Sunday, December 26, 2010

Christmas time increases spammer's creativity

Every year around Christmas the spammers show their creativity and they try to figure out how to bypass existing spam filters. Currently they try spam bursts.

In week 51 the variation in spam mails increased rapidly. This led to a tripled amount of distinct hash sums of spam mails identified by the NiX Spam Project.
The blue lines shows the number of distinct hash sums of spam mails.

But this trend was already obsoleted by another trick used today.
Half the day spammers tried to burst spams in very short time slots but with high volume from countless IPs. On the graphs below you can see that the bursts last only few minutes followed by quiet minutes. This behavior was repeated over more than ten hours.
Attempts per second to deliver spam to spam traps.
All dates are in CET (UTC+1).
Hit rate of IPs queried at the NiX Spam DNSBL
Short time before and after the bursts the overall spam volume decreased significantly. The time before could have been used to prepare thousands of spam bots for their upcoming task. The time after is probably used to prepare the bots for the new attack. What would that be? Testing ways to effectively bypass Greylisting? Using each spam bot only a very short time to conceal the infection? Spreading malware in "Christmas greetings" to gain a bigger spam bot army? Whatever comes next we will see it soon. We are prepared...

No comments: