If you haven’t noticed lately, spam levels around the world have started dropping especially in October after a couple of events occurred.  The first is a Russian crackdown on alleged spam king Igor Gusev, thought to be involved in the operations of SpamIt.com.  SpamIt mysteriously shut down in late September, perhaps because Gusev caught wind of law enforcement starting to take notice of him.

From the New York Times:

MOSCOW — You may not have noticed, but since late last month, the world supply of Viagra ads and other e-mail spam has dropped by an estimated one-fifth. With 200 billion spam messages in circulation each day, there is still plenty to go around.  But police officials in Russia, a major spam exporter, say they are trying to do their part to stem the flow. On Tuesday, police officials here announced a criminal investigation of a suspected spam kingpin, Igor A. Gusev. They said he had probably fled the country.

Moscow police authorities said Mr. Gusev, 31, was a central figure in the operations of SpamIt.com, which paid spammers to promote online pharmacies, sometimes quite lewdly. SpamIt.com suddenly stopped operating on Sept. 27. With less financial incentive to send their junk mail, spammers curtailed their activity by an estimated 50 billion messages a day.  Why the site closed was unclear until Tuesday, when Moscow police officials met with reporters to discuss the Gusev case. The officials’ actions were a departure from Russia’s usual laissez faire approach to online crime.

Mr. Gusev’s lawyer, Vadim A. Kolosov, said in a telephone interview that his client was not the owner of SpamIt.com and had never sent spam e-mail, but declined to respond to specific questions.  The drop-off in spam since SpamIt.com went down had been noted by companies in the United States that monitor the Internet. “We’ve seen a sustained drop in global volumes,” Henry Stern, a senior security analyst at Cisco Systems, said in a telephone interview from San Francisco. The company pinpointed the closure of Mr. Gusev’s site as the cause for this easing up.

Why, after years of ignoring spammers, Russian authorities have now acted has left online security experts puzzled.  SpamIt.com had operated in a gray area of Russian law, cybersecurity researchers said. They said it had paid commissions to other parties that had directed traffic to various sites operating under the name Canadian Pharmacy, using a Russian online settlement system. Mr. Gusev has denied in blog posts that he promoted spam.

The spammers, meanwhile, operated entirely in the shadows, using networks of computers that had been remotely infected with viruses, known as botnets, and turning them into relay stations for sending e-mail from anywhere in the world.  Some American security experts have said that the spamming operation in Russia appears to have been protected by Russian authorities — whether for reasons of corruption, national pride or state security.

Because most victims of online crime, and the targets of unwanted spam advertising, are in Europe and the United States, Russian police have typically seen little incentive to prosecute online crime, analysts say.

But recently, President Dmitri A. Medvedev of Russia has been seeking to expand and legitimize the domestic Russian Internet industry – and move it away from its reputation as a playground for hackers, pornographers and authors of darkly ingenious viruses.

Computer security researchers are puzzled, to say the least.  Why the crackdown on at this time after years of turning either actively encouraging cybercrime, or at least intentionally turning a blind eye?  Or at the very least, not bothering to pursue cyber crime cases? On July 5, 2010, Loucif Kharouni of Trend Micro discovered a ZeuS/Zbot variant that targets several banks around the world, including Russian banks:

While conducting research, I encountered a curious-looking new ZeuS/ZBOT sample (detected as TSPY_ZBOT.ZCZ) using a very old toolkit version. I retrieved the sample two days ago. After some debugging/reversing, I found out that this specific sample targeted several banks around the globe, including Russian banks.

This is the first time I’ve seen ZeuS target Russian banks given that online banking is not so popular in Russia. I can recall a few ZeuS/ZBOT samples targeting Yandex services, but I definitely can’t recall anyone targeting MDM Bank or other online Russian banking systems.

So, it could be that when malware authors were targeting western banks and citizens, Russian police had little incentive to go after cybercriminals.  The prevailing theory is that in eastern Europe and Russia, defrauding westerners is not seen as a crime or even all that unethical, it’s just something you do.  You wake up, make yourself some coffee, steal some money from a westerner, write some more malware code, test it out, and call it a day.  But so long as the money is flowing into the country and not actually harming your own citizens, police have better things to do.  Consider your own home: if your neighbor’s sink is overrunning you might care a little bit but not all that much to go out of your way.  You’d probably phone him up and tell him, but you’re not going to lose that much sleep.  Of course, if you live in an apartment and your neighbor’s apartment is above yours, suddenly his leaky sink becomes your problem.  If that leaky sink spills too much water it will soak through the ceiling and start damaging your own living conditions.  It behooves you to assist your neighbor.

This could be a situation of “If it’s not in my backyard, I’ve got more important things to do.”  Now, ZeuS is targeting bank’s in Russia’s back yard.  Suddenly, that leaky faucet across the street is leaking above their own roof.  This changes the equation for Russian law enforcement because it is doing actual harm to its own citizens and industry.  Now maybe it makes economical sense for Russia to crack down on botnet operators.

Or, maybe Gusev, the alleged owner of SpamIt, ran afoul of authorities and didn’t pay them off (fell behind on some debts) and they are looking to prosecute as a means for settling the score.  It could be a simple as that and the ZeuS/Gusev connections are actually unconnected.