The Rustock Takedown and Global Spam Volumes
Posted by Ralf Iffert and Tom Cross on March 21, 2011 at 11:50 PM EDT.
Last week there was widespread media coverage of a successful effort by Microsoft and US Marshals to take down the command and control capabilities of the Rustock botnet. At the time some sources announced a significant drop in spam volumes related to that event. Although X-Force noticed a 35% drop in spam volume on March 16th, spam volumes can fluctuate within a large range on a day to day basis and so this reduction in the volume did not initially appear to be outside of the normal amount of fluctuation that occurs.
Now that several days have passed, this drop seems more significant, as the spam volume has stayed down between 35 and 40% versus its previous average volumes for several consecutive days. It appears that the Rustock takedown likely had a sustained impact on the total volume of spam. It is worth noting, however, that this reduction is only about half as big as the drop that occurred over Christmas, when spammers appeared to have gone on holiday.
It is interesting to look at the constellation of different countries that are sending spam and see how their respective rankings have changed between early and late March.
Most notably, in early March computers in the United States were the second most common source of Spam on the Internet. Now the USA ranks 15th. The volume of spam coming out of the USA has dropped by 74%. We have also seen significant reductions in other countries as well. The following chart shows the reduction per country.
The most affected countries were the US, Israel, and UK, declining by 74, 66, and 54 percent. Least affected countries were Vietnam and South Korea, declining by only about 2 percent in each case.
It will be interesting to see:
• if and how fast the spam volume recovers
• if and how fast the spam originated from computers in the US recovers
To learn more about how spam and phishing attacks might be changing, stay tuned for the 2010 end-of-year X-Force Trend & Risk Report coming out soon. This report will include some interesting data demonstrating a sharp drop in Waledac command and control activity following a Microsoft initiated shutdown of that botnet early last year.