December 31."

Even in early December, Rustock was still the undisputed king of spamming: it generated more than 44 billion spam messages a day, according to a December report from Symantec. Rustock was followed by the Grum and Cutwail botnets, both generating about as much spam in January of 2010 as they did last December, according to MessageLabs.

It's a rule of thumb never to look a gift horse in the mouth, but Wood and Symantec seem perplexed by the disappearance of Rustock.

"[W]e don't know why these botnets have stopped spamming," Wood explained, suggesting -- somewhat tongue-in-cheek -- that "perhaps the botnet herders have decided they need a holiday too."

Symantec doesn't expect Rustock to stay dormant for long, however. Its activity actually waxed and waned throughout the month of December -- e.g., weekly spikes were followed by periods of near-inactivity -- and neither Symantec nor other security researchers can point to any tangible cause (such as the shuttering of a pernicious ISP) that might explain Rustock's quiescence. Wood's advice? Enjoy it while it lasts.

"[W]e would not expect the level of spam to stay this low for long. As we saw after the closure of McColo in 2008, and following further takedown attempts in subsequent years, botnets rarely stay quiet for very long," he concluded. "Even if these three botnets don't come back soon, we would expect other botnets, even new ones, to pick up where they have left off -- very soon."

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.