|
I started hearing various people comment about lower spam volumes sometime in mid December. This isn’t that unusual, spam volumes are highly variable and someone is always noticing that their spam load is going up or going down. The problem is extrapolating larger trends from a small selection of email addresses. There’s too much variation between email addresses and even domains to make any realistic assumptions about global spam volumes from mail coming into a particular address or domain. And that variation is before you even consider that spam filters prevent much of the spam from actually reaching people.
Spam volumes between June 2008 and December 2010
Spam volumes from January 2010 through December 2010
Spammers took the week off. There are organizations, though, that have access to extremely large groups of addresses they use to track spam. Those numbers tend to be more representative of the actual spam volumes and are very good for tracking trends.
The news seems good. During the second half of 2010 there was a consistent and steady decline in the amount of spam received by the Senderbase network. In fact, December levels went below 100 million emails.
The CBL also publishes numbers and shows a steady decline in volumes during 2010.
Related to the inquiries I started hearing in December, there was a clear dropoff (spammers going on Chrismas vacation?) in volume at the end of December. It’s harder to see in that graph, but is clearly demonstrated if we look at the CBL graph for Q4. There is a precipitous drop around Christmas. The traffic volumes reflect some of the drops seen when major botnets are taken offline, however there were no reports of arrests or takedowns around that time. It’s unclear if this decrease will be sustained or not.
An article posted yesterday by Threatpost about increased activity from the Storm botnet indicates that botnets aren’t necessarily dead yet. It also indicates old botnets may be evolving yet again.
There are a lot of possible reasons that volumes are down, from vacations to arrests through to spammers finding more effective ways to get their messages out. Anecdotally, a lot of spammers are moving to social media networks, especially twitter. This may work better for spammers, who rely on immediacy rather than a consistent or coherent message.
Updated Jan 4, 2011: Added link to CBL as source for additional graphs.
Sponsored byDNIB.com
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byRadix
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byVerisign
Interestingly, the Cisco IronPort SenderBase stats you show in the first figure indicate that spam remained remarkably steady as a percentage of global email volume, varying less than 1% in the last six months (between 85.1% and 85.8%), despite the substantial changes in total volume. What we see in the last six months is a decline in the email medium as a whole (with spam following that trend in close synchronisation, assuming that IronPort’s classification accuracy has remained consistent in that period).
In other words, this data can be read almost as-is to describe the trends of global email as a whole. That being so, the data reveals a couple of counter-intuitive things. For one, nothing in the past year and a half has managed to alter significantly the overall percentage of spam being produced. If you remove the top and bottom outliers, the variability is 1.1%. More to the point, the differences in spam volume are utterly dwarfed by differences in overall email volume from month to month. The difference between April and May 2010 is a case in point. Did email really hit a long-term peak in popularity in June 2010, two months after a long-term low?
These trends are a bit bizarre. Are they real, or is it telling us more about the underlying spam classification techniques than the popularity of email? We need more data and deeper analysis.
Incidentally, can you please cite a source for the data in the second and third charts?
I’ve heard that the Rustock botnet has moved to click fraud. If so, then that would explain the drop off in spam since Rustock was the largest spam-sending botnet.