Trends from 2008

I have commented that one of the major trends that I have seen this year is a steady decline in the amount of spam that we see compared to 2007.  This was certainly accelerated after McColo was taken offline, but that was also true even before that.

However, while spam has been down by at least 50% (at least for us), the amount of viruses that we have seen this year has increased substantially, by at least a factor of 5.  I don't have the numbers in front of me or know them off the top of my head, but I wouldn't be surprised if it was more than that.

Do I have some theories about why we are seeing so many viruses this year?  Well, it all comes back to a post I made this year about spam bots diversifying:

  1. Spammers want to seed their botnets, so they send out spam with links to malware, or they send messages with malware attached.

  2. Recipient opens message with malware (or clicks on link and tries to view Paris Hilton on her newest video... or something) and gets their PC infected.

  3. Spammers use botnets in different ways; they are not just for sending spam anymore.  The bots are used for reputation hijacking.  Whereas before they sent spam, now they build landing pages on Windows Live and Google's Blogspot.  They also break into Hotmail, Yahoo Mail and Gmail and create bogus accounts from which to send spam.

  4. This part is pure speculation on my part.  More spam is emitted from MAGY to MAGY (Microsoft, AOL, Gmail and Yahoo).  It could be that our customer base does not fit the target profile for these spammers' recipients.  Indeed, we don't content filter mail any differently if email comes from MAGY.  Note that I said content filter, as opposed to reputation filter.

Now that McColo has been taken offline, there seems to be a consensus in the spam community that spammers need to rebuild their botnets, so they will be sending out piles of viruses.  That may be true, but we were seeing piles of viruses even before McColo went down.  As for me, I'm not so sure.  My guess is that McColo going down is going to be more inconvenient to the spammers than we probably think, and it will take them longer to rebuild their infrastructure than we pessimistically assume.