Internet Security Systems - AlertCon(TM)

Spam bots back from the holiday season

Posted by Ralf Iffert on January 13, 2011 at 6:53 AM EST.

Over the Christmas holiday season, starting December 25th, 2010, there was a steep worldwide decline in spam volume. We were not the only ones to notice this significant drop. Since Monday, January 10th, 2011, however, spam levels have returned to nearly the volume seen before Christmas.

As reported elsewhere, the Rustock botnet was down for the last two and a half weeks. Let's take a more country-specific look at this issue.

The United States lost significant ground during these two and a half weeks, but recovered completely within the last two days, as the following table shows.

The following chart shows the reduction per country.

The most affected countries were the US, Canada, and the UK, each declining by more than 90 percent. Even so, the episode remains an interesting mystery:

•  Why was a successful botnet offline for more than two weeks?
•  How did it revive itself?
•  Why might this have happened during the Christmas holiday season?
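The per-country reduction and recovery figures discussed above can be reproduced from daily volume counts. The following script is an added example, not ISS/X-Force code or data: it runs over constructed daily spam counts by source country, compares a pre-holiday baseline window against the outage and recovery windows, and flags countries whose drop exceeds the 90 percent bar used above.

```python
"""Per-country spam volume drop/recovery analysis over daily counts."""

# Constructed sample (not ISS/X-Force data): daily spam-message counts by
# source country for 20 days. Days 0-6 are the pre-holiday baseline, days
# 7-16 the outage, days 17-19 the recovery. "BR" is a control with no drop.
SAMPLE = {
    "US": [1000, 1040, 960, 1020, 980, 1010, 990,
           80, 70, 60, 75, 65, 70, 80, 60, 70, 70,
           940, 980, 1020],
    "CA": [200, 210, 190, 205, 195, 200, 200,
           15, 12, 10, 14, 10, 13, 12, 10, 12, 12,
           190, 200, 198],
    "UK": [300, 310, 290, 305, 295, 300, 300,
           25, 20, 18, 24, 20, 22, 20, 18, 21, 22,
           290, 300, 295],
    "BR": [400, 420, 380, 410, 390, 400, 400,
           390, 400, 380, 410, 390, 400, 395, 405, 390, 400,
           400, 410, 390],
}
BASELINE = range(0, 7)   # assumed window boundaries for the sample above
OUTAGE = range(7, 17)
RECOVERY = range(17, 20)


def window_mean(counts, days):
    """Mean daily count over the given day indices."""
    vals = [counts[d] for d in days]
    return sum(vals) / len(vals)


def analyze(data, baseline=BASELINE, outage=OUTAGE, recovery=RECOVERY,
            threshold=90.0):
    """Per country: percent drop during the outage relative to the baseline,
    the post-outage level as a percent of baseline, and whether the drop
    crosses `threshold` (the '>90 percent' bar used in the post)."""
    report = {}
    for country, counts in data.items():
        base = window_mean(counts, baseline)
        if base == 0:
            continue  # no baseline traffic, nothing to compare against
        drop = 100.0 * (base - window_mean(counts, outage)) / base
        level = 100.0 * window_mean(counts, recovery) / base
        report[country] = {
            "outage_drop_pct": round(drop, 1),
            "recovery_level_pct": round(level, 1),
            "major_drop": drop > threshold,
        }
    return report


def most_affected(report):
    """Country codes ordered by outage drop, largest first."""
    return sorted(report, key=lambda c: report[c]["outage_drop_pct"],
                  reverse=True)
```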

Besides the idea that "spammers are on holiday", other attempts to explain the drop are:

•  Spammers are waiting until the IP addresses of infected bots are removed from DNSBL blocklists
•  There was a major bug in the last release of the botnet software
•  Spammers just turned off the botnet for fun to see if it made the news

All of this is pure speculation. Other conjectures, related to Christmas rather than to the botnet itself, are:

•  A significant share of spam is sent by company computers, many of which are shut down at the end of the year for Christmas and New Year's
•  Home computers are replaced by new ones (received as Christmas gifts) that start out free of botnet infection

To learn more about how spam and phishing attacks might be changing, stay tuned for the 2010 end-of-year X-Force Trend & Risk Report, coming soon!

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.