Spam Volumes Making a Comeback After the McColo Shutdown?
Although spam levels remain relatively low following the takedown of the spam host McColo last week, there is some evidence that spammers are starting to prepare for a rally. Late last week we observed spam volume spike by as much as 150% in an hour-to-hour comparison, which overall amounts to about a seven percent increase since McColo was shut down.
In addition to overall spam volumes, the percentage of spam messages containing a text/html content-type MIME part jumped to 55% of all spam, indicating a change in the overall makeup of spam. Prior to the McColo takedown the share of spam containing a text/html MIME part was over 55%, but after the takedown the average had been around 34%. This change suggests that a return to normal spam activity could be in the works.
A closer look at the spam in these spikes revealed increased use of HTML. The messages were typical “Canadian Pharmacy” spam: short HTML bodies with a varying set of domains in the URLs, sent from compromised hosts around the globe.
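The two indicators above (hour-to-hour volume change and the share of spam carrying a text/html MIME part) are easy to compute from a mail feed. The script below is an added example, not code from the original post; the messages and hourly counts in it are constructed sample data, and the 150% spike threshold is taken from the figure quoted above.

```python
"""Compute the hour-over-hour volume change and the text/html share over a
batch of messages. All messages and counts here are constructed samples."""
from email import message_from_string
from typing import Iterable, List

# Constructed sample messages: headers, addresses and bodies are made up.
SAMPLE_MESSAGES = [
    # multipart/alternative carrying a text/html part
    """From: a@example.test
To: b@example.test
Subject: sample 1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

plain body
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><a href="http://example.test/">link</a></body></html>
--b1--
""",
    # plain text only
    """From: c@example.test
To: d@example.test
Subject: sample 2
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

plain only
""",
    # single-part HTML body
    """From: e@example.test
To: f@example.test
Subject: sample 3
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>html only</body></html>
""",
    # no Content-Type header at all: the MIME default is text/plain
    """From: g@example.test
To: h@example.test
Subject: sample 4

no content-type header
""",
]


def has_html_part(raw: str) -> bool:
    """True if any MIME part of the message is text/html.

    walk() yields the top-level message and every nested part, so both
    single-part HTML mail and multipart/alternative mail are caught."""
    msg = message_from_string(raw)
    return any(part.get_content_type() == "text/html" for part in msg.walk())


def html_share(raws: Iterable[str]) -> float:
    """Percentage (0-100) of messages with at least one text/html part."""
    raws = list(raws)
    if not raws:
        return 0.0
    return 100.0 * sum(has_html_part(r) for r in raws) / len(raws)


def hourly_changes(counts: List[int]) -> List[float]:
    """Percent change of each hour's count relative to the previous hour."""
    changes = []
    for prev, cur in zip(counts, counts[1:]):
        changes.append(100.0 * (cur - prev) / prev if prev else float("inf"))
    return changes


def spike_hours(counts: List[int], threshold_pct: float = 150.0) -> List[int]:
    """Indices into counts of hours whose volume rose by at least
    threshold_pct over the preceding hour (the post's 150% figure)."""
    return [i + 1 for i, ch in enumerate(hourly_changes(counts)) if ch >= threshold_pct]


if __name__ == "__main__":
    # Constructed hourly counts: the third hour more than doubles the second.
    counts = [1000, 1050, 2700, 1200]
    print("text/html share: %.1f%%" % html_share(SAMPLE_MESSAGES))
    print("spike hours:", spike_hours(counts))
```

Running it against a real feed means replacing SAMPLE_MESSAGES with messages read from the spool and the counts with per-hour totals; the share alone is a weak signal, but a jump in it alongside a volume spike is the pattern described above.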
A copy of one of the spam emails shows the advertisement for Canadian Pharmacy, offering various medications:

The URLs in the observed messages used hundreds of domains under the Chinese top-level domain (.cn). They all redirected to a smaller set of domains. Both the domains in the spam emails and the domains they redirected to were hosted on the same set of IP addresses located in China. The URLs in the messages used different name servers from the domains they redirected to, and all of the name servers were hosted either on the same IP addresses as the domains or on additional IP addresses also located in China.
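The hosting overlap described above is what a blocklist analyst pivots on: pull the hostnames out of the HTML, follow them to the landing domains, and group everything by resolving IP and by name server so that a large, churning set of advertised domains collapses into a small set of addresses. The script below is an added example, not code or data from the original post; every domain, IP address and DNS record in it is constructed (RFC 5737 documentation addresses and .example names), and the redirect and DNS mappings stand in for what a resolver and a redirect-following fetch would return.

```python
"""Pivot a set of advertised spam domains on shared hosting. All domains,
IP addresses, DNS records and redirects below are constructed samples."""
from collections import defaultdict
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlparse

# Constructed passive-DNS style records: domain -> A record and NS names.
DNS_RECORDS = {
    "pill-a1.example":     {"a": "203.0.113.10", "ns": ["ns1.redirns.example"]},
    "pill-b2.example":     {"a": "203.0.113.10", "ns": ["ns1.redirns.example"]},
    "pill-c3.example":     {"a": "203.0.113.11", "ns": ["ns2.redirns.example"]},
    "landing-1.example":   {"a": "203.0.113.10", "ns": ["ns1.landing.example"]},
    "landing-2.example":   {"a": "203.0.113.11", "ns": ["ns1.landing.example"]},
    "ns1.redirns.example": {"a": "203.0.113.10", "ns": []},
    "ns2.redirns.example": {"a": "203.0.113.50", "ns": []},
    "ns1.landing.example": {"a": "203.0.113.11", "ns": []},
}

# Constructed redirect observations: advertised domain -> final landing domain.
REDIRECTS = {
    "pill-a1.example": "landing-1.example",
    "pill-b2.example": "landing-1.example",
    "pill-c3.example": "landing-2.example",
}

# Constructed HTML body of the kind the short pharmacy messages carried.
SAMPLE_HTML = (
    '<html><body><a href="http://pill-a1.example/?id=1">buy</a> '
    '<a href="HTTP://Pill-B2.example/">cheap</a></body></html>'
)


class HrefCollector(HTMLParser):
    """Collects the hostname of every <a href> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                host = urlparse(value).hostname  # normalised to lower case
                if host:
                    self.hosts.add(host)


def extract_url_hosts(html: str) -> List[str]:
    """Sorted, de-duplicated hostnames linked from an HTML body."""
    parser = HrefCollector()
    parser.feed(html)
    return sorted(parser.hosts)


def cluster_by_ip(records: Dict[str, dict], domains: Iterable[str]) -> Dict[str, List[str]]:
    """Group domains by the IP address their A record points to."""
    clusters = defaultdict(set)
    for d in domains:
        clusters[records[d]["a"]].add(d)
    return {ip: sorted(ds) for ip, ds in clusters.items()}


def shared_hosting_report(records: Dict[str, dict],
                          redirects: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (IPs hosting both an advertised and a landing domain,
    IPs of every name server serving either set)."""
    advertised = set(redirects)
    landing = set(redirects.values())
    by_ip = cluster_by_ip(records, advertised | landing)
    shared = sorted(ip for ip, ds in by_ip.items()
                    if set(ds) & advertised and set(ds) & landing)
    ns_names = {ns for d in advertised | landing for ns in records[d]["ns"]}
    ns_ips = sorted(records[n]["a"] for n in ns_names)
    return shared, ns_ips


if __name__ == "__main__":
    print("hosts in sample body:", extract_url_hosts(SAMPLE_HTML))
    shared, ns_ips = shared_hosting_report(DNS_RECORDS, REDIRECTS)
    print("IPs hosting advertised and landing domains:", shared)
    print("name server IPs:", ns_ips)
```

In practice the advertised domains change with every run of spam while the landing domains, their hosting IPs and the name-server addresses change far more slowly, so the IP and NS clusters are the stable indicators worth tracking and blocking.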
The spam messages were sent from various locations around the world and appeared to be coming from compromised servers or botnets. The top sources of the spam were the United States, Brazil, and China.

The content of the actual website is familiar—it has appeared in association with Canadian Pharmacy spam messages sent out by SanCash/Affking, which was taken down earlier this year, as well as other spam networks.
Although worldwide spam volumes have only increased slightly overall since the McColo takedown, this recent activity indicates that spammers are still willing and able to resume sending spam at previously seen levels. It seems to be only a question of when they are ready, so a return to earlier volumes is now just a matter of time.