Top ten spambots compared, since March 2011 (Source: Symantec Intelligence Report, June 2011)
Advertising for pharmaceuticals is still the most common type of spam globally, despite a 24 percentage point drop in share since the end of 2010. The new fake online pharmacy brand WikiPharmacy is to blame, says Symantec.
Towards the end of 2010, advertising for pharmaceutical products accounted for 64 percent of all spam, according to research published in the June 2011 Symantec Intelligence Report. That included the vast majority of the up to 30 billion emails sent daily from the largest and most active spam-sending botnet, Rustock.
Spamit, one of the main affiliate websites through which pharmaceutical spam was being promoted, was shut down in September 2010. As a result, Rustock lost an important source of its work, sometimes suffering outages where very little or even no spam was sent from its bots -- although the longest outage was less that 48 hours.
Then in March 2011, the Rustock botnet was taken down by Operation b107, a coordinated action led by Microsoft.
"Global spam has generally been falling since the shutdown of the Spamit affiliate website in late September 2010," wrote report editor Paul Wood, senior intelligence analyst with Symantec.cloud. The takedown of Rustock accelerated the decline.
"Spam volumes have never quite recovered," Wood said. In June 2011, pharmaceutical spam is just 40% of the total, although still the biggest category, followed by dating, sex and adult-related at 19 percent, and watches and jewellery at 17.5 percent.
A new spam tactic, identified by Symantec Intelligence last month, is to use the "Wiki" prefix in the promotion of fake pharmaceutical products relating to a new pharmacy brand, WikiPharmacy.
The “Subject:” line in these attacks contains randomised text, with real-world examples including "yWIKIg", "hWikiPharmacyl" and "oWikiPharmacyp".
"The volume of spam in this latest attack is quite high. Needless to say is that the popularity of the wiki- name in a number of high-profile Web sites is being exploited here, and users must be very careful not to enter personal details on these fake sites," says the report.
Overall, spam is now at its lowest level since the November 2008 takedown of McColo, the California-based ISP that hosted the command and control channels for a number of major botnets. But despite the successes, in June 2011 spam still constituted 72.9 percent of all email globally, and 70.4 percent in Australia.
The June 2011 Symantec Intelligence Report, which is based on data collected in May and June, combines the research and analysis streams previously published separately in the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report.