IT Security Blog

17 November 2008

The Day the Botnet Died

Last week we reported the significant decrease in spam volumes that followed the shutdown of McColo, a hosting provider that was catering to spammers. I wanted to take a few minutes and add some color and data to what we originally reported, now that we have had a few days to let the real effect soak in.

We continue to see more than a 50% decline in total mail flow (all spam). In fact, that percentage appears to have leveled off at over 60%. That is a bit lower than the 75% reduction some are reporting, but no matter how you slice it the effect has been more than significant.

Below is a graph outlining hourly mail flow patterns since November 1 (graph image not reproduced here).

The significant drop-off that you see about two-thirds of the way through the graph correlates directly with the McColo shutdown on 11/11. According to our stats, that drop-off occurred during the 1pm MST hour on the eleventh.

A few botnets in particular appear to have been severely debilitated as a result of the McColo shutdown: Srizbi, Rustock, and Mega-D. Traffic associated with the Mega-D botnet (so named because of its advertisement of male enhancement products) has declined over 95% since 11/11, and Srizbi volume has declined by over 80%.
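The per-botnet declines above come from comparing hourly mail flow before and after a step change. As an added example (not the blog's own code or data), the snippet below runs a simple step-change detector over constructed hourly roll-up lines of the form `<hour> <source> <count>`: an hour is flagged when its count falls more than a threshold fraction below the mean of the preceding window, and the decline is then reported as the post-drop mean relative to that baseline. The source names, counts and timestamps are illustrative only.

```python
"""Locate the hour at which a spam source's hourly mail flow collapses and
quantify the decline. Added example; the roll-up lines are constructed."""
from collections import defaultdict
from statistics import mean

# Constructed hourly roll-ups: "<hour> <source> <count>", already in time order.
# source-a collapses at 13:00; source-b stays flat. Values are made up.
SAMPLE_ROLLUP = """\
2008-11-11T06 source-a 1000
2008-11-11T06 source-b 500
2008-11-11T07 source-a 1040
2008-11-11T07 source-b 520
2008-11-11T08 source-a 980
2008-11-11T08 source-b 480
2008-11-11T09 source-a 1010
2008-11-11T09 source-b 510
2008-11-11T10 source-a 1000
2008-11-11T10 source-b 500
2008-11-11T11 source-a 990
2008-11-11T11 source-b 490
2008-11-11T12 source-a 1020
2008-11-11T12 source-b 505
2008-11-11T13 source-a 300
2008-11-11T13 source-b 495
2008-11-11T14 source-a 280
2008-11-11T14 source-b 510
2008-11-11T15 source-a 310
2008-11-11T15 source-b 500
"""


def parse_rollup(text):
    """Group roll-up lines by source, preserving hour order.

    Returns {source: [(hour_label, count), ...]}.
    """
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        hour, source, count = line.split()
        series[source].append((hour, int(count)))
    return dict(series)


def find_drop_index(counts, window=4, threshold=0.5):
    """Index of the first hour whose count is more than `threshold` below the
    mean of the preceding `window` hours, or None if no step change occurs."""
    for i in range(window, len(counts)):
        baseline = mean(counts[i - window:i])
        if baseline > 0 and counts[i] < baseline * (1 - threshold):
            return i
    return None


def percent_decline(counts, drop_index, window=4):
    """Decline (percent) of the post-drop mean against the pre-drop baseline."""
    before = mean(counts[drop_index - window:drop_index])
    after = mean(counts[drop_index:])
    return round(100 * (1 - after / before), 1)


def summarize(text, window=4, threshold=0.5):
    """Map each source to (drop hour label, percent decline), or (None, None)
    when no step change was detected."""
    result = {}
    for source, points in parse_rollup(text).items():
        counts = [c for _, c in points]
        idx = find_drop_index(counts, window, threshold)
        if idx is None:
            result[source] = (None, None)
        else:
            result[source] = (points[idx][0], percent_decline(counts, idx, window))
    return result


if __name__ == "__main__":
    for src, (hour, pct) in summarize(SAMPLE_ROLLUP).items():
        print(src, "drop at", hour, "decline %", pct)
```

A trailing-window baseline is used rather than the whole series so that a source whose volume was already falling gradually is not mistaken for one that was cut off in a single hour; the window and threshold are tuning knobs, not fixed constants.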
Sophos is reporting that McColo was briefly brought back online this weekend by a Swedish ISP named TeliaSonera. After receiving many complaints about the matter from security researchers, TeliaSonera took them offline again, but not before the folks responsible for the Rustock botnet were able to release a code update to their bots to point them away from McColo. It is unclear at this point whether that update reached a significant base of Rustock-infected PCs, but it does breathe new life into a botnet that had briefly been put on life support. So far today we are not observing any significant effect as a result of the Rustock update.

Spam percentages have also taken a big hit as a result of the decline in spam volume. For the past 2 years we have been reporting spam at about 90% of all email traffic on the internet. Since the McColo shutdown those percentages have occasionally dipped into the low-to-mid 70 percent range, levels we have not seen since the first quarter of 2006.

Although the short-term effect of the McColo shutdown has been significant, we still do not believe that spam volumes will be affected over the long haul. Botnets come and go, and malware techniques will continue to evolve. As Storm declined in volume, botnets like Srizbi, Mega-D, Rustock, Cutwail, and others have been more than ready to pick up the slack. The punch line to all of this remains the same: the people who can have the most impact in the fight against spam are the ones providing domain registrar service, DNS service, and ultimately bandwidth service to bots and botnet owners. If bots cannot communicate, they cannot thrive. The events of the past week have been a perfect example of that.

Posted by smasiello at 11:23 AM
