Spam data and trends: Q1 2009

Editor's Note: The spam data cited in this post is drawn from the Google enterprise security and archiving security network (Postini), which delivers an added layer of security for standalone mail servers and Google Apps Premier Edition customers. For a discussion of the anti-spam measures included in Gmail, please see this post from the Gmail blog.

In providing email security to more than 50,000 businesses and 15 million business users, Google security and archiving services, powered by Postini, process and cull spam from more than three billion enterprise email connections every day. This gives us strong insights into the state of the spam industry, some of which we share in regular posts to this blog.

Read on for a quick overview of spam trends and events in the first quarter of 2009.

What we saw in the Postini data centers

The most significant spam-related event in the first quarter of 2009 occurred when spam volume returned to pre-McColo takedown levels. By the second half of March, seven-day average spam volume was at the same volume we saw prior to the blocking of the McColo ISP in November 2008.

Spammers have clearly rallied following the McColo takedown, and overall spam volume growth during Q1 2009 was the strongest it's been since early 2008, increasing an average of 1.2% per day. To put that number into context, the growth rate of spam volume in Q1 2008 was approximately 1% per day – which, at the time, was a record high.

Of course, like every year before it, 2008 set a new record for overall spam volume. But in 2008 spam growth flattened over the summer and early fall, and then fell off a cliff after the McColo takedown (daily growth declined to .8%, .3%, and then .01% in the last three quarters of the year). This pattern raises some interesting questions regarding what we can expect in the rest of 2009: Will spam growth once again flatten or decline after a strong first quarter? Or have spammers – as part of their recovery from the McColo takedown – rebuilt botnets to be capable of sustaining or even accelerating this early growth spurt?

It's difficult to ascertain exactly how spammers have rebuilt in the wake of McColo, but data suggests they're adopting new strategies to avoid a McColo-type takedown from occurring again. Specifically, the recent upward trajectory of spam could indicate that spammers are building botnets that are more robust but send less volume – or at least that they haven't enabled their botnets to run at full capacity because they're wary of exposing a new ISP as a target.

New types of spam

The most significant development in spam vectors this quarter was the appearance of location-based spam. In this type of attack, users click on a link in a spam message and are directed to a page that contains a fraudulent news headline describing a crisis or disaster in a major city nearby. The attack customizes the location for each user by determining the geolocation of the user's source IP and then identifying the nearest major city. The addition of location creates a heightened level of interest, and the user is tempted to click on the embedded video – which in turn downloads a virus to his or her machine.

Meanwhile, the economy, financial markets, job cuts, and resume help continue to be the most prominent topics spammers are employing as lures for more traditional attacks. We also saw increased spam activity around the U.S. presidential inauguration and St. Patrick's Day, in keeping with the recent propensity spammers have demonstrated for reading the news and keeping their eyes on the holiday calendar in targeting their attacks.

Virus roundup

In early 2008, a trend emerged in which we saw spam messages with attached viruses (otherwise known as "payload viruses") spiking every Sunday, possibly targeting a maintenance window to catch corporate defenses when they were undergoing scheduled updates.

This year we've seen the payload viruses spread out across every day of the week, with no immediately obvious pattern in their distribution. It's difficult to say for certain what prompted the change, but one possible explanation is that spammers switched tactics because they weren't seeing the success they'd hoped for from the focused attacks.

Of course, payload viruses have also seen a recent spike overall -- in the month of March we saw a 9x increase from February. This pales in comparison to the highs we saw last summer, but it may indicate a developing trend that's worth keeping a close eye on.

Viruses delivered as a blended threat (when a spam message directs a user to a malicious website, which then results in a virus being downloaded to the user's computer) continue to be popular with spammers. E-cards are one of the best examples of this vector, and Valentine's Day saw a flurry of activity using e-cards to direct users to malicious websites.

Conclusions

Spammers continue to prove their resilience -- whether it's bouncing back from the biggest takedown on record or finding new ways to exploit the ways we communicate for malicious purposes, they're clearly here to stay. And Google believes firmly in the power of the cloud to protect your enterprise from them: Outsourcing message security to Google enables you to leverage our technical expertise and massive infrastructure to keep spammers from your door. See how much spam is costing your business, learn how much you could be saving with Google Message Security, or contact us for more information.

Posted by Amanda Kleha, Google security and archiving team