BLOG

Spam volumes in 2010

I started hearing various people comment about lower spam volumes sometime in mid December. This isn’t that unusual, spam volumes are highly variable and someone is always noticing that their spam load is going up or going down. The problem is extrapolating larger trends from a small selection of email addresses. There’s too much variation between email addresses and even domains to make any realistic assumptions about global spam volumes from mail coming into a particular address or domain. And that variation is before you even consider that spam filters prevent much of the spam from actually reaching people.

Graph showing a steady drop in email in 2nd half of 2010

Spam volumes between June 2008 and December 2010


There are organizations, though, that have access to extremely large groups of addresses they use to track spam. Those numbers tend to be more representative of the actual spam volumes and are very good for tracking trends.
The news seems good. During the second half of 2010 there was a consistent and steady decline in the amount of spam received by the Senderbase network. In fact, December levels went below 100 million emails.
CBL graph of flows for 2010

Spam volumes from January 2010 through December 2010


Email flows for Q4 2010

Spammers took the week off.


The CBL also publishes numbers and shows a steady decline in volumes during 2010.
Related to the inquiries I started hearing in December, there was a clear dropoff (spammers going on Chrismas vacation?) in volume at the end of December. It’s harder to see in that graph, but is clearly demonstrated if we look at the CBL graph for Q4. There is a precipitous drop around Christmas. The traffic volumes reflect some of the drops seen when major botnets are taken offline, however there were no reports of arrests or takedowns around that time. It’s unclear if this decrease will be sustained or not.
An article posted yesterday by Threatpost about increased activity from the Storm botnet indicates that botnets aren’t necessarily dead yet. It also indicates old botnets may be evolving yet again.
There are a lot of possible reasons that volumes are down, from vacations to arrests through to spammers finding more effective ways to get their messages out. Anecdotally, a lot of spammers are moving to social media networks, especially twitter. This may work better for spammers, who rely on immediacy rather than a consistent or coherent message.

3 comments

  1. Justin Coffey says

    What might be interesting to note is that during this same period we saw an *increase* in open rates at major ISPs like hotmail and yahoo.
    Are less busy inboxes giving recipients more time to read wanted (we did not see a corresponding spike in unsub or complaint rates) emails?
    Can anyone else corroborate this experience?

  2. Denny Watson says

    The Christmas day drop that you are seeing is most likely the result of the rustock botnet no longer sending spam. See http://krebsonsecurity.com/2011/01/taking-stock-of-rustock/ from my own rustock specific trap the number are mildly interestesting but show the same;
    Date: total rustock emails
    20101220: 407064
    20101221: 361514
    20101222: 417992
    20101223: 415941
    20101224: 335103
    20101225: 68990
    20101226: 47
    20101227: 60
    20101228: 125
    20101229: 131
    20101230: 52
    20101231: 0
    I haven’t seen a rustock email so far in 2011. I’m guessing that remaining trickle was the result of poor updates by some of the compromised machines. At some point rustock might start sending again, resulting in sudden jump in overall spam.

  3. Al says

    That explains what I’m seeing here, too. Spam volumes are a good 60% off. I’m not savvy enough to denote Rustock-vs-some other bot (yet?) though.

Comment:

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.