Official Blog
Built in the cloud. Engineered for your enterprise.
Q3'09 Spam & Virus Trends from Postini
Thursday, October 1, 2009
Editor's note:
The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which processes more than 3 billion email connections per day in the course of providing email security to more than 50,000 businesses and 15 million business users.
Back in 2007, we saw the first variants of a big virus attack later labeled the "Storm" virus. During that summer, Storm attacked with force, pushing payload spam activity to then-unprecedented levels and sustaining them for several months. The security community eventually caught up, and payload spam activity fell to nominal levels and held there. That is, until this year: Q2'09 saw a significant surge in payload spam activity, and now Q3'09 levels have made the 2007 Storm virus attack look small in comparison. Postini data centers have blocked more than 100 million viruses every day during what has so far been the height of the attack.
The majority (55%) of these viruses are messages like the one you see below, a fake notice of underreported income from the IRS (which the IRS distributed an alert on earlier this week). Another large contingent (33%) have come in the form of fake package tracking attachments, which were already on the rise in Q2.
You might think a spoofed IRS notice or package tracking email is obviously spam, and wonder who would fall for it and actually click on the attachment.
However, at these volumes, it takes only a tiny fraction of the recipients being fooled for the spammers to add hundreds of computers to their botnets every day.
ISP takedowns continue, overall spam levels steady
Last quarter we saw a temporary 30% drop in overall spam levels following the 3FN ISP takedown, and the ISP takedown trend continues into Q3 with a new culprit called Real Host, a large Latvia-based ISP that was disconnected by upstream providers on August 1. This takedown didn't have the same drastic effects as McColo (last November), but it was comparable to 3FN. Ultimately, the effects of the Real Host takedown lasted only two days, with an initial 30% drop in spam followed by a quick resurgence.
Overall, spam levels remained steady this quarter, with little growth or decline since the Real Host incident. In Q3, spam as a percentage of total message volume is hovering around 90%, down from the Q2 average of around 95%.
Q3'09 average spam levels were down 8% from Q2'09 and on par with levels in Q3'08. Spam levels also saw smaller ups and downs than in previous quarters.
Older spam techniques driving message size up
Last quarter we reported on the trend toward larger message sizes, measured in bytes. The trend has continued into this quarter, making 2009 a year of resurgence in old techniques such as image spam and payload viruses.
When considering the spam bytes processed per user, growth has been steep in 2009, with Q3'09 rates up 123% from Q3'08.
Organizations that process spam inside their network should pay attention to this trend. The larger sizes create a bandwidth burden that can impact speed across your network. As the chart shows, Q2'09 delivered the record high to date for spam size – and subsequently for bandwidth drag for teams that manage spam in-house, potentially forcing those organizations to upgrade their capacity limits.
Best practices to optimize your enterprise spam filter
A common piece of feedback we get from our customers is that many of the messages in their spam folder or quarantine seem to come from "them" – from what appear to be valid email addresses from their own domain. These email addresses are actually spoofed (a common technique to mask the real origins of a message), and spammers employ this technique to take advantage of a mistake organizations sometimes make in configuring their spam filters: adding their own domain to their approved sender list.
While this might seem like a good idea at first glance – we want to make sure we don't block email from our colleagues, right? – in practice all it does is open your organization up to spoofed email. With that in mind, we strongly recommend that organizations not add their own domains to their approved sender lists. (Don't worry – legitimate mail from within your domain is correctly identified by filters and generally gets through just fine.)
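As an added illustration (not part of the original post and not Postini's own code), the Python sketch below audits an approved sender list for entries that cover your own domain, and shows that a filter keyed on the From header approves a spoofed message until those entries are removed. The domain example.com, the list entries, the entry syntax and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAINS = {"example.com"}  # assumption: your organization's mail domain

def entry_domain(entry):
    """Domain part of an entry such as 'a@dom', '*@dom', '*.dom' or 'dom'."""
    return entry.strip().lower().rsplit("@", 1)[-1].lstrip("*").lstrip(".")

def audit_approved_senders(entries, own_domains=OWN_DOMAINS):
    """Return entries that approve mail claiming to come from our own domains."""
    flagged = []
    for entry in entries:
        dom = entry_domain(entry)
        if any(dom == d or dom.endswith("." + d) for d in own_domains):
            flagged.append(entry)
    return flagged

def is_approved(raw_message, approved):
    """Toy allowlist check keyed on the From header, which the sender controls."""
    _, addr = parseaddr(message_from_string(raw_message)["From"])
    addr = addr.lower()
    for entry in approved:
        e = entry.strip().lower()
        if "@" in e and not e.startswith(("*@", "@")):
            if addr == e:                           # exact-address entry
                return True
        elif addr.endswith("@" + entry_domain(e)):  # whole-domain entry
            return True
    return False

# Constructed sample data, not taken from the post.
APPROVED = ["partner.example.net", "*@example.com",
            "billing@vendor.example.org", "*.mail.example.com"]
SPOOFED = (
    "Received: from mx.unrelated.invalid ([192.0.2.10])\n"
    "From: IT Helpdesk <helpdesk@example.com>\n"
    "To: staff@example.com\n"
    "Subject: Notice\n"
    "\n"
    "See attachment.\n"
)

if __name__ == "__main__":
    bad = audit_approved_senders(APPROVED)
    print("remove from approved list:", bad)
    print("spoof approved before cleanup:", is_approved(SPOOFED, APPROVED))
    cleaned = [e for e in APPROVED if e not in bad]
    print("spoof approved after cleanup:", is_approved(SPOOFED, cleaned))
```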
For more information on how Google email security services, powered by Postini, can help your organization provide better spam protection and take a load off your network by halting spam in the cloud, visit www.google.com/postini.
Posted by Adam Swidler, Google Postini Services team