Spam Bounces Back After Takedown

Just a few months after the shutdown of a Web hosting company responsible for an estimated 75 percent of the Internet’s mind-boggling daily spam tally, the numbers are right back up where they were, according to a report from Postini, which provides e-mail security to 15 million users of Google’s enterprise services.

And it’s growing faster than ever. Spammers seem to be diversifying their distribution strategies to dodge attempts to thwart them.

McColo Corp., a San Jose, Calif.-based Web hosting company, was notorious among security experts for the numerous and hyperactive spammers on its client list. At the height of its activity, Google Enterprise was intercepting up to 100 spam messages a day for each Google business e-mail user, and 60 to 70 on an average day. After McColo’s Internet service providers pulled the plug in November, responding to pressure from Washington Post computer security blogger Brian Krebs those numbers plunged to around 25 a day, but they’ve been creeping up ever since and are now into the 60s. Overall spam growth is the highest it’s ever been, increasing 1.2 percent a day in the first quarter of 2009 (compared with 1 percent a day in the first quarter of 2008, which was a record at the time).

“It’s difficult to ascertain exactly how spammers have rebuilt in the wake of McColo, but data suggests they’re adopting new strategies to avoid a McColo-type takedown from occurring again,” commented Amanda Kleha, of the Google security and archiving team, in the report. “Specifically, the recent upward trajectory of spam could indicate that spammers are building botnets that are more robust but send less volume — or at least that they haven’t enabled their botnets to run at full capacity because they’re wary of exposing a new ISP as a target.”

Greater volume isn’t the only worrisome development. The report also noted a spike in spam messages carrying viruses, with a ninefold jump between February and March. Things were even worse in this arena last summer, Kleha notes, but the trend is worth watching. The “blended threat” — an e-mail that sends users to a Web site that infects their computers — has been particularly popular, especially through e-cards. Valentine’s Day saw a flurry of this type of activity.

Kleha says the most significant new variety of infectious spam is location-based: a message with breaking news of some horrific event in the big city nearest to the recipient’s home area (based on IP address). The link leads to a page with a fraudulent news story and an embedded video that downloads a virus.

Virus-laden spam used to spike every Sunday, possibly to take advantage of corporate system downtime, but the most recent Google stats show that they’re spread throughout the week with no obvious pattern. “One possible explanation is that spammers switched tactics because they weren’t seeing the success they’d hoped for from the focused attacks,” Kleha notes.

Related reading