> Enterprise > Security Response > Internet Security Threat Report > View the Report > Spam and Fraud Activity Trends

Spam and Fraud Activity Trends

Spam and Fraud Activity Trends | Analysis of Spam Activity Trends | Analysis of Spam Activity by Geography, Industry Sector and Company Size | Analysis of Spam Delivered by Botnets | Spam Botnet Analysis – A Strategic Viewpoint | Significant Spam Tactics | Spam by Language | Spam by Category | Future Spam Trends: BGP Hijacking | Phishing Activity Trends | Analysis of Phishing Activity by Geography, Industry Sector and Company Size

Analysis of Spam Delivered by Botnets


This section discusses botnets and their use in the sending of spam. Like ballistics analysis in the real world can reveal the gun used to fire a bullet, botnets can similarly be identified by common features within the structure of email headers and corresponding patterns during the SMTP3 transactions. Spam emails are classified for further analysis according to the originating botnet during the SMTP transaction phase. This analysis only reviews botnets involved in sending spam and does not look at botnets used for other purposes, such as for financial fraud or DDoS attacks.

Methodology spam honeypots collected between 5–10 million spam emails each day during 2011. These are classified according to a series of heuristic rules applied to the SMTP conversation and the email header information. Further information and examples of this analysis can be found later in this Appendix: “Spam Botnet Analysis – A Strategic Viewpoint.”
A variety of internal and external IP reputation lists are also used in order to classify known botnet traffic based on the source IP address of the sender. Information is shared with other security experts to ensure data is up-to-date and accurate.


Figure C.6. Percentage of spam sent from botnets in 2011. Source:
3SMTP – Simple Mail Transfer Protocol
Figure C.7. Analysis of spam-sending botnet activity at the end of 2011. Source:


  • Over in 2011, approximately 78.8% of all spam was distributed by spam-sending botnets, compared with 88.2% in 2011, a decrease of 9.4 percentage points. This was in large part owing to the disruption of the Rustock botnet on 16 March 2011. By the end of 2011, this number rose to 81.2%.
  • In the 7 days prior to the disruption of the Rustock botnet, each day approximately 51.2 billion spam emails were in circulation worldwide. In the 7 days following, this number fell to 31.7 billion, a decrease of 38.0% in global spam volume.
  • The global spam rate during the 7 days prior to when the Rustock botnet ceasing spamming was 78.2%, compared with 70.0% in the 7 days after.
  • During the second-half of 2011, the change in frequency of botnet spam being distributed from botnets became much more noticeable, as shown in figure C.6. Large spam runs often lasted for only two or three days and when the spam run ceased, the volume of botnet-spam fell considerably; however, when Rustock was in operation during 2010 and during the first quarter of 2011, it was almost continually sending spam at a fairly regular and steady rate.