Global volumes of spam are increasing again two weeks after the shut down of a hosting company on 11 November that initially saw a 75% reduction in the volume of spam email.
The shutdown of California-based McColo, slashed spam volumes because some of the world's biggest spam-generating botnets were controlled from servers hosted by McColo, according to security researchers who had long urged the company's disconnection from the web.
According to researcher with IronPort Systems, a messaging security company owned by Cisco Systems, spam volumes are still down. IronPort, said yesterday (25 November) spam volume was approximately 72.7 billion messages, less than half of the 153 billion on November 11, but up from the 64.1 billion of November 13, two days after McColo went off the air.
"We're seeing small spikes in spam volumes relative to the post-McColo shutdown volumes," said Nick Edwards, a senior product manager at IronPort, in an email Tuesday explaining the uptick. "We believe the spammers are trying other botnets - those whose command-and-control infrastructure and front-end applications were not hosted by McColo."
They're not having much luck, Edwards added. "Spam volumes are still down significantly," he said. "While there was a temporary increase in spam volume [last] Friday and Saturday, spam volumes have not approached levels prior to the McColo shut down. The spammers are having a difficult time finding a botnet for lease that they can use effectively."
Researchers at rival MessageLabs - now part of Symantec - see the situation differently.
According to Matt Sergeant, a senior anti-spam technologist at the company, spam levels have bounced back to about two-thirds of what they were before McColo was yanked off the Internet. In fact, spam jumped to that volume only today.
Sergeant wasn't surprised by the lag time between McColo's shutdown and a return of spam. "The Asprox and Rustock botnets are back with a vengeance after having found new command and control [servers]," Sergeant said in an email.
"Cutwail never went away and it seems its owners have used the opportunity to increase output. Mega-D is also on the rise again."
Sergeant and Edwards, however, agreed that the notorious Srizbi botnet was finished.
"Srizbi, having once been responsible for 50 percent of all spam, is now completely defunct," said Sergeant, who added that sans that botnet, "spam levels won't return to what they had been."
Srizbi, which also goes by "Mailer Reactor," was among the world's biggest botnets. In April, noted botnet researcher Joe Stewart of SecureWorks estimated Srizbi as composed of 315,000 infected PCs. The McColo takedown, Stewart said last week, had cut off more than half a million compromised computers - aka "bots" - from their criminal controllers.