
Spam Volumes Drop After Spamit Shakeup

The last few weeks have seen quite a shakeup in the spamming world. Our Spam Volume Index, which records relative movements in spam volume sent to a bundle of domains we monitor, has recorded a substantial drop two weeks in a row.

M86 Security Spam Volume Index

A major cause was a sudden fall in spam output from Rustock, one of the major spamming botnets of recent times. We noticed the decline starting around 20 September and dropping to negligible levels by 23 September. This happened at the same time as initial reports surfaced that the notorious SpamIt.com operation was shutting down.

Rustock Spam Volume Decline

SpamIt.com is an underground group of email spam affiliates closely linked to GlavMed, which in turn is responsible for one of the largest and oldest affiliate programs, called “Canadian Pharmacy”. In recent times Canadian Pharmacy has been the dominant spammed program, simultaneously spammed by most of the major spamming botnets. In late September, the SpamIt.com domain had the following message announcing its impending shutdown on 10 October.

SpamIt.com web page prior to 10 October

Today, the SpamIt.com domain has the following page, which translated, reads “10.10.10 The King is dead! Long live the king!”

SpamIt.com: "The King is Dead. Long Live the King!"

Rustock, in particular, has had a long history of association with the Canadian Pharmacy program. In fact, for much of its life that we have observed, its spam output has been mostly or solely Canadian Pharmacy spam.  The Rustock botnet itself has not gone away. Its control servers are still up, we have observed Rustock spamming in our lab, and some of our customers are still experiencing a low level of Rustock spam hitting their servers.

So what of the other botnets? There has been some suggestion that we may have confused Rustock spam with Pushdo.  Not so. We observe these bots closely in our lab and know their traits, habits and templates well. The following chart shows Pushdo’s spam output over the same time frame.

Pushdo's output dips, gains and dips again

In the chart above we can see the big dip following the disruption to Pushdo’s control servers in late August.  But inevitably Pushdo’s output recovered as it added new control servers.  We observed another big dip on 3rd October, in line with other observers.  At this stage we are unsure whether this latest dip is related to the SpamIt.com closure. Researchers are taking a close interest in Pushdo and there may well be other factors impacting on it (for instance see here).

Even more recently, since the weekend, the Grum botnet, another major spammer, has also gone very quiet. Here is a chart from the same period that shows a marked drop in spam output after 8 October, very close to the 10 October “official” SpamIt.com closure.

Grum's output dips after 8 October

So, what to make of all this? It seems that the SpamIt.com closure has had a major impact on the volume of spam output, as some botnet operators/spammers have lost one of their major affiliate programs, or in other words, sources of cash. How long it will last is another question entirely. There are competing affiliate programs for botnet operators to sign up for. We have noticed that one of the smaller botnets, Xarvester, which we have previously linked to SpamIt.com, has already swapped from Canadian Pharmacy to Ultimate Replicas. And it may well be that SpamIt.com and Canadian Pharmacy have gone into hiding, and after a brief hiatus, will reemerge in another guise. Only time will tell. In the meantime we are not complaining.

– Phil Hay on M86 Security Labs Blog
