Today we are seeing another high volume spam campaign. It is very similar to the one I wrote about yesterday:
My guess is that this is the same spammer that was doing it yesterday. After getting blocked, he just updated his campaign: he rotated his spamming IPs, compromised URLs and message content.
My sources indicate that this is the darkmailer botnet. Looking back over my historical data, darkmailer sends in waves. The past couple of days have seen an increase in activity after a “quiet” period of a couple of weeks. This would lend credence to my theory of a spammer renting the botnet, since most spammers don’t do it continuously but instead rent the equipment for a period of time. My stats also indicate that most of the spamming IPs over the past couple of days originate in China. This is unusual for a botnet these days because the most commonly occurring botnets are in the US, Russia, India and Southeast Asia (and parts of Europe). China used to be a spam source but has cleaned up its act significantly.