
Spam Levels Still Lower a Year After Rustock

Ars Technica recently published an article entitled “Spam levels still low a year after Rustock botnet takedown.” From the article:

In March 2011, a Microsoft-led team targeted and decapitated the Rustock botnet, and a dramatic decrease in spam traffic was noticed almost immediately. It turns out that a full year later, spammers have not been able to fill the gaping hole left by Rustock’s absence.

Just before the Rustock takedown, “spam levels were around the 150 billion mark daily,” security vendor Commtouch said in a new analysis. “Spam levels dropped immediately after that takedown and have continued to decrease ever since. In the first quarter of 2012, an average of 94 billion spam emails were sent per day… There is no sign of a return to pre-Rustock spam levels.”

Rustock was responsible for sending 30 billion spam e-mails a day, and thus its takedown alone can’t account for the entire drop in spam volume. Commtouch said the sustained improvement was a combination of multiple botnet takedowns, as well as “increased prosecution of spammers and the source industries such as fake pharmaceuticals and replicas.”

The article goes into more detail, noting that numerous things have contributed to the decline in spam since then. However, the article misrepresents Rustock’s effect on spam levels. It’s completely true that Rustock was the largest botnet and sent the most spam (by total individual spam connections). However, spam was falling even before that:

You can see that spam hit a peak in May 2010 and has been declining ever since. Taking out Rustock no doubt accelerated that, but it alone was not responsible for the decline in spam.

Commtouch’s report warns that abuse is still with us: botnets are growing and spammers are finding new ways to infect computers. The problem has not gone away.

So what’s going on?

  • Email spam is definitely on the decline. However, the spam has morphed from bucket loads of generic (no pun intended) spam to more targeted attacks. We still see things like pharmaceuticals, fake degrees, and the like, but not as much.
  • Malicious, targeted spam is on the rise. Because of the very successes at taking down botnets and disrupting spammers, spammers have gotten smaller in order to avoid detection. They’re tired of attracting the attention of anti-spammers who have gotten their act together. They’ve also started making more targeted spam campaigns that are designed to infect users’ computers rather than try to sell them something. The result is spam that is more difficult to detect and more difficult to catch.
  • Snowshoe spammers are filling the gap. Snowshoe spam is spam that looks quasi-legitimate, kind of like a newsletter, but is spam because of the techniques that the senders are using to evade detection. They sell free iPads, iPods, TV tuner cards, secret shoppers, and other useless things. These spammers send mail in fewer numbers but it’s just as annoying.
  • Other avenues are more popular. When email was new and popular and the main way to communicate (1996 – 2009), spammers targeted it. Now, more and more people are using mobile phones and social networks to communicate. Spammers have followed them. They are still interested in selling fake pharmaceuticals to end users, but now they are creating fake accounts on Facebook, Pinterest and Twitter instead of sending spam over SMTP. Spammers are only reacting to societal trends.

That is what accounts for the decline in spam since the Rustock takedown, and its corresponding lack of re-emergence since then.

By Terry Zink, Program Manager
