Q3’09 Spam & Virus Trends from Postini
October 1st, 2009 | Published in Google Enterprise
Editor's note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which processes more than 3 billion email connections per day in the course of providing email security to more than 50,000 businesses and 15 million business users.
Back in 2007, we saw the first variants of a big virus attack later labeled the "Storm" virus. During that summer, Storm attacked with force, pushing payload spam activity to then-unprecedented levels and sustaining them for several months. The security community eventually caught up, and payload spam activity fell to nominal levels and held there. That is, until this year: Q2'09 saw a significant surge in payload spam activity, and now Q3'09 levels have made the 2007 Storm virus attack look small in comparison. Postini data centers have blocked more than 100 million viruses every day during what has so far been the height of the attack.
The majority (55%) of these viruses are messages like the one you see below, a fake notice of underreported income from the IRS (which the IRS distributed an alert on earlier this week). Another large contingent (33%) have come in the form of fake package tracking attachments, which were already on the rise in Q2. You might think a spoofed IRS notice or package tracking email is obviously spam, and wonder who would fall for it and actually click on the attachment.
However, at these volumes, it takes only a tiny fraction of the recipients being fooled for the spammers to add hundreds of computers to their botnets every day.
ISP takedowns continue, overall spam levels steady
Last quarter we saw a temporary 30% drop in overall spam levels following the 3FN ISP takedown, and the ISP takedown trend continues into Q3 with a new culprit called Real Host, a large Latvia-based ISP that was disconnected by upstream providers on August 1. This takedown didn't have the same drastic effects of McColo (last November), but it was comparable to 3FN. Ultimately, the effects of the Real Host takedown lasted only two days, with an initial 30% drop in spam followed by a quick resurgence.
Back in 2007, we saw the first variants of a big virus attack later labeled the "Storm" virus. During that summer, Storm attacked with force, pushing payload spam activity to then-unprecedented levels and sustaining them for several months. The security community eventually caught up, and payload spam activity fell to nominal levels and held there. That is, until this year: Q2'09 saw a significant surge in payload spam activity, and now Q3'09 levels have made the 2007 Storm virus attack look small in comparison. Postini data centers have blocked more than 100 million viruses every day during what has so far been the height of the attack.
However, at these volumes, it takes only a tiny fraction of the recipients being fooled for the spammers to add hundreds of computers to their botnets every day.
ISP takedowns continue, overall spam levels steady
Last quarter we saw a temporary 30% drop in overall spam levels following the 3FN ISP takedown, and the ISP takedown trend continues into Q3 with a new culprit called Real Host, a large Latvia-based ISP that was disconnected by upstream providers on August 1. This takedown didn't have the same drastic effects of McColo (last November), but it was comparable to 3FN. Ultimately, the effects of the Real Host takedown lasted only two days, with an initial 30% drop in spam followed by a quick resurgence.
Overall, spam levels remained steady this quarter, with little growth or decline since the Real Host incident. In Q3, spam as a percentage of total message volume is hovering around 90%, down from the Q2 average of around 95%. Q3'09 average spam levels were down 8% from Q2'09 and on par with levels in Q3'08. Spam levels also saw smaller ups and downs than in previous quarters.
Older spam techniques driving message size up
Last quarter we reported on the trend toward larger message sizes, measured in bytes. The trend has continued into this quarter, making 2009 a year of resurgence in old techniques such as image spam and payload viruses. When considering the spam bytes processed per user, growth has been steep in 2009, with Q3'09 rates up 123% from Q3'08.
Organizations that process spam inside their network should pay attention to this trend. The larger sizes create a bandwidth burden that can impact speed across your network. As the chart shows, Q2'09 delivered the record high to date for spam size – and subsequently for bandwidth drag for teams that manage spam in-house, potentially forcing those organizations to upgrade their capacity limits.
Best practices to optimize your enterprise spam filter
A common piece of feedback we get from our customers is that many of the messages in their spam folder or quarantine seem to come from "them" – from what appear to be valid email addresses from their own domain. These email addresses are actually spoofed (a common technique to mask the real origins of a message), and spammers employ this technique to take advantage of a mistake organizations sometimes make in configuring their spam filters: adding their own domain to their approved sender list.
While this might seem like a good idea at first glance – we want to make sure we don't block email from our colleagues, right? – in practice all it does is open your organization up to spoofed email. With that in mind, we strongly recommend that organizations not add their own domains to their approved sender lists. (Don't worry – legitimate mail from within your domain is correctly identified by filters and generally gets through just fine.)
For more information on how Google email security services, powered by Postini, can help your organization provide better spam protection and take a load off your network by halting spam in the cloud, visit www.google.com/postini.
Posted by Adam Swidler, Google Postini Services team
Last quarter we reported on the trend toward larger message sizes, measured in bytes. The trend has continued into this quarter, making 2009 a year of resurgence in old techniques such as image spam and payload viruses. When considering the spam bytes processed per user, growth has been steep in 2009, with Q3'09 rates up 123% from Q3'08.
Organizations that process spam inside their network should pay attention to this trend. The larger sizes create a bandwidth burden that can impact speed across your network. As the chart shows, Q2'09 delivered the record high to date for spam size – and subsequently for bandwidth drag for teams that manage spam in-house, potentially forcing those organizations to upgrade their capacity limits.
Best practices to optimize your enterprise spam filter
A common piece of feedback we get from our customers is that many of the messages in their spam folder or quarantine seem to come from "them" – from what appear to be valid email addresses from their own domain. These email addresses are actually spoofed (a common technique to mask the real origins of a message), and spammers employ this technique to take advantage of a mistake organizations sometimes make in configuring their spam filters: adding their own domain to their approved sender list.
While this might seem like a good idea at first glance – we want to make sure we don't block email from our colleagues, right? – in practice all it does is open your organization up to spoofed email. With that in mind, we strongly recommend that organizations not add their own domains to their approved sender lists. (Don't worry – legitimate mail from within your domain is correctly identified by filters and generally gets through just fine.)
For more information on how Google email security services, powered by Postini, can help your organization provide better spam protection and take a load off your network by halting spam in the cloud, visit www.google.com/postini.
Posted by Adam Swidler, Google Postini Services team