The CS Monitor has an article up (I was directed to it via All Spammed Up) where they review Symantec’s latest security report and the main trends of the past year.  From the article:

Targeted cyberattacks – the kind used to burrow deep into corporate computer networks and steal their proprietary secrets – rose sharply in 2011, according to a new report. But it also found that the broad tidal wave of e-mailed spam fell substantially this year.

Granted, spam still accounted for 70.5 percent of the 48 billion e-mail messages sent each day. But overall spam levels this year hit a three-year low – well below the 90 percent rate reported in 2010 by Symantec, a computer security company in Mountain View, Calif.

Declines in spam overall are due in part to some success in closing down rogue Internet service providers and shutting down notorious "botnets" – networks of enslaved computers used by criminals to send waves of bogus spam e-mail.

Although there were relatively few "targeted e-mail attacks," those increased the most, writes Paul Wood, Symantec senior researcher, in the report. An example of a generic targeted attack is an e-mail advertising half-price “green fees” that might appeal to a golfer. The attacker's goal is to get the recipient to click on and open a document – a contaminated PDF file. That, in turn, might install a piece of malicious software that steals his bank account information.

It’s true that spam has declined during the past year.  I can take this a step further and illustrate what’s going on:

  • Spam from botnets has declined over the past year, while snowshoe spam has skyrocketed (see here for my discussion on snowshoe spam).  While the article in CS Monitor briefly touches upon some major botnet takedowns this year, the botnet takedowns do not directly account for the drop in botnet spam.

    I keep track of botnets, and while it’s true that takedowns briefly disrupt spam, many times the effect is not even noticeable because other botnets pick up the slack.  Instead, what has happened is that spammers have turned from botnet spam to other activities where they send fewer messages in an attempt to evade filtering.  Why do they do this?  Because large botnets attract the attention of antispam folks and law enforcement. Thus, the takedown of botnets has not disrupted the spammers’ method of distribution (by taking down their infrastructure) but rather their behavior (by pushing them away from botnet spam).

    Snowshoe spam has increased because it does not have the same vulnerabilities as botnet spam:  botnet spam has to be sent to a lot of users, whereas snowshoe spam needs to reach far fewer.  It also looks quasi-legitimate, which makes it more difficult for filters to detect, whereas most botnet spam is pretty easy to filter.  Thus, spammers have moved on to types of spam that are harder to filter because they have a smaller footprint.

    I estimate that snowshoe spam is roughly 10-15% of our inbound mail but constitutes 80% of our spam complaints.

  • Targeted attacks have increased this year.  These types of attacks cannot be sent in large volumes because there are only so many people to target.  You pick and choose whom you want to go after, but because of this, you only choose the people who might be vulnerable.  Fewer targets means fewer spam messages, which means a lower volume of spam across the board.

  • Symantec also talks about Advanced Persistent Threats (APTs) as the most visible new threat, but this is not the reason for a decrease in spam.  The reason is that the people who spam (individuals or small crime syndicates) are not the same people behind APTs (foreign governments).  Governments were not actively out there spamming people before and then decided to switch to APTs.  Rather, they got into the game alongside the other spammers.

Those are the main reasons for the decline in spam this year.  In next month’s issue of Virus Bulletin, I’ll have the top ten Spam, Malware and Cybersecurity Stories of 2010.  What will make my list?  Stay tuned!
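To make the "smaller footprint" point about snowshoe spam concrete, here is an added example that is not code from the original post, from Symantec, or from any product: a toy Python aggregation over constructed mail-log lines. The log format (sender IP, HELO name, subject), the /24 grouping, the thresholds, and the sample addresses are all assumptions of this example, chosen to show that a per-IP volume rule, which catches a single host hammering a filter botnet-style, sees nothing wrong with a netblock of hosts that each send only one or two messages, while a per-netblock rule that looks for many low-volume siblings sending the same content does surface that pattern.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed sample log lines (not real traffic): "<sender_ip> <helo_name> <subject>".
# - 203.0.113.0/24: six hosts, one message each, identical subject -> snowshoe-style pattern
# - 198.51.100.44 : one host sending the same message twenty times -> botnet-style pattern
# - 192.0.2.77    : ordinary low-volume corporate mail
_SNOWSHOE = "\n".join(
    f"203.0.113.{n} mail{n}.example-deals.invalid Half-price green fees this weekend"
    for n in range(5, 11)
)
_BOTNET = "\n".join("198.51.100.44 dsl-44.isp.invalid CHEAP PILLS" for _ in range(20))
_LEGIT = "192.0.2.77 mail.corp.invalid Q3 planning meeting"
SAMPLE_LOG = "\n".join([_SNOWSHOE, _BOTNET, _LEGIT])


def parse_log(text):
    """Split each log line into a (sender_ip, helo_name, subject) tuple."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, helo, subject = line.split(" ", 2)
        records.append((ip, helo, subject))
    return records


def high_volume_ips(records, threshold=10):
    """Classic per-IP volume rule: flag any single sender at or above `threshold` messages.
    This is the kind of rule that botnet spam trips and snowshoe spam slips under."""
    counts = Counter(ip for ip, _, _ in records)
    return {ip for ip, n in counts.items() if n >= threshold}


def snowshoe_netblocks(records, min_hosts=5, max_per_host=2):
    """Group senders by /24 (an assumed grouping) and flag blocks where many distinct
    hosts each send only a few messages that all carry the same subject.
    Every host stays under the per-IP threshold, so only the aggregate reveals it."""
    by_block = defaultdict(list)
    for ip, _, subject in records:
        block = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_block[block].append((ip, subject))
    flagged = {}
    for block, entries in by_block.items():
        per_host = Counter(ip for ip, _ in entries)
        subjects = {subject for _, subject in entries}
        if (len(per_host) >= min_hosts
                and max(per_host.values()) <= max_per_host
                and len(subjects) == 1):
            flagged[str(block)] = sorted(per_host)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("per-IP rule flags:", high_volume_ips(recs))
    print("netblock rule flags:", snowshoe_netblocks(recs))
```

Running the script flags only 198.51.100.44 under the per-IP rule and only 203.0.113.0/24 under the netblock rule; the six snowshoe hosts never appear in the per-IP result. A real filter would add sender reputation, domain age and content features on top of this, but the contrast between the two rules is the point: volume-based filtering is tuned for botnet spam, and the spammers' move to low-volume, spread-out sending is what takes it out of that rule's reach.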