Spam Levels Creep Back Up 2 Weeks After McColo Shutdown

Spam levels are heading back up after dropping dramatically following the shutdown of Web hosting company McColo. According to Symantec security research, some notorious botnets are back in action.

Spam levels appear to be rising again after a steep decline.

According to researchers at MessageLabs, now part of Symantec, spam volumes have doubled since last week. Spam levels dropped off dramatically with the shutdown of Web hosting company McColo on Nov. 11. Though the firm briefly gained new life the weekend of Nov. 15, it was quickly shut down again, and spam at first remained at relatively low levels.

McColo played host to a number of major botnets, including Rustock and Asprox. According to Matt Sergeant, senior anti-spam technologist at MessageLabs, the lag between the initial decline and the subsequent rise was due to the time it took for the botnet owners to find a new ISP and bandwidth provider.

"The Asprox and Rustock botnets are back with a vengeance after having found new command and control," Sergeant said in an e-mail. "Cutwail never went away and it seems its owners have used the opportunity to increase output. Mega-D is also on the rise again," he said. "Srizbi, having once been responsible for 50 percent of all spam, is now completely defunct. Without this botnet, spam levels won't return to what they had been."

In a blog post, Symantec Security Response noted that in addition to overall spam volumes being up, the percentage of spam messages containing a text/HTML MIME part has jumped to 55 percent of all spam. Since the McColo takedown, that percentage had been around 34 percent; prior to the shutdown it was more than 55 percent. This change indicates that a return to normal spam activity could be in the works, according to the blog.
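
The text/HTML share described above is an indicator a mail administrator can track on their own traffic. As an added example (not code from the article, Symantec or MessageLabs), the following uses Python's standard email library to walk each message's MIME tree, count messages that carry a text/html part anywhere in the structure, and compare the share against the two reference levels the article reports; the three sample messages are constructed for illustration.

```python
import email
from email import policy

# Constructed sample messages (not from the article): one plain-text message,
# one multipart/alternative with a nested HTML part, and one HTML-only message.
SAMPLE_MESSAGES = [
    "From: a@example.test\r\nTo: b@example.test\r\nSubject: hi\r\n"
    "Content-Type: text/plain\r\n\r\nplain body\r\n",
    "From: c@example.test\r\nTo: b@example.test\r\nSubject: offer\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\ntext version\r\n"
    "--b1\r\nContent-Type: text/html\r\n\r\n"
    '<html><body><a href="http://placeholder.invalid/">x</a></body></html>\r\n'
    "--b1--\r\n",
    "From: d@example.test\r\nTo: b@example.test\r\nSubject: promo\r\n"
    "MIME-Version: 1.0\r\nContent-Type: text/html\r\n\r\n<p>short html</p>\r\n",
]

# Reference levels quoted in the article: ~34% after the takedown, >55% before it.
QUIET_SHARE = 0.34
PRE_TAKEDOWN_SHARE = 0.55


def has_html_part(raw_message: str) -> bool:
    """True if any MIME part of the message (at any nesting depth) is text/html."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # walk() yields the top-level message and every nested part, so a
    # multipart/alternative container with an HTML alternative is caught too.
    return any(part.get_content_type() == "text/html" for part in msg.walk())


def html_share(raw_messages) -> float:
    """Fraction of messages in the corpus that contain a text/html part."""
    if not raw_messages:
        return 0.0
    hits = sum(1 for raw in raw_messages if has_html_part(raw))
    return hits / len(raw_messages)


def share_level(share: float) -> str:
    """Classify a measured share against the article's two reference levels."""
    if share >= PRE_TAKEDOWN_SHARE:
        return "pre-takedown"   # back at or above the old normal
    if share > QUIET_SHARE:
        return "rising"         # above the post-takedown lull
    return "quiet"


if __name__ == "__main__":
    share = html_share(SAMPLE_MESSAGES)
    print(f"text/html share: {share:.2%} ({share_level(share)})")
```

On real mail this would be run per day or per hour over the spam-classified queue so the share can be compared with the quiet period rather than with a single snapshot.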

"When we took a closer look at the spam contained in the spikes, it was revealed that there was an increased use of HTML," the blog post said. "The spam messages were typical 'Canadian Pharmacy' spam messages that were using short HTML messages with a varying set of domains in the URLs. The spam messages were being sent from compromised hosts around the globe."

From an enterprise security perspective, the same threat from spam exists as it always did, Sergeant said.

"Even while levels were down, organizations should have maintained the same levels of vigilance as they had when spam was at its highest," he said. "Organizations should continue to keep spam filters and anti-virus engines updated as always."