Numerous reports have been circulating about the sudden demise of the Rustock botnet. The question is whether this has had an effect on global spam levels.
Some observations:
- There are clear “humps” on Saturday, Monday and Tuesday – but less activity on Friday, Sunday and today. These patterns and levels are fairly typical for the past few weeks
- There is no dramatic drop in the average level on Wednesday or Thursday this week – Compare the graph above to the one below – following the takedown of the McColo botnet in November 2008. The graph below clearly shows a dramatic drop in traffic.
- The lone “spike” on Wednesday might be of interest – one report describes the Rustock botnet being “cut off in mid attack”.
If Rustock has been taken down there are several possible explanations for the generally stable spam levels shown above:
- Commtouch labs tracks global spam (from over 2 billion emails per day), and the graphs above do not only present the traffic from Rustock. This particular botnet (or part of it that was disrupted) may not have been sending out significant amounts of spam
- We have seen consensus that botnet operators are tending to larger groups of small botnets. This provides them with multiple alternatives should a particular botnet be brought down.
In any event we will continue to monitor the daily levels and report back if we see any significant downward trend.
UPDATE: March 24th 2011
After one week of watching the daily spam levels we can confirm that the Rustock takedown has had an effect. This can be seen in the 2 graphs below. Also visible (on the top Left – Wednesday) is the “last spike” of spam that was cut off during the takedown.
