Zombies winning? I disagree.

by

Commtouch recently announced our Q2 email threat trend report, which indicated, among other things:

  • Spam levels throughout the second quarter averaged 77%, ranging from a low of 64% to a peak of 94% of all email towards the end of the quarter
  • 10 million zombie IP addresses were active each day, on average
  • Pharmaceutical spam was the most popular topic in Q2, comprising 46% of all spam

Are these bullets different than previous quarters? Well, yes, just like the weather changes from day to day, and season to season. Last quarter may have been a bit colder and more rainy than this quarter; similarly we had more “enhancer” spam in the previous quarter than this quarter. But for some reason this quarter’s trend report generated much more provocative headlines than earlier reports, for example “Botnets Winning Spam Wars” by John E. Dunn in Techworld (and syndicated to dozens of other publications). I’m trying to figure out why our fairly staid report — one that has appeared in similar format for a couple of years already — got such… dare I say… sensational coverage?

In this post I’d like to respond to a few of the comments that came up in articles and other blogs about the report. First of all, Commtouch does not think that the botnets are winning the spam wars. What the report does state, however, is that botnets are wily and dynamic, and can outsmart traditional filtering methods, like content filters or black lists. There are several solutions out there – Commtouch’s included – that are fighting botnets and winning, in our case, simply by blocking their activity, or providing datafeeds of botnet IP addresses to partners that incorporate that information into their anti-botnet undertakings.

Joel Hruska of Ars Technica, a blog which I really enjoy and respect, also goes for the zinger headline, “Botnets Continue to Defy Containment Attempts.” He says a few things I’d like to respond to:

Commtouch steps through the various types of attacks it saw in the second quarter, but virtually all of them would be familiar to anyone who regularly follows security topics.

Yup, I agree, and like I said, it’s like the weather. One day a “blizzard” of Chinese earthquake spam, another day a new type of blended threat. And who doesn’t like to read the weather report from time to time? On the other hand, we do provide certain statistics that are not necessarily familiar from simple observation of your spam quarantine (or inbox, depending on how successful your email filter is), unless one is tracking the Commtouch stats on an ongoing basis.

Next quote:

Commtouch has two postulates: that anti-malware companies are running up a mountain that’s collapsing beneath them when it comes to keeping up with malware variations, and that it’s easy for a malware company to switch from botnet to botnet as a means of delivering their product. These could form the basis of a discussion of whether or not current anti-malware “best practices” will ever be able to address the crisis at hand.

Well, I agree and thanks for writing it much better and more succinctly than we could have written it ourselves. And we’d be happy to discuss this in more depth, which we have in other more malware-specific reports. Of course we believe that we have a solution for blocking multiple malware variations, but that leads us to his next statement:

Instead, Commtouch chooses to leverage its report as an advertisement for its own product line. Despite the company’s promising verbiage, it seems less and less likely that any single company will ever stumble on the magic combination of filters and heuristics to force malware authors to radically change their methods.

Ouch. It’s funny, I review every report we publish and always think to myself – should we be pushing more Commtouch product-specific messages in there? and I usually hold myself back because the reports are well-read and (I’d like to think) respected in the industry precisely because they donot read like a product pitch. If we’re starting to get too commercial in these reports, then I guess that’s a warning sign that we need to tone it down a bit and go back to our more research-oriented report roots. On the other hand, Commtouch does not pretend to be anything but what we are – a company that profits by selling email filtering software and services. So if a product pitch somehow slipped into one of our reports, I can understand how it could conceivably happen.

As for the second part of that statement, I tend to agree that there is probably no one single magic combination to block all the bad stuff out there, however as our licensing partners have found, (watch out, here comes the product pitch) combining Commtouch technology as part of defense in depth does work, and our 100 licensing partners and their tens of thousands of end-customers will attest to it.

Go back