Spam levels fluctuate as crooks try to revive botnets

While spam initially slid off a digital cliff, two weeks later it's unclear whether spammers have resumed their usual practices.

Two weeks after a hosting firm's shutdown sent global spam volumes plummeting, some researchers continue to claim that junk mail rates remain dramatically down, while others say spam has already bounced back.

The shutdown of California-based McColo, a company that hosted a staggering variety of cybercriminal activity, on Nov. 11 cut spam by as much as 75 percent in the first few days after its upstream Internet providers pulled the plug. The shutdown slashed spam volumes because some of the planet's biggest spam-sending botnets were controlled from servers hosted by McColo, according to security researchers who had long urged the company's disconnection from the Web.

While spam initially slid off a digital cliff, two weeks later it's unclear whether spammers have resumed their usual practices.

A researcher with IronPort Systems, a messaging security company owned by Cisco Systems, today said that spam is still down, if not out. According to IronPort, Tuesday's spam volume was approximately 72.7 billion messages, less than half of the 153 billion on Nov. 11, but up from the 64.1 billion of Nov. 13, two days after McColo went off the air.

"We're seeing small spikes in spam volumes relative to the post-McColo shutdown volumes," said Nick Edwards, a senior product manager at IronPort, in an e-mail Tuesday explaining the uptick. "We believe the spammers are trying other botnets -- those whose command-and-control infrastructure and front-end applications were not hosted by McColo."

They're not having much luck, Edwards added. "Spam volumes are still down significantly," he said. "While there was a temporary increase in spam volume [last] Friday and Saturday, spam volumes have not approached levels prior to the McColo shut down. The spammers are having a difficult time finding a botnet for lease that they can use effectively."

Researchers at rival MessageLabs Group -- now part of Symantec -- see the situation differently.

According to Matt Sergeant, a senior anti-spam technologist at the company, spam levels have bounced back to about two-thirds of what they were before McColo was yanked off the Internet. In fact, spam jumped to that volume only today.

Sergeant wasn't surprised by the lag time between McColo's shutdown and a return of spam. "The Asprox and Rustock botnets are back with a vengeance after having found new command and control [servers]," Sergeant said in an e-mail. "Cutwail never went away and it seems its owners have used the opportunity to increase output. Mega-D is also on the rise again."

Sergeant and Edwards, however, agreed on one thing: The Srizbi botnet looks gone for good.

"Srizbi, having once been responsible for 50% of all spam, is now completely defunct," said Sergeant, who added that sans that botnet, "spam levels won't return to what they had been."

Edwards confirmed that Srizbi was still offline. "And we have confirmation that McColo traffic has not been re-hosted somewhere else," he added. "The backers of both are still scrambling." McColo was still unavailable as of mid-afternoon Tuesday.

Srizbi, which also goes by "Mailer Reactor," was among the world's biggest botnets. In April, noted botnet researcher Joe Stewart of SecureWorks estimated Srizbi as composed of 315,000 infected PCs. The McColo takedown, Stewart said last week, had cut off more than half a million compromised computers -- aka "bots" -- from their criminal controllers.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags spammccolo

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Brand Post

Imou: At home with security

Modern living is all about functionality and security for everybody from the very young to the very old. With Imou anybody can enjoy smart life – the solution is at their fingertips.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?