


We’re constantly working to protect our users from email spam and phishing attempts. Some examples of these efforts include educating users about phishing and supporting open standards for email authentication such as DomainKeys Identified Mail (DKIM) in Google Apps - which can help reduce the risk of phishing attacks sent from spoofed domains.

And now our Postini services customers can take advantage of new capabilities to help protect users on legacy email servers such as Microsoft(R) Exchange. Recipient Policy Framework (RPF) is a new feature we developed for Postini that allows customers to authenticate inbound email to help ensure that each message is actually coming from who it says it’s from.

RPF uses an open Internet standard called Sender Policy Framework to authenticate inbound emails and allows customers to define policies on how to handle emails that don’t check out. When RPF is enabled by an administrator, it will help detect and block email spam and other suspicious messages.
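To make the SPF-based check concrete, here is an added example (not Postini or RPF code) that evaluates a sender IP against a domain's SPF record and maps the result to an administrator policy. DNS answers come from a constructed in-memory table of TXT records for hypothetical domains, so it runs offline; the a, mx, ptr and exists mechanisms are not modelled.

```python
"""Minimal Sender Policy Framework (RFC 7208) evaluation plus a policy map.

Added example, not Postini or RPF code. DNS answers come from a constructed
in-memory table of TXT records (hypothetical domains) so it runs offline; the
a, mx, ptr and exists mechanisms are not modelled.
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms per check

# Assumed administrator policy for mail that does not check out; it stands in
# for the policies the post says an admin can define. Other results deliver.
DEFAULT_POLICY = {"fail": "block", "softfail": "quarantine", "permerror": "quarantine"}


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Return pass, fail, softfail, neutral, none or permerror for sender_ip
    claiming to send on behalf of domain (the SMTP MAIL FROM domain)."""
    if _lookups is None:
        _lookups = [0]            # shared counter across include/redirect recursion
    record = dns.get(domain)
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"             # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]   # modifier: used only if nothing matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # An IPv4 sender tested against an ip6 network (or vice versa) is simply False.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = check_spf(sender_ip, arg, dns, _lookups)
            if sub == "permerror":
                return "permerror"
            if sub == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"    # mechanism not handled by this example
    if redirect:
        _lookups[0] += 1
        if _lookups[0] > MAX_LOOKUPS:
            return "permerror"
        return check_spf(sender_ip, redirect, dns, _lookups)
    return "neutral"              # record exhausted without an 'all' term


def decide(sender_ip, mail_from_domain, policy=DEFAULT_POLICY):
    """Apply the policy map to the SPF result and return (result, action)."""
    result = check_spf(sender_ip, mail_from_domain)
    return result, policy.get(result, "deliver")


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.com"), ("203.0.113.9", "example.com"),
                    ("203.0.113.9", "softfail.example"), ("192.0.2.1", "loop.example")]:
        print(ip, dom, decide(ip, dom))
```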

To learn more about Postini services including our email security, compliance and continuity products, please visit our web site where you can compare pricing and sign up online.

Enterprise Holdings is the largest rental car company in North America and operates Alamo Rent A Car, Enterprise Rent-A-Car and National Car Rental. They manage over 1.1 million cars, 68,000 employees and 7,600 locations around the world. When Enterprise Holdings wanted to add more security to their corporate e-mail, they chose Google Postini Services.

Join us for a free webinar on September 28, where Michael Preuss, Manager of Windows Engineering for Enterprise Holdings, will discuss why his company chose a cloud-based message security solution and how Postini’s powerful spam filtering technology was able to help them address their email security challenges. Adam Swidler, Senior Manager with Google Enterprise, will also provide an overview of Google’s security solutions and facilitate a deep-dive discussion into best-in-class practices for organizations interested in enterprise-grade protection.

A live Q & A session will follow. We hope you can join us!

Message Security in the Cloud
Tuesday, September 28th, 2010
10 a.m. PDT / 1 p.m. EDT / 6 p.m. GMT
Register here

Posted by Adrian Soghoian, Google Postini Services team

Editor's note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which processes more than 3 billion email connections per day in the course of providing email security to more than 50,000 businesses and 18 million business users.

In 2009, the security community started seeing diminishing returns from the takedown of malicious ISPs. After the ISP 3FN was taken down, spam levels rebounded in less than a month, and after Real Host went down, spam volumes recovered after only two days. In response, the anti-spam community turned its attention toward taking botnets offline instead.

Toward the end of 2009, Mega-D, a top-10 botnet – responsible for infecting more than 250,000 computers worldwide – was severely crippled through a carefully orchestrated campaign designed to isolate the command-and-control servers spammers were using to support the botnet. In early 2010, security professionals, along with government agencies, successfully mounted a campaign against several more targets: major botnets such as Waledac, Mariposa, and Zeus were either shut down or had their operations significantly curtailed.

However, this recent spate of botnet takedowns has not had a dramatic impact on spam levels. Although spam and virus levels did fall below Q4’09 highs, reports from Google’s global analytics show that spam levels held relatively steady over the course of Q1’10.

This suggests that there’s no shortage of botnets out there for spammers to use. If one botnet goes offline, spammers simply buy, rent, or deploy another, making it difficult for the anti-spam community to make significant inroads in the fight against spam with individual botnet takedowns.

Spam by the numbers
Overall, spam volume fell 12% from Q4’09 to Q1’10, which follows a trend of quarterly decreases in overall spam levels that started after the surge in Q2’09. This may be attributed to some of the recent takedowns, but spam volume was still 6% higher this quarter than it was during the same period in 2009, and spam volume as a percentage of total email messages is holding steady.


Recently, our data centers showed a 30% increase in the size of individual spam messages (measured in bytes) that occurred toward the end of March, as shown below.


This spike points to a resurgence of image spam, similar to what we reported in Q2’09. This is likely due to the fact that reusing image templates makes it easier and faster for spammers to start new campaigns.

As always, spammers tend to make use of predictable topics – cheap pharmaceuticals, celebrity gossip, breaking news – to encourage user clicks. In January, spammers hastened to exploit the Haiti earthquake crisis, sending pleas for donations that appeared to have been sent by reputable charitable organizations, politicians, and celebrities.

The frequency and variety of post-earthquake spam illustrates an unpleasant reality: spammers will exploit any means – even tragedies – to accomplish their objectives.


Virus levels fall after Q4’09 surge
During 2009, spam with attached viruses increased tenfold, with levels rising from 0.3% of total spam in the first half of the year to 3.7% in the second. Postini filters blocked more than 100 million virus-bearing messages per day during the worst of the attack.

Since then, spam with attached viruses leveled off to around 1.1% in Q1’10, and dropped as low as 0.7% in March. It’s good news that virus levels are currently trending down – but Q1’10 levels are still 12-fold higher than they were in Q1’09.

In fact, this virus surge may be part of the reason that there hasn’t been a significant impact on spam volume after the recent takedown of major botnets. With a host of new machines now infected and part of a botnet, it is unlikely that there would be a dip in spam proliferation.

Benefits of security in the cloud
Although the botnets that distribute spam are mindless drones, the spammers that take advantage of these botnets are a highly active and adaptable group. This is evidenced by the varied techniques and tactics that they employ in an ongoing effort to evade spam filters and deliver messages to their targets.

2010 is likely to see more botnets taken offline, but the question remains – will that have a long-term impact on spam volumes overall? So far in 2010, the effect has been limited, and the security community may begin to turn to other tactics that yield a more substantial impact on global spam volumes.

As long as the threat is there, however, Google is committed to using the power of the cloud to protect your enterprise from spam and viruses. Outsourcing message security to Google enables you to leverage our technical expertise and massive infrastructure to keep spammers from your inbox.

For more information on how Google’s security and archiving services can help your business stay safe and compliant, please visit www.google.com/postini.

Posted by Gopal Shah, Google Postini Services team

Google Postini security services work in the cloud to help prevent spam and viruses before they hit your servers. These services also make it easy for admins to fine-tune filtering options to get the right level of protection for their organization's unique needs.

It can often be a delicate balance between protecting networks from attacks and allowing employees the flexibility to use email effectively. To help achieve this balance, today we're introducing a new Google Message Security reporting feature: Health Check.

Health Check helps you maximize the effectiveness of your spam filters. Think of it as a self-service "tune-up" for your Postini filters. It gives admins a comprehensive report that will help them check how current configurations impact the effectiveness of antispam and antivirus filters.

This report also highlights deviations from our recommended best practices, so that you can see areas where more protection might be helpful and select the levels that best meet your needs. For example, reports can "flag" areas of risk in user-defined settings, help optimize Approved Sender Lists, and guide the way you set up firewalls.

In this snippet from a Health Check report, the Virus Outbreak Level for this account is set to "Normal" (see red outline over item "2"). Our guidelines suggest that admins set this to Very High to increase security against viruses and malware. Deviations from recommended best practices are highlighted in red text so you can easily identify where changes can be made to tighten security.

With Health Check, we hope to empower administrators to make the best use of Postini Services. Health Check is now available through the Postini service administration console to Postini and Google Apps Premier Edition customers.

For more information on the Google Postini suite of security and archiving services, visit www.google.com/postini.

Posted by Gopal Shah, Google Postini team

Today we're introducing Dual Delivery, a new feature for Google Message Security that enables a copy of an email to be delivered to two different mail hosts. Dual Delivery provides two benefits. First, it can be used to support a transition to a new email service; second, it can be used as a backup email access point.

Dual Delivery allows an interruption-free transition to a new email solution. By enabling incoming email messages to be copied and sent to two different mailhosts, Dual Delivery gives users the chance to familiarize themselves with a new email platform without disrupting mailflow to the existing system. It also gives IT the chance to learn from user behavior and understand the technical implications of a transition before a full rollout.


Dual Delivery also makes it easier to pilot and transition to Google Apps. By enabling the "Send a copy to Google Apps Gmail" feature of Dual Delivery, you can test Gmail without interrupting current practice. If you choose to switch over to Google Apps, you can enable the "Use Google Apps Gmail" feature in the Administration Console to directly route all of your mail to Gmail without having to manually reroute your MX records.

Dual Delivery can also be used as a secondary email access point. If users are unable to access their primary mailbox for any reason, or if admins want to give users cloud-based remote or mobile email access, Dual Delivery can provide read/write email access through a secondary inbox.

Dual Delivery is now available to Postini customers through the Delivery Manager settings in the Postini Administration Console.

For more information about the Google Postini suite of security and archiving services, visit www.google.com/postini

Posted by Gopal Shah, Google Postini team

Update 04/05/2010: Dual Delivery is not a tool for migrating historical email or legacy data. It is a tool that makes it easier to transition to a new email system, like Google Apps, by having production email show up in both the new system and the legacy system, allowing you to evaluate both. Please check our Switching from Microsoft Exchange and Switching from Lotus Notes posts, for more information on migrating to Google Apps.

A few months back, we learned that Google Message Security, powered by Postini, was selected as a finalist in the 2010 SC Awards for outstanding achievement in IT security. Today, we are thrilled to announce that Google Message Security has received the Reader Trust Award for Best Managed Security Service.

At Google, we think about the user experience in all that we do, so we are especially honored to receive this award from the Reader Trust Voting Panel, which consists of security and technology experts from large, medium and small enterprises from all major vertical markets.

The Postini team would like to thank SC Magazine and the many readers who voted for Google Message Security. We'd also like to congratulate our fellow nominees and award-winners and acknowledge their contributions to the field of online security.

For more information on Google Message Security and the Postini suite of security and archiving products, please visit www.google.com/postini.

Posted by Gopal Shah, Google Postini team

Today, we're introducing a new feature for Google Postini Services: Message Log Search. This feature delivers the search and analysis capabilities normally available with on-premise solutions, but without the associated complexity or maintenance.

When messages pass through the Postini service, header and transaction data about these messages is stored in a log. Previously, admins only had access to this data through customer support. With the Message Log Search feature, email administrators can now easily run searches on these logs and drill down to the details about how specific messages were processed.

For example, admins can view the disposition of messages, such as whether a message or group of messages was delivered, quarantined, archived, or encrypted.

Say an admin was checking the delivery status of all inbound emails from Matthew Smith:


Message Log Search returns results which include who received the message, date/time, disposition, and more. Click the image below for full view.


Customers trying a beta version of Message Log Search have found many useful, time-saving applications for the feature. For example, Dave Lugo at Affiliated Computer Systems is "very happy" that Message Log Search helps him track errant emails and easily resolve the "they didn't get it / we didn't get it" tickets he receives from his users. Joe Stark at HeidelbergCement uses log searching to "proactively search for problem senders" and block them entirely from his network.

Other customers have found that the Message Log Search interface is "very fast and responsive," and helps them to determine the effectiveness of new content policies and gain insight into traffic patterns across their organization.

These are a few examples that illustrate the flexibility and power of Message Log Search, and starting today, you can try the feature for yourself. Message Log Search is now available through the Postini service administration console to Postini and Google Apps Premier Edition customers.

For more information on Google Postini Services, please visit www.google.com/postini.

Note: Message Log Search data is managed and stored in Google datacenters pursuant to the privacy and data confidentiality provisions spelled out in our customer agreements. The message security service stores information about messages in a log, such as how it is processed, but does not store the content of messages.

Posted by Gopal Shah, Google Postini team

Google recently sponsored a global, multi-industry research project surveying 1,125 IT decision-makers and their perceptions about cloud computing and the key drivers behind the growth of cloud-based IT solutions.

We're sharing the results of the study in a new whitepaper: the Google Communications Intelligence Report. The findings provide some insights on what types of organizations are moving to the cloud, what value they find there, and what the key drivers for and barriers to adoption are. Some of the key takeaways follow:
  • More than 60% of respondents indicated that the IT department holds the majority of the responsibility for communications security and compliance, but fewer than 20% feel they are well equipped to handle it.
  • Email security, web security, and messaging are the cloud applications most widely adopted, and organizations using these applications in the cloud report higher satisfaction than users of traditional platforms.
  • Ease of use is cited as the key motivator for transitioning to cloud-based applications.
  • Although price is mentioned as a key deterrent for respondents who are not yet using cloud-based apps, value is cited as a key benefit by respondents who already work in the cloud.
In these findings – and in our conversations with businesses of all types and sizes – we are seeing that more and more businesses are finding enhanced productivity and IT efficiency when they move their applications to the cloud with services such as Postini or Google Apps. That the cloud movement is more than just a trend is validated by our research findings, which indicate that 50% of the respondents who were aware of but not currently using cloud-based apps are planning to deploy a cloud solution within the next 12 months.

Read more about how your organization (or business) might benefit from the research in the Communication Intelligence Report.

Posted by Adam Swidler, Google Postini Services team

Editor's note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which processes more than 3 billion email connections per day in the course of providing email security to more than 50,000 businesses and 15 million business users.

Back in 2007, we saw the first variants of a big virus attack later labeled the "Storm" virus. During that summer, Storm attacked with force, pushing payload spam activity to then-unprecedented levels and sustaining them for several months. The security community eventually caught up, and payload spam activity fell to nominal levels and held there. That is, until this year: Q2'09 saw a significant surge in payload spam activity, and now Q3'09 levels have made the 2007 Storm virus attack look small in comparison. Postini data centers have blocked more than 100 million viruses every day during what has so far been the height of the attack.


The majority (55%) of these viruses are messages like the one you see below, a fake notice of underreported income from the IRS (which the IRS distributed an alert on earlier this week). Another large contingent (33%) have come in the form of fake package tracking attachments, which were already on the rise in Q2. You might think a spoofed IRS notice or package tracking email is obviously spam, and wonder who would fall for it and actually click on the attachment.

However, at these volumes, it takes only a tiny fraction of the recipients being fooled for the spammers to add hundreds of computers to their botnets every day.


ISP takedowns continue, overall spam levels steady

Last quarter we saw a temporary 30% drop in overall spam levels following the 3FN ISP takedown, and the ISP takedown trend continues into Q3 with a new culprit called Real Host, a large Latvia-based ISP that was disconnected by upstream providers on August 1. This takedown didn't have the same drastic effects as McColo (last November), but it was comparable to 3FN. Ultimately, the effects of the Real Host takedown lasted only two days, with an initial 30% drop in spam followed by a quick resurgence.

Overall, spam levels remained steady this quarter, with little growth or decline since the Real Host incident. In Q3, spam as a percentage of total message volume is hovering around 90%, down from the Q2 average of around 95%. Q3'09 average spam levels were down 8% from Q2'09 and on par with levels in Q3'08. Spam levels also saw smaller ups and downs than in previous quarters.


Older spam techniques driving message size up

Last quarter we reported on the trend toward larger message sizes, measured in bytes. The trend has continued into this quarter, making 2009 a year of resurgence in old techniques such as image spam and payload viruses. When considering the spam bytes processed per user, growth has been steep in 2009, with Q3'09 rates up 123% from Q3'08.

Organizations that process spam inside their network should pay attention to this trend. The larger sizes create a bandwidth burden that can impact speed across your network. As the chart shows, Q2'09 delivered the record high to date for spam size – and subsequently for bandwidth drag for teams that manage spam in-house, potentially forcing those organizations to upgrade their capacity limits.


Best practices to optimize your enterprise spam filter

A common piece of feedback we get from our customers is that many of the messages in their spam folder or quarantine seem to come from "them" – from what appear to be valid email addresses from their own domain. These email addresses are actually spoofed (a common technique to mask the real origins of a message), and spammers employ this technique to take advantage of a mistake organizations sometimes make in configuring their spam filters: adding their own domain to their approved sender list.

While this might seem like a good idea at first glance – we want to make sure we don't block email from our colleagues, right? – in practice all it does is open your organization up to spoofed email. With that in mind, we strongly recommend that organizations not add their own domains to their approved sender lists. (Don't worry – legitimate mail from within your domain is correctly identified by filters and generally gets through just fine.)
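As an added illustration (example code, not Postini's own filter) of why the own-domain entry opens the door to spoofed mail: assuming a simple model in which approved senders bypass spam scoring and everyone else is scored against a threshold, the same forged internal message is delivered with the mistaken list and quarantined with the recommended one, and an audit flags the offending entry the way the Health Check report described earlier on this page does. The domain, addresses and scores are constructed.

```python
"""Added example, not Postini code: what happens when an organization puts its
own domain on its approved sender list. The filter model is assumed (approved
senders skip spam scoring, everyone else is scored against a threshold); the
domain, addresses and scores are constructed.
"""

OWN_DOMAIN = "corp.example"   # constructed organization domain


def from_domain(header_value):
    """Domain of a From: header value such as 'Name <user@host>' or 'user@host'."""
    addr = header_value.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def _normalize(entry):
    """Approved-sender entries may be '@domain', 'domain' or a full address."""
    return entry.strip().lower().lstrip("@")


def audit_approved_senders(approved, own_domain=OWN_DOMAIN):
    """Return entries that approve the organization's own domain, i.e. the
    misconfiguration the post warns about (the kind of deviation a Health
    Check style report would flag)."""
    own = own_domain.lower()
    return [e for e in approved
            if _normalize(e) == own or _normalize(e).endswith("@" + own)]


def classify(message, approved, spam_threshold=5.0):
    """Return 'deliver' or 'quarantine' for one message.

    message: {"from": <From: header value>, "spam_score": float}
    approved: list of approved sender entries, which bypass scoring entirely.
    """
    approved_set = {_normalize(e) for e in approved}
    sender = message["from"].rsplit("<", 1)[-1].rstrip(">").strip().lower()
    if sender in approved_set or from_domain(message["from"]) in approved_set:
        return "deliver"           # approved senders are never scored
    if message["spam_score"] >= spam_threshold:
        return "quarantine"
    return "deliver"


# Constructed sample traffic. The first message forges a From: address in the
# organization's own domain, which is exactly what the spoofing technique does.
SAMPLE_MESSAGES = {
    "spoofed_internal": {"from": "IT Helpdesk <helpdesk@corp.example>", "spam_score": 8.7},
    "legitimate_internal": {"from": "Jane Colleague <jane@corp.example>", "spam_score": 0.4},
    "external_spam": {"from": "promo@cheap-pills.example", "spam_score": 9.1},
}


def compare_configurations():
    """Classify the samples under the mistaken and the recommended list."""
    mistaken = ["@corp.example", "partner.example"]   # own domain approved: the mistake
    recommended = ["partner.example"]                 # own domain left off the list
    return {
        "flagged_entries": audit_approved_senders(mistaken),
        "with_own_domain": {k: classify(m, mistaken) for k, m in SAMPLE_MESSAGES.items()},
        "without_own_domain": {k: classify(m, recommended) for k, m in SAMPLE_MESSAGES.items()},
    }


if __name__ == "__main__":
    for key, value in compare_configurations().items():
        print(key, value)
```

Note that the legitimate internal message is still delivered without the own-domain entry, since its low score is what carries it through, which matches the reassurance in the post.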

For more information on how Google email security services, powered by Postini, can help your organization provide better spam protection and take a load off your network by halting spam in the cloud, visit www.google.com/postini.

Posted by Adam Swidler, Google Postini Services team

Providers of cloud computing services like Google are equipped to protect millions of users' data every day – it's core to how we run our business. Our users enjoy our economies of scale at minimal expense. We also employ some of the world's best security experts to help to make sure that your data stays safe.


On October 1, join us for a live webcast with some of our top security experts who are on the front lines of fighting spam, malware, and phishing for Google Apps users, designing identity management systems for hosted web apps, and monitoring the Google network for potential threats. Register for this live webcast, “How Google Tackles IT Security – and What You Can Learn From It,” to learn about security in the cloud and get your questions answered by members of Google's Security team. Participants include:

Eran Feigenbaum – As the Director of Security for Google Apps, Eran Feigenbaum defines and implements security strategy for Google's suite of solutions for enterprises. Prior to joining Google in 2007, Eran was the US Chief Information Security Officer for PricewaterhouseCoopers.

John Flynn – John “Four” Flynn has an extensive background in network monitoring, intrusion detection, and incident response. John currently leads Google's Security Monitoring program and is a founder of Google's Security Metrics group.

Bradley Taylor – Gmail's “Spam Czar,” Brad Taylor leads Gmail's technical anti-spam, anti-abuse, and email delivery engineering efforts. Brad has played a key role in the development of Gmail's spam filter since Gmail launched in April, 2004.

Eric Sachs – Eric Sachs has over 15 years of experience with user identity and security for hosted web applications. During his years at Google, he has worked as a Product Manager for many services including Google Accounts, Google Apps, orkut, Google Health, Google Security, and Internal Systems.

While circumstances may vary, most IT departments face similar security challenges. Find out more from the people who confront these issues every day here at Google.

Join us for our live webcast to learn about the people, best practices, and technologies that we have in place to minimize security threats.

How Google Tackles IT Security – and What You Can Learn From It
Thursday, October 1, 2009
11:00 a.m. PDT / 2:00 p.m. EDT / 6:00 p.m. GMT

We hope to see you there.

Posted by Serena Satyasai, Google Apps team

Find customer stories and product information on our resource sites for current users of Microsoft Exchange and Lotus Notes/Domino.

Editor's Note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which provide email security to more than 50,000 organizations, including businesses of all sizes, government agencies, and educational institutions. To learn more about what the Gmail team is doing to keep spam out of your inboxes, check out this post.

Our "Spam Trend" update last quarter summarized the rise in both levels and types of spam, with new players and techniques entering the market. This quarter, proliferation continues, with an unpredictable pattern of drops and spikes as 2009 moves along. Overall, spam is measurably up: Q2'09 average spam levels are 53% higher than in Q1'09 and 6% higher than in Q2'08.

After last November's McColo ISP takedown, when spam volumes dropped by 70%, spammers worked overtime to fill the void. They succeeded: Within four months, spam levels rose back to pre-McColo levels. This upward trend continued through June 4, when another large ISP spam source, 3FN, was reported to have been dismantled. Spam volume immediately dropped 30% – not as extreme as McColo, but still significant. Although this created a sudden dip in spam levels, it also created an open invitation for opportunistic spammers to once again seize a market opportunity.

Over the coming months, we anticipate watching new players once again drive spam levels back up. Since June 4, spammers have already made up a significant amount of ground, climbing 14% from the initial drop.

Here's what the trend looked like, as tracked through Postini filters, over the past six months:


"Unpredictability" summarizes the overall trend as Q2'09 winds down and spammers test both new and "retro" techniques. For example, on June 18 we tracked a new attack that unleashed 50% of a typical day's spam volume in just two hours' time. This attack used a simple "newsletter" template – somewhat "old school" by today's spam standard – with malevolent links and images inserted into the content. Google's Postini filters detected more than 11,000 variants of this spam during those two hours. Because this spam enabled spoofing of the recipient domain (meaning the "from" field was falsified), distribution lists were especially hard-hit by this attack.


Resurgence of image spam

One of the other trends we're watching closely is the sudden popularity of "image spam" – a form of spam that rose to prominence in 2007, before most anti-spam filters learned how to block it. It's simple stuff: basic email with advertising content, usually containing a related image. Such messages can also include malicious links or content – and either way, the large file size of an image spam can place a heavy load on an email network.

An image spam email might look something like this:



Evidence of the resurgence in image spam can be seen in the graph below, which shows that the actual size of spam messages, measured in bytes, is back on the rise:


There are a couple of possible explanations for the resurgence in image spam, despite the fact that most spam filters out there have adapted to the technique. One theory is that this wave is designed to test the defenses of the different spam filters out there, so that spammers can do statistical analysis on what subject lines and content have the highest probability of success.

Another is that there may be some new players entering the spam game, following the McColo and 3FN takedowns, and these new players are opening with some well-tested techniques. Either way, we're watching this trend and will share insights as we gain them in the weeks and months ahead.

Spike in payload viruses

June was also an active month for viruses sent as email attachments, otherwise known as "payload viruses." Volumes rose to their highest level in almost two years as spammers returned to yet another tried-and-true technique to expand their botnets.

As you can see in the chart below, June's activity is almost as high as the two-month payload virus surge seen in Q3'07. Fortunately, Google's Postini zero-hour heuristics detected this uprise early and kept payload attacks in the cloud and away from users' email networks.


Everything old might be new again

In summary, Q2'09 saw continued unpredictability and the resurgence of old-style spam attacks. Are spammers finally running out of original ideas? And if so, like Hollywood, are we now starting to see spam "remakes," based on originals of a few years ago? And what are spammers looking to accomplish as they unleash these remakes? Only time will tell.

For more information on how Google email security services, powered by Postini, can help your organization provide better spam protection and take a load off your network by halting spam in the cloud, visit www.google.com/postini.

Posted by Amanda Kleha, Google message security and archiving team

Editor's Note: There's never a dull moment in the world of online security. Threat patterns evolve in volume, sophistication, and the types of exploits and sources. News about the recent Conficker virus got us talking with Scott Petry, founder of Postini (original developers of Google's suite of security and archiving services), and Wolfgang Kandek, CTO of Qualys. Their comments follow. To learn more about trends in spam, hacking, and ways of keeping email networks safe, join Google and Qualys in an online conversation, "In Cloud We Trust," on April 16, where we'll discuss these topics live.

Q: Ten years ago, packaged software was the norm. Yet Postini built a hosted service - what we today call cloud computing. Why did you drive a cloud architecture for Postini?

Scott: We believed that by offering a service infrastructure we could prove a lower TCO than an on-premise alternative. With that service infrastructure aggregating data, we'd also have insight into a wider sample of data, thus providing a more effective solution.

Q: How did the idea of having a "perimeter protection service" to protect email networks in the cloud first evolve? Is it the right model for the future?

Scott: Postini's innovation was to see SMTP as an integration API and DNS as a way to access traffic, thus putting us "upstream" of the customers' infrastructure, alleviating integration challenges and stopping problems before they reached the firewall. We saw this as better for a number of reasons.

Email servers have a long shelf life, and customers typically add incrementally to their system, rather than get a complete replacement. This causes a management problem for IT, creating a heterogeneous environment into which they must layer in security and compliance services.

We never saw ourselves as just an anti-spam company, so we built infrastructure that allowed a business rule to be configured as tightly as a content string for a single user. This design decision is inherently linked to the cloud. It allows us to deliver a better anti-spam solution, and also expand into content compliance areas.


Q: Wolfgang, you've been keeping a tight watch on the latest vulnerabilities impacting networks worldwide via your Laws of Vulnerabilities research. What are some of the trends you're seeing in 2009?

Wolfgang: Our research into vulnerability trends has shown that the industry overall did not significantly improve its ability to address security problems in a timely manner. At the same time, attackers have been getting faster and more sophisticated. Proactive security, by maintaining systems updated with the latest patches, is the cheapest of all security tools; nevertheless, it has not grown in the way I would have hoped.

The first three months of 2009 have been a great example. We've seen Conficker infect millions of machines. The simplest way of preventing the outbreak would have been to preventively apply a patch, if available, to stop the worm. But figuring out such patches takes time. In contrast to worms of the past which often gave us months to react, Conficker activated only two weeks after the official release of the patch, clearly showing that attackers have become faster in their timing. It's getting tougher for patches to keep up.

Q: As network security budgets continue to tighten, how can "security as a service" be advantageous to users?

Wolfgang: SaaS solutions have the advantage that they have minimal setup and are immediately usable. Companies can get their feet wet with a small pilot, show success, and then grow it at their own pace to address larger needs. Organizations of any size can take advantage of the functionality and the predictable steady cost of cloud solutions, while at the same time enjoying the usability brought through constant improvements.

Scott: Agreed. As IT faces more pressure from a changing threat landscape and increased compliance mandates, the cloud model gives maximum leverage to IT – always important, but especially in this economic climate.

Register here for "In Cloud we Trust"

Thursday, April 16, 2009 1:00 p.m. EST / 10:00 a.m. PST


Editor's Note: The spam data cited in this post is drawn from the Google enterprise security and archiving security network (Postini), which delivers an added layer of security for standalone mail servers and Google Apps Premier Edition customers. For a discussion of the anti-spam measures included in Gmail, please see this post from the Gmail blog.

In providing email security to more than 50,000 businesses and 15 million business users, Google security and archiving services, powered by Postini, process and cull spam from more than three billion enterprise email connections every day. This gives us strong insights into the state of the spam industry, some of which we share in regular posts to this blog.

Read on for a quick overview of spam trends and events in the first quarter of 2009.

What we saw in the Postini data centers

The most significant spam-related event in the first quarter of 2009 occurred when spam volume returned to pre-McColo takedown levels. By the second half of March, seven-day average spam volume was at the same volume we saw prior to the blocking of the McColo ISP in November 2008.


Spammers have clearly rallied following the McColo takedown, and overall spam volume growth during Q1 2009 was the strongest it's been since early 2008, increasing an average of 1.2% per day. To put that number into context, the growth rate of spam volume in Q1 2008 was approximately 1% per day – which, at the time, was a record high.

Of course, like every year before it, 2008 set a new record for overall spam volume. But in 2008 spam growth flattened over the summer and early fall, and then fell off a cliff after the McColo takedown (daily growth declined to .8%, .3%, and then .01% in the last three quarters of the year). This pattern raises some interesting questions regarding what we can expect in the rest of 2009: Will spam growth once again flatten or decline after a strong first quarter? Or have spammers – as part of their recovery from the McColo takedown – rebuilt botnets to be capable of sustaining or even accelerating this early growth spurt?

It's difficult to ascertain exactly how spammers have rebuilt in the wake of McColo, but data suggests they're adopting new strategies to avoid a McColo-type takedown from occurring again. Specifically, the recent upward trajectory of spam could indicate that spammers are building botnets that are more robust but send less volume – or at least that they haven't enabled their botnets to run at full capacity because they're wary of exposing a new ISP as a target.

New types of spam

The most significant development in spam vectors this quarter was the appearance of location-based spam. In this type of attack, users click on a link in a spam message and are directed to a page that contains a fraudulent news headline describing a crisis or disaster in a major city nearby. The attack customizes the location for each user by determining the geolocation of the user's source IP and then identifying the nearest major city. The addition of location creates a heightened level of interest, and the user is tempted to click on the embedded video – which in turn downloads a virus to his or her machine.

Meanwhile, the economy, financial markets, job cuts, and resume help continue to be the most prominent topics spammers are employing as lures for more traditional attacks. We also saw increased spam activity around the U.S. presidential inauguration and St. Patrick's Day, in keeping with the recent propensity spammers have demonstrated for reading the news and keeping their eyes on the holiday calendar in targeting their attacks.

Virus roundup

In early 2008, a trend emerged in which we saw spam messages with attached viruses (otherwise known as "payload viruses") spiking every Sunday, possibly targeting a maintenance window to catch corporate defenses when they were undergoing scheduled updates.


This year we've seen the payload viruses spread out across every day of the week, with no immediately obvious pattern in their distribution. It's difficult to say for certain what prompted the change, but one possible explanation is that spammers switched tactics because they weren't seeing the success they'd hoped for from the focused attacks.


Of course, payload viruses have also seen a recent spike overall -- in the month of March we saw a 9x increase from February. This pales in comparison to the highs we saw last summer, but it may indicate a developing trend that's worth keeping a close eye on.

Viruses delivered as a blended threat (when a spam message directs a user to a malicious website, which then results in a virus being downloaded to the user's computer) continue to be popular with spammers. E-cards are one of the best examples of this vector, and Valentine's Day saw a flurry of activity using e-cards to direct users to malicious websites.

Conclusions

Spammers continue to prove their resilience -- whether it's bouncing back from the biggest takedown on record or finding new ways to exploit the ways we communicate for malicious purposes, they're clearly here to stay. And Google believes firmly in the power of the cloud to protect your enterprise from them: Outsourcing message security to Google enables you to leverage our technical expertise and massive infrastructure to keep spammers from your door. See how much spam is costing your business, learn how much you could be saving with Google Message Security, or contact us for more information.

Posted by Amanda Kleha, Google security and archiving team

What if we told you that a 35 minute tutorial would teach you everything you needed about keeping your Microsoft Exchange, Lotus Notes, or other on-premise email system safe from spam, malware, and viruses? We hope that you'd believe us, and that you'd give our new "Nuts to Bolts" on Google Message Security, powered by Postini, a view.

Don't have 35 minutes? We know the feeling. The topic overview (on the left) lets you pinpoint the subjects that interest you most.

This tutorial is just one from a growing library of information and resources in our Security and Archiving Learning Center. Find a moment to come in and look around.

Ellen Petry Leanse, Google Enterprise Team