Dip in ICSA Labs’ Spam May be Due to Rustock Takedown
March 22, 2011
By Jack Walsh

Several media outlets are reporting that the massive Rustock botnet, considered by many to be one of the world’s largest generators of spam, was taken down Wednesday, March 16 just before 11 AM EDT (3 PM GMT), resulting in a significant spam decrease.  

As you may know, ICSA Labs collects spam both for use in our daily anti-spam product effectiveness and false positive testing, as well as to report weekly spam trends.  To determine whether or not we are seeing evidence to support the reported findings, we compared spam from our primary collection honeypot on Monday and Tuesday for the last three weeks.  Here are our top findings: 

1.      While spam dropped, ICSA Labs is not seeing a massive disruption: On Tuesday, March 1, we received about 320K spam messages.  On Wednesday, March 2, we received 390K spam messages.  The following week we received about 400K spam messages on Tuesday, March 8 and 450K on Wednesday, March 9.  Last week we received about 330K spam messages on Tuesday, March 15 and 335K messages on Wednesday, March 16.  There is quite a bit of variance in the totals.  While one can see a drop on March 16 compared to weeks prior, it’s difficult to conclude, based on this data, that there has been a massive disruption in the spam received.  Other spam may be filling the void left behind by the downed botnet. 

2. ‘Duplipate’ spam decreased:  For the first time in a while, ICSA Labs was able to send 26K messages (about 90 percent of which are spam) through our anti-spam products in daily testing before the 10.5 hour long daily test for that day ended.  What’s interesting about that is that we typically hit our current 10.5 hour test time limit before we hit the 26K messages mark.  The reason we have been reaching the time limit before the 26K message mark is because our methodology detects and does not send duplicate spam messages through products.  What that means is that there must have been far fewer duplicate spam messages received in our spam honeypot on March 16 compared to usual, which may be attributable to the takedown. 

3. Does the media have the right date?  Duplicate spam messages were down on both March 15 and even further down March 16 compared to each of the two previous Tuesdays and Wednesdays.  Spam duplicates are actually down from about 200K a day on average to about 150K on average beginning around March 10 and down to about 100K or so in the days leading up to and including March 16.  Maybe it is just a coincidence that our duplicate spam messages are dramatically down both March 15 and March 16 but markedly lower than usual beginning March 10?  But all of this makes me wonder whether the media can be sure all the takedowns occurred on the same day.  Could it possibly have been a day earlier or even a process that took several days for the effects to be seen?   

Then again, maybe the date is correct since between March 15 and 16 there was a steep 30 percent drop in spam received from India and a 28 percent drop in spam received from Indonesia.  That may be related to a botnet takedown on March 16.  A final interesting tidbit is that between March 15 and 16, spam from Brazil, Russia, and the U.S. received by our honeypot actually increased.  Again that could be related to other spam filling the void left by the botnet takedown that I mentioned above. 

In summary, while there does appear to be a connection, we believe that more study is necessary to determine whether or not these changes in spam volumes, spam duplicates, and spam origins are the direct result of the Rustock botnet takedown.

 

Terms: botnet, Rustock

Comments

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor to prevent automated spam submissions.
Image CAPTCHA
Enter the characters shown in the image.