Pushdo/Cutwail Botnet Takedown Attempt: No Major Impact On Overall Spam Volume, Traffic “Spikey”

Just a quick note about recent news reports (such as PCWorld, “Huge Spamming Botnet Injured but Still Alive“and InfoWorld, “What it Takes to Shut Down a Botnet“) about efforts to curtail the activities of the so-called Pushdo or Cutwail botnet. This network of compromised computers is suspected of being one of the largest sources of spam and malware-infected email (see the coverage I mention previously or this interesting study on that botnet, published by Trend Micro last year).

Late last week, security researchers contact ISPs that were apparently hosting various command and control servers used by the botnet in an attempt to shut the network down (not unlike the original takedown of botnets hosted by rogue ISP McColo). Apparently approximately 20 out of 30 of the C&C servers used by the Pushdo/Cutwail botnet were cut off from the internet, possibly having a short-lived effect on overall spam volume.

As other vendors have seen, spam fighters tell me that our own spamtraps (sometimes referred to as “honeypots”) have not seen a volume decrease, but noted that the volume pattern—the natural rises and falls in spam volume that accompany new spam campaigns—have been more “spikey”, with bigger fluctuations between high and low volume than we are used to seeing. It’s unclear if this behavior is at all related to activities around the Pushdo/Cutwail botnet.

As always, email volumes, especially those received by large enterprises, can fluctuate wildly. This is driven in part by general spam and malware sending activity, but also from attacks that attempt to target specific organizations whether they are attempts at denial-of-service, directory harvest attacks, or targeted phishing attacks.

This ongoing unpredictability is one of the key reasons that many organizations have (or are looking at) moving their inbound email security protection to a SaaS model. The rationale being, “Why worry about properly scaling your email and email security infrastructure to meet worst case scenarios when the same type of protection and control is available “in the cloud” at a much lower total cost-of-ownership?”

Keith Crosley directs corporate communications for Proofpoint. Keith’s job entails the promotion of Proofpoint e-mail security solutions to press, analysts and the enterprise e-mail security market at large. His blog covers a wide variety of e-mail security topics including anti-spam, phishing, identity theft, data breaches and the policy, culture and technology issues that surround e-mail. Previous positions have included director, corporate communications at Elance, senior director, worldwide public relations at BroadVision and director of marketing at WiredPlanet.com. As a key spokesperson for Proofpoint and e-mail security evangelist/researcher, he takes part in television and radio appearances. Avocationally and semi-professionally, he is a filmmaker, musician and all-round multimedia enthusiast.