Wednesday, July 1, 2009

Q2 2009 Spam Trends

Editor's Note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which provide email security to more than 50,000 organizations, including businesses of all sizes, government agencies, and educational institutions. To learn more about what the Gmail team is doing to keep spam out of your inboxes, check out this post.

Our "Spam Trend" update last quarter summarized the rise in both levels and types of spam, with new players and techniques entering the market. This quarter, proliferation continues, with an unpredictable pattern of drops and spikes as 2009 moves along. Overall, spam is measurably up: Q2'09 average spam levels are 53% higher than in Q1'09 and 6% higher than in Q2'08.

After last November's McColo ISP takedown, when spam volumes dropped by 70%, spammers worked overtime to fill the void. They succeeded: Within four months, spam levels rose back to pre-McColo levels. This upward trend continued through June 4, when another large ISP spam source, 3FN, was reported to have been dismantled. Spam volume immediately dropped 30% – not as extreme as McColo, but still significant. Although this created a sudden dip in spam levels, it also created an open invitation for opportunistic spammers to once again seize a market opportunity.

Over the coming months, we anticipate watching new players once again drive spam levels back up. Since June 4, spammers have already made up a significant amount of ground, climbing 14% from the initial drop.

Here's what the trend looked like, as tracked through Postini filters, over the past six months:


"Unpredictability" summarizes the overall trend as Q2'09 winds down and spammers test both new and "retro" techniques. For example, on June 18 we tracked a new attack that unleashed 50% of a typical day's spam volume in just two hours' time. This attack used a simple "newsletter" template – somewhat "old school" by today's spam standard – with malevolent links and images inserted into the content. Google's Postini filters detected more than 11,000 variants of this spam during those two hours. Because this spam enabled spoofing of the recipient domain (meaning the "from" field was falsified), distribution lists were especially hard-hit by this attack.


Resurgence of image spam

One of the other trends we're watching closely is the sudden popularity of "image spam"a form of spam that rose to prominence in 2007, before most anti-spam filters learned how to block it. It's simple stuff: basic email with advertising content, usually containing a related image. They can also include malicious links or contentand either way, the large file size of an image spam can place a heavy load on an email network.

An image spam email might look something like this:



Evidence of the resurgence in image spam can be seen in the graph below, which shows that the actual size of spam messages, measured in bytes, is back on the rise:


There are a couple of possible explanations for the resurgence in image spam, despite the fact that most spam filters out there have adapted to the technique. One theory is that this wave is designed to test the defenses
of the different spam filters out there, so that spammers can do statistical analysis on what subject lines and content have the highest probability of success.

Another is that there may be some new players entering the spam game, following the McColo and 3FN takedowns, and these new players are opening with some well-tested techniques. Either way, we're watching this trend and will share insights as we gain them in the weeks and months ahead.

Spike in payload viruses

June was also an active month for viruses sent as email attachments, otherwise known as "payload viruses." Volumes rose to their highest level in almost two years as spammers returned to yet another tried-and-true technique to expand their botnets.

As you can see in the chart below, June's activity is almost as high as the two-month payload virus surge seen in Q3'07. Fortunately, Google's Postini zero-hour heuristics detected this uprise early and kept payload attacks in the cloud and away from users' email networks.


Everything old might be new again

In summary, Q2'09 saw continued unpredictability and the resurgence of old-style spam attacks. Are spammers finally running out of original ideas? And if so, like Hollywood, are we now starting to see spam "remakes," based on originals of a few years ago? And what are spammers looking to accomplish as they unleash these remakes? Only time will tell.

For more information on how Google email security services, powered by Postini, can help your organization provide better spam protection and take a load off your network by halting spam in the cloud, visit www.google.com/postini.

Posted by Amanda Kleha, Google message security and archiving team

No comments:

Post a Comment