> Enterprise > Security Response > Internet Security Threat Report > View the Report > Fraud Activity Trends

Fraud Activity Trends

Spam Delivered by Botnets


This section discusses botnets and their use in the sending of spam. Botnets can be identified by SMTP patterns and in the structure of email headers. Spam emails are classified for further analysis according to the originating botnet during the SMTP transaction phase. This analysis only reviews botnets involved in sending spam and does not look at botnets used for other purposes, such as for financial fraud or DoS attacks.


MessageLabs Intelligence spam honeypots collected between 30-50 million spam emails each day during 2010. These are classified according to a series of heuristic rules applied to the SMTP conversation and the email header information. A variety of internal and external IP reputation lists are also used in order to classify known botnet traffic based on the source IP address of the sender. Information is shared with other industry insiders to ensure data is up to date and accurate.


Figure 24. Percentage of volume of botnet spam sent per day by Rustock botnet, 2009–2010
Source: MessageLabs Intelligence

Figure 25. Percentage of volume of botnet spam sent per day by Grum botnet, 2009–2010
Source: MessageLabs Intelligence

Figure 26. Spam from botnets as a percentage of total email, July 2009–October 2010
Source: MessageLabs Intelligence


Overall botnet spam decreases in 2010: The total amount of global spam in circulation decreased toward the end of 2010, with a number of major botnets reducing their output. A major reason for the decrease in volume of spam email from botnets in 2010 is likely the shutdown of the SpamIt affiliate program in the fall of 2010. SpamIt was the largest known pharmaceutical spam affiliate—responsible predominantly for the “Canadian Pharmacy” brand—and the largest botnets send mostly pharmaceutical spam.
Changing tactics to send more spam using fewer bots: One of the factors worth noting in the increased throughput from Rustock is that, in April 2010, its controllers stopped using TLS encryption to send spam, thus speeding up the email connections.1 For example, at its peak in March 2010, TLS-encrypted spam accounted for more than 30 percent of all spam, and as much as 70 percent of the spam from Rustock was sent using TLS-encrypted connections. However, since April 2010, the use of TLS in sending spam has fallen away dramatically, and by the end of 2010 accounted for just between 0.1 and 0.2 percent of spam. The use of TLS slows down a connection due to the additional encryption processing required. Symantec believes that the controllers of Rustock needed to recover this additional capacity in order to compensate for the recent contraction of the botnet in terms of its overall size. By turning off TLS, Rustock has been able to send more spam using fewer bots than it had previously with more bots and using TLS.

Major botnet activity in 2010

Rustock remained the most dominant botnet in 2010 with over 1 million bots under its control and its volume of spam more than double its 2009 percentage. It was the most dominant botnet throughout 2010 and was responsible for 36 percent of all spam during the year, with peak outputs of 64 percent of botnet spam in August and October. The output of spam from Rustock decreased at the end of 2010, likely due to the SpamIt shutdown, as mentioned previously.

Grum was the second most active botnet for spam at the end of 2010, although both its number of active bots and volume of spam sent dropped off by the end of the year from peaks earlier in the year. Its volume dropped from 16 percent of the total at mid-year to 9 percent by year’s end, while the bots it controlled decreased by more than 50 percent, to between an estimated 310,000 to 470,000 bots worldwide.

Cutwail ranked third, with approximately 6 percent of global spam in 2010. Its number of active bots increased by approximately 16 percent from the number of bots under its control at the end of 2009. Despite several takedown attempts during 2010, no action managed to do more than marginally reduce the spam output from Cutwail for a brief period. Each time it has returned to business-as-usual within a day or two. During 2010, Cutwail sent the widest variety of spam of any major botnets, including being the largest source of spam emails containing the Bredolab Trojan.

Maazben—which had dropped out of the top 10 most active spam sending botnets by mid-2010—surged in the second half of the year to rank as the fourth most active botnet responsible for over 5 percent of spam by year’s end. The number of active bots under the control of Maazben control increased by more than 1,000 percent from March 2010, to between 510,000 and 770,000 bots by the end of the year.

Toward the end of 2009, attempts to disrupt the Mega-D botnet seemed effectively to eliminate it. However, after only a few days, it resumed sending spam using a larger number of brand-new IP addresses. At that point, it was responsible for almost 18 percent of global spam. By the end of 2010, the amount of global spam sent by Mega-D was 2.3 percent of the total, the number of active bots under its control dropped by approximately 58 percent, and the spam output from each of its bots roughly halved every three months during the year—from approximately 428 spam emails every minute from each active bot in March, to 105 spam emails per bot per minute by the end of the year. It is likely that Mega-D was also reliant on a lot of business from the SpamIt affiliate and suffered after the shutdown in October.

Since 2008, the Storm botnet has been a minor botnet; however, in April and May 2010 it made a significant reappearance when it was linked to a spam campaign making heavy use of legitimate shortened URLs that would redirect visitors to spam websites. Spam with shortened hyperlinks reached a peak of 18 percent at the end of April—equivalent to roughly 23.4 billion spam emails. In May 2010, spam from Storm accounted for nearly 12 percent of all the spam containing shortened hyperlinks.

  • 1Transport Layer Security is a protocol that is intended to secure and authenticate communications across a public network through data encryption.