Internet Security Systems - AlertCon(TM)

Spam - Back Up to 50% Capacity

Posted by Carsten Hagemann on December 05, 2008 at 12:48 PM EST.

It’s been almost four weeks since the McColo takedown.  In the weeks immediately following, we saw a substantial decrease in spam as noted in our previous blog post (http://blogs.iss.net/archive/mccolo.html).  Back then, spam was reduced to a mere 25% of its previous volume.

Over the past few days, however, spam volume has been picking up the pace.  It has now reached 50% of the volume before the takedown (doubling since the last blog post), which is also equivalent to the volume we saw at the beginning of the year.

The mix of spam we’re seeing is different, too.  There has been a notable increase in small, HTML-based mail with minimal or no text and an embedded picture URL.  This increase isn’t due to all spammers substantially changing the type of spam they send; it’s due to one botnet, Srizbi, that appears to be recovering faster than the others.  The growth of this particular botnet has been noted by others (http://www.heise-online.co.uk/news/Botnet-rises-again--/112118).

This spammer also appears to be more concerned about the size of their spam messages, because the messages have gone down from 3.5k to 2.5k on average, possibly due to a new constraint of limited bandwidth.
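The message shape described in the two paragraphs above (small, HTML-based, little or no text, an embedded picture URL) can be checked mechanically on a mail gateway. The following is an added example, not code from the original post or from ISS; the function names, the size and text thresholds, and the two sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Thresholds are assumptions for illustration; the post only reports an
# average message size of about 2.5k and "minimal or no text".
MAX_BYTES = 4096
MAX_TEXT_CHARS = 40

class _HtmlProfile(HTMLParser):
    """Collects text nodes and remote <img> URLs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.images = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if src.lower().startswith(("http://", "https://")):
                self.images.append(src)
    def handle_data(self, data):
        self.text.append(data)

def profile(raw: bytes) -> dict:
    """Return the features the post describes for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parser, html_parts = _HtmlProfile(), 0
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html_parts += 1
            parser.feed(part.get_content())
    parser.close()  # flush any buffered trailing text
    text = " ".join("".join(parser.text).split())  # collapse whitespace
    return {"bytes": len(raw), "html_parts": html_parts,
            "text_chars": len(text), "remote_images": len(parser.images)}

def matches_image_only_profile(raw: bytes) -> bool:
    """True for small HTML mail with almost no text and a remote image."""
    p = profile(raw)
    return (p["html_parts"] > 0 and p["bytes"] <= MAX_BYTES
            and p["text_chars"] <= MAX_TEXT_CHARS and p["remote_images"] >= 1)

# Constructed sample messages (not captured spam).
_HDR = (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n"
        b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n")
SAMPLE_IMAGE_ONLY = _HDR + (b'<html><body><a href="http://example.com/">'
                            b'<img src="http://example.com/p.gif"></a></body></html>\r\n')
SAMPLE_NEWSLETTER = _HDR + (b"<html><body><p>Our office will be closed on Friday for "
                            b"maintenance; see the schedule below.</p>"
                            b'<img src="http://example.com/logo.gif"></body></html>\r\n')

if __name__ == "__main__":
    for name, raw in (("image-only", SAMPLE_IMAGE_ONLY), ("newsletter", SAMPLE_NEWSLETTER)):
        print(name, profile(raw), matches_image_only_profile(raw))
```

A match on this profile alone is a weak signal, since legitimate image-only mail exists; it is best used as one feature alongside sender reputation and other scoring.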

In any case, it’s obvious that the spammers are recovering, and it probably won’t be long before they are back in full force.
