Posted on behalf of Mathew Nisbet, Malware Data Analyst

Over the 2010 Christmas holiday, the level of spam in circulation has dropped drastically. For example, at the time of writing, the amount of spam hitting our spam honeypots is the lowest it has been since McColo, the rogue ISP, was shut down in November 2008. As can be seen from the global spam level estimates in figure 1 below, the amount of spam worldwide has dropped dramatically since 25th December 2010.

Figure 1 - Global spam volumes

The main cause of this drop is a from a huge reduction in output from the Rustock botnet, by far the most dominant spam botnet of 2010. Since 25th December, Rustock seems to have all but shut down, with the amount of spam coming from it consistently accounting for below 0.5% of all spam worldwide. Further  contributing to the massive reduction in spam levels is the apparent mollification of two other major botnets, Lethic and Xarvester. MessageLabs Intelligence has seen virtually nothing from Lethic since the 28th December, and Xarvester since the 31st December.

Other major botnets like Gheg and Cutwail seem to be unchanged at this time.

Figure 2 - Relative botnet spam volumes

At present we don't know why these botnets have stopped spamming, perhaps the botnet herders have decided they need a holiday too? Whilst this is an excellent gift over the holiday season for anyone who regularly  uses email, we would not expect the level of spam to stay this low for long. As we saw after the closure of McColo in 2008, and following futher takedown attempts in subsequent years, botnets rarely stay quiet for very long. Even if these three botnets don't come back soon, we would expect other botnets, even new ones, to pick-up where they have left off - very soon.