Arstechnica wrote an article this past weekend entitled Spam levels still low a year after Rustock botnet takedown.  From the article:

In March 2011, a Microsoft-led team targeted and decapitated the Rustock botnet, and a dramatic decrease in spam traffic was noticed almost immediately. It turns out that a full year later, spammers have not been able to fill the gaping hole left by Rustock's absence.

Just before the Rustock takedown, "spam levels were around the 150 billion mark daily," security vendor Commtouch said in a new analysis. "Spam levels dropped immediately after that takedown and have continued to decrease ever since. In the first quarter of 2012, an average of 94 billion spam emails were sent per day… There is no sign of a return to pre-Rustock spam levels."

Rustock was responsible for sending 30 billion spam e-mails a day, and thus its takedown alone can't account for the entire drop in spam volume. Commtouch said the sustained improvement was a combination of multiple botnet takedowns, as well as "increased prosecution of spammers and the source industries such as fake pharmaceuticals and replicas."

The article is more detailed that numerous things have contributed to the decline in spam since then.  However, the article misrepresents Rustock’s effect on the spam levels.  It’s completely true that Rustock was the largest botnet and sent the most spam (by total individual spam connections).  However, spam was falling even before that:

image

You can see starting in May 2010, spam hit a peak and has been declining ever since.  Taking out Rustock no doubt accelerated that but alone was not responsible for the decline in spam.

Commtouch’s report warns that abuse is still with us: botnets are growing and spammers are finding new ways to infect computers.  The problem has not gone away.

So what’s going on?

  • Email spam is definitely on the decline.  However, the spam has morphed from bucket loads of generic (no pun intended) spam to more targeted attacks.  We still see things like pharmaceuticals, fake degrees, and the like, but not as much.


  • Malicious, targeted spam is on the rise.  Because of the very successes at taking down botnets and disrupting spammers, spammers have gotten smaller in order to evade detection.  Their tired of attracting the attention of antispammers who have gotten their act together.  They’ve also started making more targeted spam campaigns that are designed to infect user’s computers rather than try to sell them something.  The result is spam that is more difficult to detect and more difficult to catch.


  • Snowshoe spammers are filling the gap.  Snowshoe spam is spam that looks quasi-legitimate, kind of like a newsletter, but is spam because of the techniques that the senders are using to evade detection.  They sell free iPads, iPods, TV tuner cards, secret shoppers, and other useless things.  These spammers send mail in fewer numbers but it’s just as annoying.


  • Other avenues are more popular.  When email was new and popular and the main way to communicate (1996 – 2009), spammers targeted it.  Now, more and more people are using mobile phones and social networks to communicate.  Spammers have followed them.  They are still interested in selling fake pharmaceuticals to end users, but now they are creating fake accounts on Facebook, Pinterest and Twitter instead of sending spam over SMTP.  Spammers are only reacting to societal trends.


That is what accounts for the decline in spam since the Rustock takedown, and it’s corresponding lack of re-emergence since then.