IT Losing the War Against Spam

Spam now accounts for close to 90 percent of all e-mail traffic.

The latest on the spam front is a familiar story: despite some recent botnet shutdown successes, spam volumes continue to rise, and the ratio of legitimate to junk e-mail traffic continues to narrow.

During the month of February, for example, spam levels increased by 5 percent. According to messaging security specialist MessageLabs, a subsidiary of Symantec Corp., spam now accounts for close to 90 percent of all e-mail traffic. In some locales, that percentage is even higher.

Nearly all indicators were up: the prevalence of e-mail-borne viruses, for example, crept up by 0.02 percent in February (on a month-over-month basis), while the prevalence of phishing attacks crept up slightly more (0.04 percent, month over month). The number and variety of malicious Web sites -- as identified by MessageLabs' blacklisting service -- surged in February, increasing by a staggering 184 percent. Meanwhile, nearly one-sixth (13.3 percent) of last month's malware attacks were the result of new malware competitors; this, too, showed an increase (of 1.2 percent) over January's tally.

Two things didn't increase, however: the size of the average spam message and the total number of new malicious domains. Spam has been shrinking in size for some time, but this is actually a double-edged sword, according to MessageLabs. "With a reduction in the average file size of a spam e-mail, botnets are able to send a greater volume of spam per minute," the report says.

A Botnet by Any Other Name

The chief culprits behind the surge in spam volumes are botnets.

Two such networks -- Grum and Rustock -- helped power spikes in spam activity during the month of February. Grum was the most notorious, according to MessageLabs: on a few occasions last month, it operated at about 150 percent of its 2009 capacity. Depending on how and when you measure it, Grum could have accounted for as much as one quarter of February's spam tally.

Grum's overproduction is a relatively new phenomenon. For the whole of 2009, it produced spam at a constant rate; over the last three weeks of February, it out-produced all other botnets, according to MessageLabs.

"[We saw] relatively little change in spam volume emanating from the Grum botnet over the last 12 months," write researchers in MessageLabs' February 2010 "State of Spam" report. Starting February 5, however, Grum's output increased by 51 percent. "Typically, spam from Grum accounts for approximately 17 percent of all spam, but during the recent spam surges, spam from Grum was responsible for 26 percent of all spam," the MessageLabs report notes.

What's to account for Grum's surge? One possibility is that spammers hit pay dirt last month and went back to the well. MessageLabs points to both a general increase in pharmaceutical spam -- which now accounts for two-thirds of all spam -- and to a spike in Canadian pharma spam, which it says was the product of the Grum botnet.

If the market for spam is in any sense customer-driven, pharma spam might actually be a hit. "[W]e don't know for sure, the spammers may have been trying to clear this particular spam run more quickly, or had perhaps discovered that this spam run was working very well, and so issued instructions to send more. It's also possible that resources elsewhere in the Grum botnet had been freed from other activities and so Grum was able to allocate more of its resources to spamming," the report indicates.

The sobering upshot, MessageLabs concludes, is that spam levels will likely increase in March.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
