Slashdot Mirror


Malicious Spam Spikes To 'Epic' Level

Trailrunner7 writes "There has been a huge spike in spam volume in the last few days, including a massive amount of malicious spam with infected attachments, and researchers say that levels of junk mail are now far higher than they were before the takedown of the notorious Spamit affiliate program last fall. The huge spike comes at a time when spam should, in fact, be dropping because of the takedown of the Rustock botnet, the Spamit network and other botnets. 'From the beginning of August, we have observed a huge surge of malicious spam which far exceeds anything we have seen over the past two years, including prior to the SpamIt takedown last October. The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors,' M86 researcher Rodel Mendrez said."

21 of 130 comments

  1. If you tear it down by Osgeld · · Score: 2

    they just build it back up again, you can do this for the rest of history and still be in the same place, much like the war on drugs

  2. not according to my graphs by fifedrum · · Score: 5, Interesting

    My graphs show a steady decline in spam capture rates since October 2010. We're measuring an average daily rate about 1/2 of this time last year (millions of mailboxes, dozens of MX servers, decent antispam filtering). We're blocking around 91.2% of mail at the perimeter as opposed to 98.8% last year.

    1. Re:not according to my graphs by SwedishChef · · Score: 2

      What is even more amazing is that with all the blocking and getting information out to users apparently spam is still profitable enough to keep on doing it. I have *never* responded to email spam but enough people must. Truly amazing.

      --
      No one ever had to evacuate a city because the solar panels broke!
    2. Re:not according to my graphs by Hatta · · Score: 3, Insightful

      The fact that you are blocking less spam is not necessarily evidence that there is less spam.

      --
      Give me Classic Slashdot or give me death!
    3. Re:not according to my graphs by cratermoon · · Score: 2

      Spam isn't so much about getting the recipient to buy things any more, it's about getting the recipient to give up a credit card number, bank account password, or something similar that can then be used to either directly rip off the individual or in an attack to compromise a higher value target.

      The spammers don't need to convince users to buy pills or whatever, they just need them to be gullible enough to give up enough information to get ripped off.

    4. Re:not according to my graphs by damn_registrars · · Score: 2

      And how is that going for you long-term? How much time and money do you have invested in this strategy? How often do you have to adjust it?

      You may be happy with the end result, but you should also be aware on some level that what you are doing is not sustainable in the long-term. If people continue to insist on filtering only, they will never win the war on spam.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    5. Re:not according to my graphs by fifedrum · · Score: 5, Interesting

      You are correct, the missing data point is the volume of email considered "not spam". This line in the graph stayed the same over the range, or within a minor fraction of a percent of the same. It's the spam counts that have dropped since 10/2010. The customer base also represents a large number of domain names, hundreds of thousands of domain names. One of our largest customers has been offering email since 1995, with many accounts in their domain being around for over a decade. I think it's a pretty solid sample of email accounts.

    6. Re:not according to my graphs by kwark · · Score: 2

      Well, I'm running systems a lot smaller but still for a fairly decent amount of corporate customers. Though overall spam has been down since Sep-Oct last year (to about 1/4 of that time). Last couple of weeks there have been huge spikes in attempted deliveries, but 90% is stopped by using simple mail sanity checks (like a well-formed HELO) and DNS blacklists. The other 10% is stopped by greylisting.

    7. Re:not according to my graphs by Albanach · · Score: 2

      Or your filters could be less effective?

      This stuff with infected attachments tends to get caught. Of course the consequences of any getting through are higher than for run of the mill spam.

      Still, I've seen a lot of spam recently containing random links to hijacked websites and sent from valid MTAs. That stuff can be hard to filter out without collateral damage.

    8. Re:not according to my graphs by Anonymous Coward · · Score: 3, Funny

      Am I the only person who reads this in a robot voice?

    9. Re:not according to my graphs by fifedrum · · Score: 2

      Long term, we've been allowing into the environment roughly the same volume of email per customer for 10 years. Some spam gets through, most does not, and there are few false positives. Those that are labeled false positives are most often bulk mail that people mark as junk. So IMO, it's junk mail.

      We use rules at the protocol level, DNS responses, RBLs (combined into one large RBL with multiple return values), external reputation lists, internal dynamic reputation lists, rate limitations, and multiple feedback systems to provide this level of protection, that's before content filtering and personal white/black lists.

      Just today, on the protocol layer, we're blocking 60% at banner (RBLs, bad DNS), 14% of the remainder at HELO, 3.5% of the remainder at Mail From (fake domain names) and finally a good chunk of what's left is blocked because it's destined to bad email addresses (which feeds back into the reputation lists).

      Customer feedback helps stop those who are newly spewing spam, and since the feedback systems are widely distributed over many different email service providers, a massive spike at one translates into a blocked email at the others (whether by IP or content).

      Better still, we do the same thing on the outbound side of things. If a customer catches a virus, they're cut off from email pretty fast and the feedback system is a very very tight loop internally.

      But you are right, it's an ever escalating war, and if we could skip a few steps and jail (permanently, with broken hands) the spammers and bot coders, we wouldn't have to spend the money on the filtering and RBLs and feedback loops and hardware. We adjust the rules slowly over time, the feedback systems are maintained by the "trusted" customer, we're spending hundreds of thousands of dollars a year to protect against junk mail. I'm not certain of the math here, but an educated guess, this translates to around 5% of the cost to serve a user's mailbox. That's just operations staff time, and datacenter space for the extra hardware, the hardware itself, the subscription fees to the antispam service, wasted bandwidth etc.
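
The staged rejection that fifedrum and kwark describe (DNSBL at connect, HELO sanity, sender domain, recipient validity), with block rates reported as a share of what reached each stage. This is an added example, not code from the thread or from any poster's system; the zone name, the stub sets standing in for DNS and the mailbox directory, and all function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-ins for DNS and the user directory, so the example runs offline.
DNSBL_ZONE = "dnsbl.example"  # hypothetical zone
LISTED = {"2.2.0.192.dnsbl.example", "77.113.0.203.dnsbl.example"}
RESOLVABLE = {"example.org", "example.net"}
MAILBOXES = {"alice@example.org", "bob@example.org"}
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """DNSBL query name: IPv4 octets reversed, then the list's zone."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + zone

def helo_ok(helo):
    """Well-formed HELO: a dotted FQDN or a bracketed IPv4 literal like [192.0.2.1]."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.IPv4Address(helo[1:-1])
            return True
        except ValueError:
            return False
    return bool(FQDN_RE.match(helo))

def classify(s):
    """Name the first stage that rejects session s, or 'accepted'."""
    if dnsbl_name(s["ip"]) in LISTED:
        return "banner"
    if not helo_ok(s["helo"]):
        return "helo"
    sender = s["mail_from"]  # empty string is the null sender "<>" used by bounces
    if sender and sender.rpartition("@")[2].lower() not in RESOLVABLE:
        return "mail_from"
    if s["rcpt"].lower() not in MAILBOXES:
        return "rcpt"
    return "accepted"

def funnel(sessions):
    """Block rate per stage as a share of the sessions that reached that stage."""
    counts, left, report = Counter(map(classify, sessions)), len(sessions), {}
    for stage in ("banner", "helo", "mail_from", "rcpt"):
        report[stage] = counts[stage] / left if left else 0.0
        left -= counts[stage]
    report["accepted"] = left
    return report

# Constructed session: its client IP is on the stub list, so it stops at the banner stage.
SAMPLE = {"ip": "192.0.2.2", "helo": "mx.example.net", "mail_from": "a@example.net", "rcpt": "alice@example.org"}
```

Because each rate is relative to the remainder, per-stage figures such as 60%, 14% and 3.5% cannot simply be summed to get the total blocked share.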

    10. Re:not according to my graphs by ccguy · · Score: 3, Funny

      Amazing how much of email traffic is spam, mind boggling.

      Indeed. I just can't get my boss to stop.

  3. Obvious by Arancaytar · · Score: 5, Insightful

    Apparently, most of the current spam is aimed at building new botnets. Which is sort of what you'd expect after a lot of botnets are taken down.

  4. Lazy Spammer Grammar by seven of five · · Score: 3, Funny

    If these knuckleheads ever learn correct English, we're screwed.

  5. Even more spam than before? by 93 Escort Wagon · · Score: 2

    They must've turned it up to 11.

    --
    #DeleteChrome
  6. Older people by Anonymous Coward · · Score: 2, Informative

    What is even more amazing is that with all the blocking and getting information out to users apparently spam is still profitable enough to keep on doing it. I have *never* responded to email spam but enough people must. Truly amazing.

    I volunteer in a call center for consumer help.

    Many older people (that call us, anyway) think of email offers or anything via email for that matter, on the same level as regular mail. In other words, if they get an offer in their email inbox, it has the same weight as something they get in their regular mail - is the best way I can explain it.

    It's the same with the email spam from certain lobbying organizations that claim that their Social Security and Medicare are going to be cut and they need to RESPOND NOW and DONATE to stop this! - regardless of the merits of the claim.

    If someone in an email says they "checked it out and it's TRUE" they believe them, too.

    We need to tell our parents and grandparents to treat all unsolicited email as scams and even have serious doubts about emails from organizations that they do deal with.

  7. This is what we get... by damn_registrars · · Score: 3, Interesting

    When our anti-spam activities center on filtering received mail and chasing down the spammers themselves. Eventually someone else comes in and comes up with a different way to send spam so it gets around existing filters, which just starts a new round of whac-a-mole.

    Until we do something about the motivating factors behind spam - that is, the economics of spam - we will continue to get nowhere, while wasting more time and money on the problem.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  8. correction in the summary: by nimbius · · Score: 5, Funny

    A security company with 11 products designed to solve your spam problem, has made a picture showing a bombastic and ludicrous increase in spam the likes of which you cannot possibly cope with. This spam targets your genitals using african money laundering transfers to smuggle a dirty bomb into your new nike jordans and boochi bags at 80% discount, and free shipping.

    It is imperative you believe this unrenowned, seldom-published security engineer working for a vague corporation that runs its main website on a dated version of Microsoft IIS 6.0 with ASP. This company worked hard to ensure its pretty pictures had maximum market placement, and Slashdot is no exception.

    --
    Good people go to bed earlier.
  9. Re:unless by EraserMouseMan · · Score: 3, Funny

    Whindows partitions getting whiped and their machines whork? Suddenly? I can't whait!

  10. Not spam volume, just malicious attachments by Tony Isaac · · Score: 2

    Overall spam volume is down, based on M86 Security and others. http://www.m86security.com/labs/spam_statistics.asp

    My own spam rates via GMail, and my own domain, show spam rates down by 50% since last year.

    It might depend on who you read. Try googling "spam statistics" and you'll get quite a mix of "spam is up," "spam is down."

  11. Re:Good luck with that. by Jeng · · Score: 2

    Much like an advertising campaign, spamming does not have to be profitable to those who employ spam. It only has to be profitable to the organization that is being paid to spam.

    The only people who have to buy anything are the people who buy the spamming service.

    --
    Don't know something? Look it up. Still don't know? Then ask.