Botnet Shutdown Stops 18% of Daily Spam. For Now.
If you're finding yourself wondering why you are receiving less pharmaceutical spam in your inbox over the past few days, thank the folks over at FireEye and Spamhaus. They've been hard at work shutting down large portions of the Grum spam botnet.
If you aren't familiar with Grum, it's believed to have cropped up in 2008 and has been associated with a good chunk of the pharma spam that has been circulating ever since. The folks over at FireEye estimate that the Grum botnet was responsible for approximately 18 billion spam messages every day, or about 18% of daily total spam volumes.
Those are some huge numbers and cutting off that much unwanted traffic is cause for serious recognition! But before you raise your glass, keep this in perspective: When spam hosting provider McColo was shut down back in November 2008, 50-70% of the world's spam firehose was turned off in a single day. (To be fair you can't draw a direct comparison between the two events as McColo was a spam hosting provider who was providing command and control capabilities for 3 major botnets.) Also the entire Grum botnet hasn't been taken offline. Its capabilities have been significantly diminished for the time being, however. According to estimates, the network has gone from 121,000 IP addresses down to about 20,000, but it will be back and other spam networks will quickly fill the gap left by Grum.
What happens in these situations is the bot network ends up being rebuilt, typically with additional failsafe mechanisms and redundancy to make it even more resilient to being taken down again. So the result will be only a temporarily lull in spam volumes. You can be certain that other bot network operators have taken notice and are making accommodations to ensure that their networks aren't the next ones cut off at the knees.
In the meantime, a hearty congrats to the folks over at FireEye and Spamhaus for a job well done. Keep fighting the good fight!