Q2 2009 Spam Trends

Wednesday, July 01, 2009 at 8:05 AM

Editor's Note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which provide email security to more than 50,000 organizations, including businesses of all sizes, government agencies, and educational institutions. To learn more about what the Gmail team is doing to keep spam out of your inboxes, check out this post.

Our "Spam Trend" update last quarter summarized the rise in both levels and types of spam, with new players and techniques entering the market. This quarter, proliferation continues, with an unpredictable pattern of drops and spikes as 2009 moves along. Overall, spam is measurably up: Q2'09 average spam levels are 53% higher than in Q1'09 and 6% higher than in Q2'08.

After last November's McColo ISP takedown, when spam volumes dropped by 70%, spammers worked overtime to fill the void. They succeeded: within four months, spam levels rose back to pre-McColo levels. This upward trend continued through June 4, when another large ISP spam source, 3FN, was reported to have been dismantled. Spam volume immediately dropped 30% – not as extreme as McColo, but still significant. Although this created a sudden dip in spam levels, it also created an open invitation for opportunistic spammers to once again seize a market opportunity.

Over the coming months, we anticipate watching new players once again drive spam levels back up. Since June 4, spammers have already made up a significant amount of ground, climbing 14% from the initial drop.

Here's what the trend looked like, as tracked through Postini filters, over the past six months:


"Unpredictability" summarizes the overall trend as Q2'09 winds down and spammers test both new and "retro" techniques. For example, on June 18 we tracked a new attack that unleashed 50% of a typical day's spam volume in just two hours' time. This attack used a simple "newsletter" template – somewhat "old school" by today's spam standards – with malevolent links and images inserted into the content. Google's Postini filters detected more than 11,000 variants of this spam during those two hours. Because this spam spoofed the recipient's own domain (meaning the "from" field was falsified to look internal), distribution lists were especially hard-hit by this attack.


Resurgence of image spam

One of the other trends we're watching closely is the sudden popularity of "image spam", a form of spam that rose to prominence in 2007, before most anti-spam filters learned how to block it. It's simple stuff: a basic email with advertising content, usually containing a related image. Image spam can also include malicious links or content, and either way, the large file size of an image spam message can place a heavy load on an email network.

An image spam email might look something like this:



Evidence of the resurgence in image spam can be seen in the graph below, which shows that the actual size of spam messages, measured in bytes, is back on the rise:


There are a couple of possible explanations for the resurgence in image spam, despite the fact that most spam filters have adapted to the technique. One theory is that this wave is designed to test the defenses of the different spam filters in use, so that spammers can do statistical analysis on which subject lines and content have the highest probability of success.

Another is that there may be some new players entering the spam game, following the McColo and 3FN takedowns, and these new players are opening with some well-tested techniques. Either way, we're watching this trend and will share insights as we gain them in the weeks and months ahead.

Spike in payload viruses

June was also an active month for viruses sent as email attachments, otherwise known as "payload viruses." Volumes rose to their highest level in almost two years as spammers returned to yet another tried-and-true technique to expand their botnets.

As you can see in the chart below, June's activity is almost as high as the two-month payload virus surge seen in Q3'07. Fortunately, Google's Postini zero-hour heuristics detected this upsurge early and kept payload attacks in the cloud and away from users' email networks.


Everything old might be new again

In summary, Q2'09 saw continued unpredictability and the resurgence of old-style spam attacks. Are spammers finally running out of original ideas? And if so, like Hollywood, are we now starting to see spam "remakes," based on originals of a few years ago? And what are spammers looking to accomplish as they unleash these remakes? Only time will tell.

For more information on how Google email security services, powered by Postini, can help your organization provide better spam protection and take a load off your network by halting spam in the cloud, visit www.google.com/postini.

Posted by Amanda Kleha, Google message security and archiving team

18 comments:

John Gordon said...

I'm impressed with the amount of spam I'm now getting from "legal" sources.

These are corporations with whom I might have some (tenuous) business relationship, and a large amount of political spam (from legitimate groups).

I can filter these out since the domains are not forged, but my filters are growing exponentially.

In theory these groups have removal procedures, but they don't stick. I'm added back in within weeks.

I'd love to see an approach to filtering out this class of spam -- spam with authentic domains. It's easy to imagine ways to develop a user-generated "blacklist" that we could opt into.

David said...

Amazing! I unfortunately had three other folks with my same name start signing up for stuff with *my* e-mail account, so now I get spam whereas I never used to. I like to keep them in my Spam folder to see how many I get a month. It was sitting around 2000 for a while. Then a little over a month ago, it surged to 3500+! I was shocked.

What shocked me more was a few days ago when I was looking at 3600+ spam in my Spam folder at 9am, and then at noon it was at 1900 spams!! I got 1700 spam messages sent to me in a 2-3 hour period! And now I know why!

Thank you, Gmail, for doing such an amazing job of protecting all of us!

Nickname: said...

Image spam may have something to do with the iPhone's Load Remote Images setting on by default.

Shane Tolmie said...

Great article. Of course, there is a big economic incentive to spam. I wonder if it's possible to flip the coin and provide a similar economic incentive to reduce spam? Perhaps some sort of price on the heads of those that are responsible for the most spam and most time wasted on a global scale?

Sheri Fresonke Harper said...

Interesting, there is so much of it.

maxroeleveld said...

It's nice to see some background info on spam. What isn't entirely clear to me at this point: does Gmail use Postini, or do they have their own anti-spam measures? I'd guess that they use Postini, but the wording of this article makes me doubt that.

Also: "And if so, like Hollywood, are we now starting to see spam "remakes," based on originals of a few years ago?". If that's the case, your jobs should get easier. Sequels and remakes tend to suck. =]

Neil Boyd said...

Didn't it occur to you that the rise in image spam might be related to the rise in people sending images via email? i.e. there's more genuine email that looks like spam so it's harder to differentiate.

Jayne said...

Wow! When do you sleep, and how do you sleep thinking about this? Keep up the good job! Thanks for the information.

twooey50 said...

And still the legitimate marketer remains the only true casualty of this war. Not long before all ISPs or industry deliverability partners will require a "pay per delivery" or cost-incurred IP address certification in order to get the requested marketing material in front of the consumer. I wonder if email stamps will be sold in booklets or rolls.

coolpolitealex said...

Keep up the good work; it's easy for us to forget how resourceful they are, so well done Google from a friend.

mutiara_hati said...

I did not know that spam can be sent through advertisements. Are there any other solutions to detect spam messages?
Thank you.

Riaz said...

Hello,

Do you have the ability to break this down by UK/Europe?

Tony said...

Thank you for your great work. We have no idea how much of a mess our systems would be without your diligence.
Can you tell me how to delete 400 messages in my spam box without having to select every page of 50 at a time?

Gene said...

I'd like to see stats on msgs blocked w/o any user action req'd vs. msgs that were manually filtered.

Also it might be interesting to see stats on how many spam msgs are manually filtered before being read, vs. after being read/opened.

Luís Reis said...

"how to delete 400 messages in my spam box without having to select every page of 50 at a time?"

Erm... You could use the link on top of the spam page that deletes them all at once, perhaps?

TheGuy said...

As Gene said, I'd too like to see the stats on messages blocked without enduser action.

Anyhow, great to see the statistics.

PlumbersStock said...

Any information on the false positives?

gluino said...

> "Fortunately, Google's Postini zero-hour heuristics detected this uprise early and kept payload attacks in the cloud and away from users' email networks."
Are the heuristics any more intelligent than checking if the attachments are executable?
