Law Enforcement Agencies Help Halve Spam in 2010

31 Mar 2011

In order to fight spam successfully, we need more than just anti-spam solutions protecting users’ inboxes — we also need the proactive involvement of law enforcement agencies in catching spammers and shutting down their spambot networks. “The events of 2010 have demonstrated that intervention by the Internet crime units of law enforcement agencies around the globe can lead to unprecedented results — like a fifty percent reduction in the volume of spam,” notes Maria Namestnikova, Senior Spam Analyst at Kaspersky Lab, in her latest article A Short, Sharp Shock for Spam.

The events that took place during the last six months of 2010 included the shutdown of the command centers for the Pushdo, Cutwail and Bredolab botnets and criminal proceedings started against partnership programs that operated mass mailings of pharmaceutical-themed spam. As a result, the average volume of global spam in the last week of October was half the level recorded in mid-August 2010.

The efforts of the Internet crime units of law enforcement agencies around the globe had an effect not only on the amount of unwanted correspondence, but also on the geographical distribution of the primary sources of mass mailings. In the second half of 2010, there was a noticeably large drop in the volume of spam emails sent from the US. In October, the US moved from being ranked as the first or second most prolific source of spam in the world to the eighteenth, producing just 1.6% of all spam, and in November the US did not appear in the Top 20 sources of spam at all. The reason is obvious: the shutdown of the Pushdo and Cutwail botnets, which consisted primarily of computers in the US infected with Cutwail, and of Bredolab, which was also partially based in the US. A drop in the amount of outgoing spam was also noted in Asia. The losses that spammers suffered were partially compensated for by renewed spam distribution efforts in South America and Europe.

As the events of the past year have shown, mass mailings with malicious attachments sent to particular regions always come directly before an upsurge in spam activity within those regions. First of all, the cybercriminals infect users’ computers with spambots and then the infected machines start sending out spam.

Which countries are most frequently targeted by malicious users? As soon as the law enforcement agencies in the US and western Europe turned their attention to spambots, the botnet owners changed their tactics. These regions experienced a steady drop in the amount of email threats, such as malicious code, detected by Kaspersky Lab’s antivirus products. Meanwhile, the reverse could be seen in countries in Asia and eastern Europe. More likely than not, the botnet owners were counting on inadequate anti-spam legislation and low levels of computer literacy among users in those regions.

The actions of the law enforcement agencies also affected the different categories of spam. The closure of SpamIt, one of the leading partnership programs that distributed pharmaceutical-related spam, triggered a significant decrease in the amount of spam advertising counterfeit Viagra. After 20 September, this category of spam was reduced by one third. Later, the Moscow police curtailed the activities of Glavmed, another pharmaceuticals partner program. This increase in attention from law enforcement agencies with regard to pharmaceutical spam dissuaded most malicious users from becoming involved. As a result, over the course of November and December 2010, Viagra advertising remained at a record low of 8-12% of all spam.

“The effective actions of law enforcement agencies in 2010 led to a two-fold decrease in the volume of spam, which is without doubt a major achievement. Nevertheless, spammers and the malicious users running botnets are not the types who give up their lucrative game quite so easily. Just two months of low activity in December and January gave them the time they needed to make substantial progress towards restoring what they had lost. By late January, the volume of spam had already reached levels recorded in September 2010, right before Bredolab was shut down,” writes Maria Namestnikova. “The key is to have a solid legislative base in place, and not just in a handful of developed countries but right around the world. Otherwise, malicious users will continue to avoid any liability and will regain any losses they sustain by simply relocating to other countries and taking their botnets with them.”

To read the full version of Maria Namestnikova’s article A Short, Sharp Shock for Spam, visit: www.securelist.com/en.