[Ed. Note: The spam data cited in this post is drawn from the Postini Message Security network, which processes and culls spam from more than 2 billion enterprise email connections per day, giving Google strong insight into the state of the spam industry overall. For a discussion of what Google is doing to keep spam out of your Gmail inboxes on the consumer side, check out this post.]

In November 2008 a large source of the world's spam, the McColo network, was taken offline. Prior to that, spam levels had been holding relatively constant. But when McColo went offline, we saw spam drop by 70% compared with previous levels. However, spammers are recovering with vigor.

While spam is still down overall, it's important to note its rate of growth. Spam levels are up by 156% since November 2008. As spammers recover, the increased rate of spam growth will likely have total spam volumes back to pre-McColo levels within a few months.



Although McColo received a lot of attention, the highest volume of spam in 2008 actually came on April 23, which was an all-time high spam level for Google Message Security data centers. That day, the average number of spam messages blocked per user was 194. This peak was driven by an unprecedented number of non-delivery receipt (NDR) attacks we saw in April. One customer who was the target of a specific NDR attack said that their users were receiving an average of 100 emails every minute.

As spammers fill the void left by McColo, it's reasonable to anticipate a decreasing rate of growth as spam reaches November 2008 levels. However, since the November levels weren't even the peak for the year, and since spammers appear to be quickly recovering, the question remains: Where will spam volume top out in 2009? Will it be near the November 2008 level? the April 2008 level? Or higher?



One way to approach that question might be to compare 2008 overall levels with previous years. Spam threats rose visibly in 2008, reflecting the overall trend of rising attacks. Even with the drop in November 2008, spam levels climbed 25% over 2007. Our statistics show that the average unprotected user would have received 45,000 spam messages in 2008 (up from 36,000 in 2007). All indicators suggest this trend will continue as virus, malware, and link-based attacks become both more frequent and more ingenious.



Looking ahead to the rest of 2009, we expect viruses sent via email and in blended attacks (email and web) to continue to be a serious threat. During the second half of 2008, virus volume increased six-fold from the first half of the year. These spam messages would often try to fool users by mimicking legitimate emails such as package tracking notifications or invoices that included virus attachments. Another popular technique in 2008 was emailing spoofed news alerts with URLs that would link to a website hosting the virus.

We can also expect that viruses and malware will continue to be a key tool and area of focus for spammers to upgrade their platforms. Even though virus attachment volumes have been low so far this year, we expect spammers to work hard to rebuild their networks to replace what was lost in the McColo shutdown.

Of course, the only thing we can really say with certainty about 2009 is that spam and viruses will continue to be unpredictable. And given that uncertainty, virus detection and blocking technologies become even more important. Last year we released advanced new anti-virus heuristics that specifically targeted zero-hour vulnerability (the period of time between when a new virus enters the wild and the release of the anti-virus signature file). When the zero-hour protection identifies a suspicious message, the message is scanned using the new anti-virus heuristics, and if confirmed as a virus, the message is quarantined.

The chart below is an example of our new heuristic virus detection and blocking at work. On October 1, 2008, our automated technology detected a viral message pattern (later identified as new strain of the Downloader-AAP!zip) in the wild and started quarantining messages with this virus. Five hours later we received the new virus signature file from one of our anti-virus partners and the signature-based blocks began to take effect.



As seen from the roller-coast ride of spam and viruses in 2008, spam has again demonstrated its resiliency. Despite eliminating a major source, spam keeps coming back. Spammers are re-investing with increasing speed to evolve their systems into decentralized, harder-to-detect ecosystems. If you'd like to know more about Google's anti-spam solution for businesses, visit us at www.google.com/a/security.