While Google didn’t suggest where security researchers ought to strike next, others have named the target. If hitting rogue hosting companies doesn’t help, and beheading the botnets is limited in effect, then the next logical step is for ISPs to target the PCs that make up the botnets, blocking the TCP/IP ports through which they send e-mail and notifying their owners that they need cleaning up, according to Trend Micro CTO Dave Rand.
Despite security researchers’ efforts to cut spam down to size, it just keeps growing back. The volume of unsolicited email in the first quarter was around 6 percent higher than a year earlier, according to Google’s e-mail filtering division Postini.
Security researchers have won a few significant battles against the spammers in the last year, first against those hosting the spammers’ control systems, and later against the control systems themselves, but they will have to change tactics again if they want to win the war, Google said in a posting to its Enterprise blog.
These days, spammers typically contract out the business of sending messages to a botnet operator, who controls a group of malware-infected PCs. There are dozens of botnets of varying sizes, each typically looking to a different command-and-control server for its instructions.
In the first half of last year, security researchers concentrated their efforts on identifying the ISPs or hosting companies that allowed these command-and-control servers to operate, and shutting them down. The success of that tactic was short-lived. It took a little less than a month after the shut-down of ISP 3FN for spam sent to the 18 million business users of Google’s Postini service to return to its previous level, while the closure of Real Host affected spam levels for only two days: the botnet operators quickly found new homes for their servers and reprogrammed their botnets.
Security researchers soon switched their attentions to the botnet command-and-control servers themselves, infiltrating them and preventing the botnet from receiving new instructions. However, the closure late last year of Mega-D, a botnet of 250,000 PCs, and the crippling early this year of the Waledac, Mariposa and Zeus botnets, has had little effect on spam volumes, with spammers simply turning to another botnet to deliver their e-mail, Google said.
Those successes meant that the volume of spam fell 12 percent from the fourth quarter of 2009 to the first of 2010, although levels remained higher than a year earlier.
One reason Google identified for that year-on-year growth was that the botnets pushed out a higher volume of virus-laden spam in the second half of the 2009 than in the first half (3.7 percent compared to 0.3 percent), with a peak in the fourth quarter of up to 100 million virus-infected messages a day. Many of the machines infected by those viruses would have been recruited to join the botnets, Google said.