Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Symantec Intelligence

Welcome to the new-look Symantec Intelligence Report

Created: 28 Jun 2011 • Updated: 28 Jun 2011 • 2 comments
Paul Wood's picture
+3 3 Votes
Login to vote

Welcome to the June edition of the Symantec Intelligence report, which for the first time combines the best research and analysis from the MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report.  The new integrated report, the Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks.

Since the shutdown of the Rustock botnet in March, spam volumes have never quite recovered as the volume of spam in global circulation each day continues to fluctuate, as shown in figure 1, below.

The overall impact has been that spam now accounts for 72.9% of email in June, returning to the same level as in April earlier this year. In June, 76.6% of this spam was being sent from botnets, compared with 83.1% in March. This marks a return to the same level of output as at the end of 2010. On average during 2010, 88.2% of spam was sent from botnets, falling to 77% by the end of the year. Despite these recent successes, botnets are still a dangerous force on the Internet and can be used for a variety of other purposes, from conducting distributed denial of service attacks (DDoS), carrying out fraudulent click-thrus on unsuspecting Web sites for financial gain, hosting illegal Web site content on infected computers (known as bots), harvesting personal data from infected users and installing spyware to track the activities of those users.

Global spam has generally been falling since the shutdown of the Spamit affiliate Web site in late September 2010, and the takedown of Rustock has accelerated this decline. Spamit was one of the main affiliate Web sites through which pharmaceutical spam was being promoted and pharmaceutical spam levels have fallen considerably in recent months. In the latest analysis, spam relating to pharmaceutical products has fallen to approximately 40% of all spam in June 2011. Pharmaceutical spam accounted for approximately 64.2% at the end of 2010.

Even though spam is currently at the lowest level it has been since the McColo takedown in November 2008, it is still a huge problem In March, following the disruption of Rustock, the largest spam-sending botnet, approximately 36.9 billion spam emails were in circulation each day during April. This number rose to 41.7 billion in May, before falling back to 39.2 billion in June.

A longer-term view shows that for the same period last year, spam accounted for 121.5 billion emails in global circulation each day, equivalent to 89.3% of email traffic in June 2010. Highlighting that over a twelve month period, a drop of 68.7% in volume resulted in a fall of only 16.4 percentage points in the overall global spam rate.


Figure 1 – Trend showing fluctuating global daily spam volume over twelve months

However, this does not mean that spammers are dead.  This month’s report highlights the changing nature of the spam-sending botnet landscape and online pharmacy spam using two different angles: a spoof of an online video sharing service and a new online pharmacy brand, perhaps seeking to exploit the popularity of the “wiki” name in a number of high-profile Web sites.  Also, May spam subject line analysis shows that adult spam continue to flourish.

This month we reviewed the state of the spam-sending botnet landscape, and concluded that despite earlier predictions, Bagle has not taken over the role of Rustock following its shutdown; the main reason being that we could not find any relevant connection between spam campaigns sent by those two botnets. However, it did appear much more likely that Grum has taken over at least in part some of the previous Rustock activity. Several spam events occurred in which the two botnets were clearly interconnected.

I hope you enjoy reading this very first combined report, and please feel free to contact me directly with any comments or feedback as to what you like or dislike about this new format. The new report and accompanying podcast may be downloaded from here:

Paul Wood
Senior Intelligence Analyst,

Comments 2 CommentsJump to latest comment

fixer982's picture

Having just been through a saga involving non-RFC Compliant emails (greater than 1000 characters per line) being passed by MessageLabs filters, and after 12 days, no satisfactory response from MessageLabs, I wonder just how accurate some of this analysis is. I would like to be confident that such reports are near the mark, but worry that it depends on how well MessageLabs diagnoses its throughput.

Login to vote
Paul Wood's picture

Hi fixer982 - thanks for your feedback on this matter.  I have been in touch with the support engineers in order to escalate your ticket relating to RFC compliance. According to RFC 2821 (which supercedes RFC821) in relation to mails with >1000 characters, it does state that whilst these limits SHOULD be avoided when possible, clients MAY attempt to transmit these, but MUST be prepared for a server to reject them if they cannot be handled by it. Moreover, this limit may be increased through the use of SMTP Service Extensions. So although the limit should be avoided, it doesn't state that this length is not allowed.

Hopefully an engineer will be in touch shortly and will help to identify the issue and expedite a swift resolution.

Best wishes, Paul

Login to vote