At Trustwave SpiderLabs we keep a close eye on spam trends. We keep and publish a bunch of statistics relating to spam, and last week people were asking me where these were as the old M86 website is phased out. We now have a new location here, which is also linked off the left hand navigation of this blog under 'Research Stats'.
The stats are currently highlighting a few interesting things. Firstly, the volume of spam continues to decline, which is great news. In fact the last two weeks has seen a large drop in the spam hitting our traps, and as a result our Spam Volume Index has dropped to an all-time low. The index measures changes in the volume of spam sent to a representative bundle of domains that we monitor. We began the index in 2007 and set it equal to 1000. It now stands at just 308.
There are various reasons for the longer term decline. Spam affiliate programs closing (Spamit.com), botnets disabled (Rustock), botnet operators apprehended (Mega-D), infighting between spamming rivals and other botnets going strangely quiet (Festi). The easy life of spamming is perhaps not so attractive anymore. Oh dear, how sad, never mind.
However the reason for last week's big decline is output from Lethic, one of the largest and long-running spamming botnets, has slowed to a dribble. We don't know why as yet, we haven't heard of any takedown or disruption events. The graph below shows Lethic losing its top spot to Grum (it's a proportional graph, so if one botnet drops out like Lethic, other botnets rise). Lethic runs multiple control servers, and one of the Lethic samples in our lab is still finding its control server and spamming. So its not completely dead.
We have seen these sorts of 'intermissions' from Lethic before, perhaps the botnet operators are reorganizing themselves, building new infrastructure, or hell, they may even be on summer vacation partying with their spam affiliate friends on a yacht in the Greek Islands. Complete speculation of course, only time will tell.
Another thing this week's spam stats show is that there is still a lot of spammed malware about, about 11% of the spam we saw last week came with a nasty little attachment. It's the usual range of stuff fake UPS notifications, speeding violations, and fake photos. The vast bulk of it originates from the Cutwail variants, and the attached malware are downloaders that download other malware, such as Cridex, a banking trojan.
So, all in all, it's mostly good news on the spam front, although it wouldn't surprise me to see Lethic pop back up again. And a little more pressure on some of the remaining big players like Cutwail and Grum certainly wouldn't go amiss if we are ever going to enjoy a largely junk-free inbox again.
