Are compromised accounts getting better or worse?

I decided to take a look at the total number of outbound spam incidents that we have discovered over the past year. We have multiple layers of incidents:

  • We have thresholds for the amount of mail users can send where the content is marked as spam.
  • We have thresholds for the amount of mail some organizations can send where the content is not marked as spam (pure volume threshold).
  • Other organizations have the same processes in place but the threshold is lower. This is because the organization has a history of sending outbound spam. Therefore, in order to be more aggressive, we have lowered those limits to prevent zero-day spam from being emitted.
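
To make the three layers concrete, here is an added example (not code from the original post or from the service it describes) that evaluates a handful of constructed outbound-mail log lines against those thresholds: a per-user limit on spam-marked messages, a per-organization pure-volume limit, and a lowered volume limit for organizations with a history of outbound spam. The threshold values, the log format, and the organization names are assumptions made for the example; the counts are bucketed by ISO week because the post reports its alerts on a weekly chart.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp, sending organization, sender, filter verdict.
# Week 19 has one user who sends three spam-marked messages and one "history"
# organization that hits its lowered volume limit; week 20 has one spam sender.
SAMPLE_LOG = """\
2024-05-06T08:01:00 contoso.example alice@contoso.example spam
2024-05-06T08:02:00 contoso.example alice@contoso.example spam
2024-05-06T08:03:00 contoso.example alice@contoso.example spam
2024-05-06T09:00:00 contoso.example bob@contoso.example ham
2024-05-07T09:00:00 contoso.example bob@contoso.example ham
2024-05-07T10:00:00 fabrikam.example dan@fabrikam.example ham
2024-05-07T10:01:00 fabrikam.example dan@fabrikam.example ham
2024-05-07T10:02:00 fabrikam.example dan@fabrikam.example ham
2024-05-07T10:03:00 fabrikam.example dan@fabrikam.example ham
2024-05-07T10:04:00 fabrikam.example dan@fabrikam.example ham
2024-05-13T08:00:00 contoso.example carol@contoso.example spam
2024-05-13T08:01:00 contoso.example carol@contoso.example spam
2024-05-13T08:02:00 contoso.example carol@contoso.example spam
2024-05-14T08:00:00 fabrikam.example dan@fabrikam.example ham
2024-05-14T08:01:00 fabrikam.example dan@fabrikam.example ham
2024-05-14T08:02:00 fabrikam.example dan@fabrikam.example ham
2024-05-14T08:03:00 fabrikam.example dan@fabrikam.example ham
"""

# Assumed thresholds (per ISO week). Real deployments tune these per service.
USER_SPAM_THRESHOLD = 3        # layer 1: spam-marked messages from one user
ORG_VOLUME_THRESHOLD = 10      # layer 2: total messages from one organization
# layer 3: organizations with a history of outbound spam get a lower volume limit
LOWERED_ORG_LIMITS = {"fabrikam.example": 5}


def iso_week(timestamp):
    """Return a 'YYYY-Www' bucket label for an ISO-8601 timestamp."""
    year, week, _ = datetime.fromisoformat(timestamp).isocalendar()
    return f"{year}-W{week:02d}"


def parse_log(text):
    """Parse whitespace-separated log lines into (week, org, sender, verdict)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, org, sender, verdict = line.split()
        events.append((iso_week(ts), org, sender, verdict))
    return events


def evaluate(events, user_spam_threshold=USER_SPAM_THRESHOLD,
             org_volume_threshold=ORG_VOLUME_THRESHOLD,
             lowered_limits=LOWERED_ORG_LIMITS):
    """Apply the three threshold layers; return (week, kind, subject, count, limit)."""
    spam_by_user = Counter()   # keyed by (week, sender), spam verdicts only
    volume_by_org = Counter()  # keyed by (week, org), every message counts
    for week, org, sender, verdict in events:
        volume_by_org[(week, org)] += 1
        if verdict == "spam":
            spam_by_user[(week, sender)] += 1

    alerts = []
    for (week, sender), n in sorted(spam_by_user.items()):
        if n >= user_spam_threshold:
            alerts.append((week, "user_spam", sender, n, user_spam_threshold))
    for (week, org), n in sorted(volume_by_org.items()):
        # Layer 3 overrides layer 2 for organizations with a spam history.
        limit = lowered_limits.get(org, org_volume_threshold)
        if n >= limit:
            alerts.append((week, "org_volume", org, n, limit))
    return sorted(alerts)


def weekly_alert_counts(alerts):
    """Count alerts per week: the series the post plots on its weekly chart."""
    return dict(Counter(week for week, *_ in alerts))


if __name__ == "__main__":
    found = evaluate(parse_log(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print(weekly_alert_counts(found))
```

Note that the pure-volume layer fires on the "history" organization at five messages even though every one of them was judged clean, while the larger organization sending the same number stays under its default limit; that asymmetry is the whole point of lowering limits for organizations with a record of outbound spam.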

I took a look at all of our automated alerts and plotted them on a weekly chart, seen below:

[Chart: weekly count of automated outbound-spam alerts over the past year]

The data is not conclusive, but you can see that it is trending up (i.e., getting worse) over time. However, unlike spam, which remains pretty constant (except on weekends), compromised accounts or machines oscillate a lot – up one week and down the next. It is not consistent.

The good news in all of this is that our detection mechanisms have steadily improved.  The bad news is that the better we get at it, the more problems we see there are.