Spam trackers are seeing a fairly dramatic drop in junk e-mail sent over the past few days, specifically spam relayed by one of the world’s largest spam botnets – although security experts disagree on exactly which botnet may be throttling back or experiencing problems.
According to M86 Security Labs, the volume of spam has dipped quite a bit, approximately 40 percent since the beginning of the month by the looks of the graphic the company publishes on its site (pictured at right).
M86 says the decrease in spam is due to a rapid drop in activity from the Rustock botnet (see graphic below left), a collection of spam-spewing zombie PCs that experts say is responsible for relaying about 40 percent of all junk e-mail on any given day.
The decline in spam volume comes at about the same time that the world’s largest spam affiliate program, spamit.com, said it would stop paying affiliates to promote its online pharmacy Web sites as of Oct. 1.
Bradley Anstis, vice president of technical strategy for M86, said the most likely explanation is that the person(s) operating Rustock rented the botnet to a number of spamit.com affiliates, and many of those affiliates have not yet switched over to another pharmacy affiliate program.
“To me, that’s the most logical explanation,” Anstis said. “The timing certainly hooks up well, because we started seeing this decline right around the first of October.”
Several other spam watchers said they also were seeing the decline in junk e-mail, although they attributed it differently. Dmitri Alperovitch, vice president of threat research at McAfee, said his company’s sensors were attributing the drop in spam to a decline in activity from the Pushdo botnet.
Alperovitch said McAfee is seeing a 45 percent drop in the number of Pushdo-infected PCs sending spam since Oct. 1, and a 27 percent decrease in overall spam levels since that same date.
The dispute over which botnet may be responsible for the missing spam is interesting because it dovetails with a discussion I had last month with a Russian source who has close contacts with many key players in the cybercrime underground. I had asked this source if he could connect me to the author of Rustock. My source couldn’t secure me an interview, but he related the following tidbit from their conversation: the Rustock author was amused because M86 was consistently conflating Pushdo and Rustock infections — effectively giving his Rustock botnet credit for spam that was being sent by Pushdo.
M86’s Anstis said his team would be checking their methodologies to make sure they weren’t misclassifying the spam sources.
“As security vendors, we try to work out which ones are most active and which ones we should concentrate on,” Anstis said. “In the end, the only person who is going to know who is sending what is the botnet authors.”
Update, Oct. 6, 5:13 p.m. ET: M86 said they re-checked their information after my story ran. Here was their response:
“We have also seen a drop since Sunday in Pushdo, but not at the level of the Rustock drop. We are sure we have these labeled correctly; for example, we saw the drop in just Pushdo last month when some of its controllers were taken offline. We still have no Rustock spam in our traps, and since these traps come from many different sources we find it hard to believe that just we were blacklisted. We have double-checked all our settings and algorithms. We were the first vendor to start reporting on spam bot traffic, and we are positive that we have these labeled correctly.”