Spam remains down
November 18, 2008
After last week's sudden shutdown of the McColo network, which hosted a number of botnet command and control servers, spam remains way down, as you can see reflected in the Spam Volume Index from our spam statistics page:
The Srizbi, Rustock and Mega-D botnets have ground to a halt, again reflected in their downward trends in our Spam by Spambot graph below. Note: the graph contains last week's complete data and incorporates Srizbi, Rustock and Mega-D spam from earlier in the week when McColo was still up. Next week, assuming the current situation stays the same, the lines will plummet further. As these botnets have dropped away, other botnets have proportionally risen in the mix, notably Pushdo, Bobax and Grum.

The impact of Srizbi dropping out is huge. The folks at FireEye recently produced data suggesting the number of Srizbi bots is at least 450,000. In our labs, we have seen individual Srizbi bots send up to 24,000 spam messages per hour. Any way you do the math, you get a big number. Conservatively, we think Srizbi, when it was going, was capable of some 60-80 billion spams per day. As you can see in the above graph, Srizbi was responsible for 30-50% of the spam that we track.
Despite the victory last week, we expect the botnets to bounce back in some form. Earlier in the year we saw Mega-D recover from a 'busted' control server, which put it out of action for 10 days. Srizbi, too, could recover. There are signs that Srizbi's fallback mechanism may be cleverer than we first thought.
Over the longer term, the botnet operators will learn from this incident and probably evolve their control systems. They may adopt a more resilient peer-to-peer or layered model where control servers are harder to access and spread among many hosts. However it develops, the key challenge for all in the security community is to keep exposing these botnets and maintaining the pressure on them. As last week's events show, it can have a positive impact on spam.
Last Reviewed: November 19, 2008 by Phil Hay
- © 2010 M86 Security. All Rights Reserved.