Home / Blogs

Spam Volumes In 2010

I started hearing various people comment about lower spam volumes sometime in mid December. This isn’t that unusual, spam volumes are highly variable and someone is always noticing that their spam load is going up or going down. The problem is extrapolating larger trends from a small selection of email addresses. There’s too much variation between email addresses and even domains to make any realistic assumptions about global spam volumes from mail coming into a particular address or domain. And that variation is before you even consider that spam filters prevent much of the spam from actually reaching people.

Spam volumes between June 2008 and December 2010

Spam volumes from January 2010 through December 2010

Spammers took the week off.
There are organizations, though, that have access to extremely large groups of addresses they use to track spam. Those numbers tend to be more representative of the actual spam volumes and are very good for tracking trends.

The news seems good. During the second half of 2010 there was a consistent and steady decline in the amount of spam received by the Senderbase network. In fact, December levels went below 100 million emails.

The CBL also publishes numbers and shows a steady decline in volumes during 2010.

Related to the inquiries I started hearing in December, there was a clear dropoff (spammers going on Chrismas vacation?) in volume at the end of December. It’s harder to see in that graph, but is clearly demonstrated if we look at the CBL graph for Q4. There is a precipitous drop around Christmas. The traffic volumes reflect some of the drops seen when major botnets are taken offline, however there were no reports of arrests or takedowns around that time. It’s unclear if this decrease will be sustained or not.

An article posted yesterday by Threatpost about increased activity from the Storm botnet indicates that botnets aren’t necessarily dead yet. It also indicates old botnets may be evolving yet again.

There are a lot of possible reasons that volumes are down, from vacations to arrests through to spammers finding more effective ways to get their messages out. Anecdotally, a lot of spammers are moving to social media networks, especially twitter. This may work better for spammers, who rely on immediacy rather than a consistent or coherent message.

Updated Jan 4, 2011: Added link to CBL as source for additional graphs.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Laura Atkins, Founding partner of anti-spam consultancy & software firm Word to the Wise

Filed Under

Comments

Rock steady as a percentage, though The Famous Brett Watson  –  Jan 4, 2011 6:43 AM

Interestingly, the Cisco IronPort SenderBase stats you show in the first figure indicate that spam remained remarkably steady as a percentage of global email volume, varying less than 1% in the last six months (between 85.1% and 85.8%), despite the substantial changes in total volume. What we see in the last six months is a decline in the email medium as a whole (with spam following that trend in close synchronisation, assuming that IronPort’s classification accuracy has remained consistent in that period).

In other words, this data can be read almost as-is to describe the trends of global email as a whole. That being so, the data reveals a couple of counter-intuitive things. For one, nothing in the past year and a half has managed to alter significantly the overall percentage of spam being produced. If you remove the top and bottom outliers, the variability is 1.1%. More to the point, the differences in spam volume are utterly dwarfed by differences in overall email volume from month to month. The difference between April and May 2010 is a case in point. Did email really hit a long-term peak in popularity in June 2010, two months after a long-term low?

These trends are a bit bizarre. Are they real, or is it telling us more about the underlying spam classification techniques than the popularity of email? We need more data and deeper analysis.

Incidentally, can you please cite a source for the data in the second and third charts?

I've heard that the Rustock botnet has Terry Zink  –  Jan 11, 2011 6:25 AM

I’ve heard that the Rustock botnet has moved to click fraud.  If so, then that would explain the drop off in spam since Rustock was the largest spam-sending botnet.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

DNS

Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign