Posted:
Editor's note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, that process more than 3 billion email messages per day. More than 50,000 businesses and 22 million users use Google Postini Services to protect themselves from a range of email and web-borne threats.

Q3’10 spam and virus trends confirm that spammers are still hard at work distributing malicious content in new and creative ways. August saw a massive 241% increase in virus volume over July, representing the greatest recorded surge in viral activity since 2008. Overall, payload virus volume increased 42% over Q2’10 and 10% over Q3’09, while spam levels decreased 16% and 24% over the same periods, respectively. The spike in malware attacks during August suggests that we might see higher levels of spam moving forward into Q4 as botnet “seeds” planted during this time begin to take action.

By the numbers
Overall, spam volume stayed relatively constant throughout Q3, with a slight dip in August and September. In comparison to the same time in 2009, spam levels are down 24%. This may be attributed to some recent botnet takedowns, such as the partial Pushdo shutdown, or point to a generally slower summer season for spam.


However, payload virus levels shot up to record-high levels in August. In comparison to August of 2009, we saw a 111% increase in volume overall. What is more remarkable, though, is that this August saw the highest registered number of viruses blocked in a single day: 188 million. This virus surge is even more pronounced than last October’s, when Mega-D, a top-ten botnet, infected over 250,000 computers worldwide before being shut down by a carefully orchestrated campaign by security professionals. This recent increase in viral activity could indicate a “gearing up” as spammers attempt to construct botnets in time for the holiday season and increased consumer spending. With the commercialization of spam in 2006, we’ve often seen a correlation between spam, malware campaigns, and seasonal consumer patterns.

The actual content of this virus wave consisted mainly of traditional spoofing of major brands, along with a new tactic involving recycling previously sent emails taken from the hard drives of infected computers. This new method is more difficult to detect as the wording and content is familiar to the recipient. As always, be on the lookout for suspicious email language and exercise extreme caution when clicking on links. Features in Gmail such as authentication icons can go a long way in protecting your computer, but it’s important to be aware and mindful of these new viral activities when managing your inbox.


An interesting and unusual trend has been in the sizes of the individual viruses being transmitted. Particularly, we’ve seen some irregularly sharp peaks in size throughout September, following the surge in total numbers during August. This could be due in part to increased use of .zip and .html attachments containing malicious JavaScript. Overall, virus traffic continues to be strong and users need to be on high alert when handling suspicious messages. Postini Services customers are strongly encouraged to enable the Early Detection Filtering functionality in order to ensure maximum protection from zero-day virus threats.


Shortened URLs can mask suspicious links
This quarter we detected an increased volume of emails containing shortened URLs linking to suspicious websites. Spammers are increasingly making use of services that shorten URLs as a way of masking the destination website to the user. With the widespread proliferation of shortened URLs, particularly among blogging sites and social networks, it has become increasingly important to remain vigilant and skeptical when evaluating URLs. A shortened URL sent from a “friend” might seem innocuous enough, but, as always, links and emails sent from unknown senders should be scrutinized before further action is taken.
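A mail-gateway check for the masking described above, as an added example that is not Postini's code: it finds links whose host is a known URL shortener and unrolls the redirect chain so the real destination host can be logged or scored. The shortener list is partial, the sample links and redirect table are constructed, and `resolve` is a hypothetical callback standing in for whatever the gateway uses to look up a redirect target.

```python
import re
from urllib.parse import urlsplit

# Partial list of well-known shortening services (illustrative, not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>()]+", re.I)
MAX_HOPS = 5


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def unroll(url, resolve, max_hops=MAX_HOPS):
    """Follow redirects using resolve(url) -> next URL or None.

    Returns (chain, status); gives up on loops and after max_hops redirects.
    """
    chain, seen = [url], {url}
    while len(chain) <= max_hops:
        nxt = resolve(chain[-1])
        if nxt is None:
            return chain, "ok"
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too-many-hops"


def scan_body(body, resolve):
    """Report every shortened link in a message body with its final host."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:!?\"'")          # drop sentence punctuation
        if host_of(url) not in SHORTENERS:
            continue
        chain, status = unroll(url, resolve)
        final_host = host_of(chain[-1])
        if status == "ok" and final_host in SHORTENERS:
            status = "unresolved"               # destination is still hidden
        findings.append({"short": url, "final_host": final_host,
                         "hops": len(chain) - 1, "status": status})
    return findings


# Constructed redirect table and message body (not real links).
REDIRECTS = {
    "http://bit.ly/CONSTRUCTED1": "http://tinyurl.com/CONSTRUCTED2",
    "http://tinyurl.com/CONSTRUCTED2": "http://pills.example.invalid/buy",
}
SAMPLE_BODY = ("Hey, look at this: http://bit.ly/CONSTRUCTED1. "
               "More on our site: http://www.example.com/news")

if __name__ == "__main__":
    for finding in scan_body(SAMPLE_BODY, REDIRECTS.get):
        print(finding)
```

A link that ends in "unresolved", "loop" or "too-many-hops" still hides its destination and is best scored as if the destination were unknown.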

Beware false financial transaction messages
We continue to see false notifications claiming to be sent by various financial authorities. Spammers will frequently send their targets a simple yet authoritative message alerting them of a rejected or unauthorized transaction, then provide a false link directing them to a website. The format of these emails is often simple and innocuous, making it difficult to ascertain the malicious content from a quick glance.

Continued use of NDRs
Non-Delivery Reports/Receipts (NDRs) are legitimate messages used to alert users that a sent email has not been delivered correctly. Back in July we noticed an upswing in false NDRs bearing malicious JavaScript. As a hybrid between virus and spam messages, these messages were in reality obfuscated JavaScript attacks, directing users to a particular website or initiating an unexpected download. The user is often unaware of the attacks, making these messages particularly dangerous and difficult to detect. However, Google’s vast network and patented filtering technology were able to detect these messages early on and respond quickly. The Postini-Anti-Spam-Engine (PASE) was immediately updated in response and has been protecting users throughout Q3 from the continued use of false NDRs.

Fake celebrity gossip
Although August was a slower month in terms of overall spam volume, we saw a substantial spike in messages claiming to break the news of untimely and sudden deaths of various high-profile celebrities. The messages referenced a zip file that in turn contained a virus. These messages, similar to various classic phishing scams involving “friends” in need, attempt to pique a user’s interest with an alarming subject line and content. This has proven to be a successful tactic – hence its continued popularity – as users will often open an email instinctively in response to a particularly emotional or compelling subject line. In response to these attacks, our engineers have developed and released filters designed to combat new spam waves.

Stay safe with a cloud-based security solution
Postini’s hosted email security solutions provide comprehensive spam and virus filtering in the cloud – before they reach the network level. Google’s vast network filters billions of messages a day from all over the globe, creating a “network effect” that allows Google to identify emerging threats and respond early.

For more information on how Google Postini Services can help your organization remain safe, compliant, and spam-free, please visit www.google.com/postini.

Posted:
Enterprise Holdings is the largest rental car company in North America and operates Alamo Rent A Car, Enterprise Rent-A-Car and National Car Rental. They manage over 1.1 million cars, 68,000 employees and 7,600 locations around the world. When Enterprise Holdings wanted to add more security to their corporate e-mail, they chose Google Postini Services.

Join us for a free webinar on September 28, where Michael Preuss, Manager of Windows Engineering for Enterprise Holdings, will discuss why his company chose a cloud-based message security solution and how Postini’s powerful spam filtering technology was able to help them address their email security challenges. Adam Swidler, Senior Manager with Google Enterprise, will also provide an overview of Google’s security solutions and facilitate a deep-dive discussion into best-in-class practices for organizations interested in enterprise-grade protection.

A live Q & A session will follow. We hope you can join us!

Message Security in the Cloud
Tuesday, September 28th, 2010
10 a.m. PDT / 1 p.m. EDT / 6 p.m. GMT
Register here

Posted by Adrian Soghoian, Google Postini Services team

Posted:
Editor's note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which processes more than 3 billion email messages per day in the course of providing email security to more than 50,000 businesses and 18 million business users.

Spam and virus volumes this year have continued their upward trend. Q2’10 has seen a sharp 16% increase in spam volume over Q1’10. Virus traffic has increased a moderate 3% this quarter; however, Q2’10 virus traffic was 260% higher than Q2’09. These trends tell us that the spammers are still extremely active, and their botnets produce high levels of spam and virus traffic.

By the numbers
Spam volume shot up 16% from Q1’10 to Q2’10. Overall, however, spam levels are down 15% from Q2’09.

Virus volume grew quickly at the beginning of the quarter, shooting up 90% from March to April, but then quickly dropped off. We saw only a modest 3% uptick from Q1’10 to Q2’10 at the aggregate level. Compared to Q2’09, this represents a 260% increase.

One interesting trend we noticed is that the size of individual spam messages rose 35% from Q1’10. This points to the fact that spammers are sending more image-based spam, as well as viruses as attachments.

New methods of attack
We have also seen a recent surge in obfuscated (hidden) JavaScript attacks. These messages are a hybrid between virus and spam messages. The messages are designed to look like Non Delivery Report (NDR) messages, which are legitimate messages; however, they contained hidden JavaScript which in some cases tried to do things the user may not have been aware of.

In some cases, the message may have forwarded the user's browser to a pharma site or tried to download something unexpected, which is more virus-like. Since the messages contained classic JavaScript which generates code, the messages could change themselves and take multiple forms, making them challenging to identify.

Fortunately, our spam traps were receiving these messages early, providing our engineers with advanced warning which allowed us to write manual filters and escalate to our anti-virus partners quickly. In addition to this, we updated our Postini Anti-Spam Engine (PASE) to recognize the obfuscated JavaScript and capture the messages based on the underlying code to ensure accuracy.
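A detection sketch for the false NDRs described in this post and in the Q3’10 post above, as an added example that is not PASE's logic: it decodes every text part of a message, looks for constructs typical of self-generating JavaScript, and checks whether a message that presents itself as a bounce has the multipart/report structure of a standard delivery status notification. The marker list, verdict names and all three sample messages are constructed for illustration.

```python
import base64
import re
from email import message_from_string, policy

# Constructs typical of obfuscated, code-generating JavaScript (assumed list).
SCRIPT_MARKERS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "unescape": re.compile(r"\bunescape\s*\(", re.I),
    "fromCharCode": re.compile(r"String\.fromCharCode", re.I),
    "document_write": re.compile(r"document\.write\s*\(", re.I),
}
NDR_SUBJECT = re.compile(
    r"undeliver|delivery (status|failure)|returned mail|failure notice", re.I)


def looks_like_ndr(msg):
    """Does the message present itself as a bounce (sender or subject)?"""
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", ""))
    return ("mailer-daemon" in sender or "postmaster@" in sender
            or bool(NDR_SUBJECT.search(subject)))


def has_delivery_status(msg):
    """Standard NDRs are multipart/report with a message/delivery-status part."""
    if msg.get_content_type() != "multipart/report":
        return False
    return any(p.get_content_type() == "message/delivery-status"
               for p in msg.walk())


def script_markers(msg):
    """Names of markers found in any text part, after transfer decoding."""
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True)     # undoes base64 / quoted-printable
        if raw is None:
            continue
        try:
            text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:                     # unknown charset label
            text = raw.decode("latin-1")
        found.update(n for n, rx in SCRIPT_MARKERS.items() if rx.search(text))
    return found


def classify(raw_message):
    """Return (verdict, sorted marker names) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    markers = sorted(script_markers(msg))
    if not looks_like_ndr(msg):
        return "not-ndr", markers
    if markers:
        return "fake-ndr-script", markers
    return ("ndr-ok" if has_delivery_status(msg) else "ndr-unverified"), markers


# --- Constructed sample messages ---
GENUINE_NDR = """\
From: MAILER-DAEMON@mx.example.net
To: alice@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Your message could not be delivered.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; bob@example.org
Action: failed
Status: 5.1.1

--b1--
"""
_FAKE_HTML = ('<html><body>Delivery failed.<script>var u=String.fromCharCode'
              '(104,105);eval("void 0");</script></body></html>')  # harmless
FAKE_NDR = (
    "From: Mail Delivery Subsystem <mailer-daemon@mail.example.invalid>\n"
    "To: alice@example.com\n"
    "Subject: Delivery Status Notification (Failure)\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(_FAKE_HTML.encode()).decode() + "\n")
ORDINARY = ("From: bob@example.org\nTo: alice@example.com\n"
            "Subject: Lunch on Friday?\n\nSee you at noon.\n")

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE_NDR), ("fake", FAKE_NDR),
                      ("ordinary", ORDINARY)]:
        print(name, classify(raw))
```

The fake sample is base64-encoded on purpose: matching on the raw message would miss the script, which is why the check runs on decoded parts.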

The classics
Although they’ve added a few new tricks to their bag, spammers continue to exploit tried and true techniques, including:

• False Social Networking Messages
Social networks continue to be one of the most frequently spoofed domains for the purpose of spreading phishing scams and virus downloaders. These messages do not actually come from social networks but look similar to legitimate social networks messages. Such messages often contain links to external websites which contain malicious content and/or attempt to harvest user login information. The Postini Anti-Spam Engine is very good at detecting such messages, but users should always be cautious when handling messages from popular social networking sites.

• Current events
As always, spammers continue to spoof major news stories, and this quarter, we saw an increase in spam involving the World Cup. Here is one example of a virus downloader that our spam filters caught:

• Shipping scams
The shipping scam is a favorite of spammers. This quarter we saw a more widespread outbreak of messages claiming to be from major shipping companies because spammers get a higher success rate with these types of scams. The subject for the message made it look like an invoice and the message body contained random text such as news stories that did not look particularly "spammy." Each message had an attached zip file that presumably was intended to contain some sort of virus payload; however, the data was corrupt and did not pose any actual threat.

Stay safe from phishing scams
With the global economy continuing to lag, we have seen a continued upswing in “friend-in-need” phishing attempts, where hackers break into the email account of unsuspecting users and then hand-type a message to send to the victim’s email contacts.

The most common message told a story of the person being mugged while traveling abroad and requesting money to be sent to them in order to help them get home. The hacker is preying on the generosity of the victim's friends in the hopes that one or more of them will send money to them. These messages can be difficult for spam filters to identify since they are hand-typed and not sent in bulk. It goes without saying, but be wary of emails requesting money – regardless of the sender.

In response to these outbreaks, our engineers have released several updated filters to combat new spam waves.

Conclusion
Spam volume fluctuates in the short term, but overall, for the last 3 quarters spam volume has been relatively flat. Spammers continue to exploit techniques that have proven results, but as we have seen with obfuscated JavaScript attacks, spammers are always experimenting with new techniques to stay ahead of security measures. Google Postini Services customers are protected from the brunt of these increases in spam volume.

For more information on how Google’s security and archiving services can help your business stay safe and compliant, please visit www.google.com/postini.

Posted by Adam Hollman and Gopal Shah, Google Postini Services team

Posted:
Editor's note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which processes more than 3 billion email connections per day in the course of providing email security to more than 50,000 businesses and 18 million business users.

In 2009, the security community started seeing diminishing returns from the takedown of malicious ISPs. After the ISP 3FN was taken down, spam levels rebounded in less than a month, and after Real Host went down, spam volumes recovered after only two days. In response, the anti-spam community turned its attention toward taking botnets offline instead.

Toward the end of 2009, Mega-D, a top-10 botnet – responsible for infecting more than 250,000 computers worldwide – was severely crippled through a carefully orchestrated campaign designed to isolate the command-and-control servers spammers were using to support the botnet. In early 2010, security professionals, along with government agencies, successfully mounted a campaign against several more targets: major botnets such as Waledac, Mariposa, and Zeus were either shut down or had their operations significantly curtailed.

However, this recent spate of botnet takedowns has not had a dramatic impact on spam levels. Although spam and virus levels did fall below Q4’09 highs, reports from Google’s global analytics show that spam levels held relatively steady over the course of Q1’10.

This suggests that there’s no shortage of botnets out there for spammers to use. If one botnet goes offline, spammers simply buy, rent, or deploy another, making it difficult for the anti-spam community to make significant inroads in the fight against spam with individual botnet takedowns.

Spam by the numbers
Overall, spam volume fell 12% from Q4’09 to Q1’10, which follows a trend of quarterly decreases in overall spam levels that started after the surge in Q2’09. This may be attributed to some of the recent takedowns, but spam volume was still 6% higher this quarter than it was during the same period in 2009, and spam volume as a percentage of total email messages is holding steady.


Recently, our data centers showed a 30% increase in the size of individual spam messages (measured in bytes) that occurred toward the end of March, as shown below.


This spike points to a resurgence of image spam, similar to what we reported in Q2’09. This is likely due to the fact that reusing image templates makes it easier and faster for spammers to start new campaigns.

As always, spammers tend to make use of predictable topics – cheap pharmaceuticals, celebrity gossip, breaking news – to encourage user clicks. In January, spammers hastened to exploit the Haiti earthquake crisis, sending pleas for donations that appeared to have been sent by reputable charitable organizations, politicians, and celebrities.

The frequency and variety of post-earthquake spam illustrates an unpleasant reality: spammers will exploit any means – even tragedies – to accomplish their objectives.


Virus levels fall after Q4’09 surge
During 2009, spam with attached viruses increased tenfold, with levels rising from 0.3% of total spam in the first half of the year to 3.7% in the second. Postini filters blocked more than 100 million virus-bearing messages per day during the worst of the attack.

Since then, spam with attached viruses leveled off to around 1.1% in Q1’10, and dropped as low as 0.7% in March. It’s good news that virus levels are currently trending down – but Q1’10 levels are still 12-fold higher than they were in Q1’09.

In fact, this virus surge may be part of the reason that there hasn’t been a significant impact on spam volume after the recent takedown of major botnets. With a host of new machines now infected and part of a botnet, it is unlikely that there would be a dip in spam proliferation.

Benefits of security in the cloud
Although the botnets that distribute spam are mindless drones, the spammers that take advantage of these botnets are a highly active and adaptable group. This is evidenced by the varied techniques and tactics that they employ in an ongoing effort to evade spam filters and deliver messages to their targets.

2010 is likely to see more botnets taken offline, but the question remains – will that have a long-term impact on spam volumes overall? So far in 2010, the effect has been limited, and the security community may begin to turn to other tactics that yield a more substantial impact on global spam volumes.

As long as the threat is there, however, Google is committed to using the power of the cloud to protect your enterprise from spam and viruses. Outsourcing message security to Google enables you to leverage our technical expertise and massive infrastructure to keep spammers from your inbox.

For more information on how Google’s security and archiving services can help your business stay safe and compliant, please visit www.google.com/postini.

Posted by Gopal Shah, Google Postini Services team

Posted:
Editor's note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which processes more than 3 billion email connections per day in the course of providing email security to more than 50,000 businesses and 15 million business users.

Back in 2007, we saw the first variants of a big virus attack later labeled the "Storm" virus. During that summer, Storm attacked with force, pushing payload spam activity to then-unprecedented levels and sustaining them for several months. The security community eventually caught up, and payload spam activity fell to nominal levels and held there. That is, until this year: Q2'09 saw a significant surge in payload spam activity, and now Q3'09 levels have made the 2007 Storm virus attack look small in comparison. Postini data centers have blocked more than 100 million viruses every day during what has so far been the height of the attack.


The majority (55%) of these viruses are messages like the one you see below, a fake notice of underreported income from the IRS (which the IRS distributed an alert on earlier this week). Another large contingent (33%) have come in the form of fake package tracking attachments, which were already on the rise in Q2. You might think a spoofed IRS notice or package tracking email is obviously spam, and wonder who would fall for it and actually click on the attachment.

However, at these volumes, it takes only a tiny fraction of the recipients being fooled for the spammers to add hundreds of computers to their botnets every day.


ISP takedowns continue, overall spam levels steady

Last quarter we saw a temporary 30% drop in overall spam levels following the 3FN ISP takedown, and the ISP takedown trend continues into Q3 with a new culprit called Real Host, a large Latvia-based ISP that was disconnected by upstream providers on August 1. This takedown didn't have the same drastic effects of McColo (last November), but it was comparable to 3FN. Ultimately, the effects of the Real Host takedown lasted only two days, with an initial 30% drop in spam followed by a quick resurgence.

Overall, spam levels remained steady this quarter, with little growth or decline since the Real Host incident. In Q3, spam as a percentage of total message volume is hovering around 90%, down from the Q2 average of around 95%. Q3'09 average spam levels were down 8% from Q2'09 and on par with levels in Q3'08. Spam levels also saw smaller ups and downs than in previous quarters.


Older spam techniques driving message size up

Last quarter we reported on the trend toward larger message sizes, measured in bytes. The trend has continued into this quarter, making 2009 a year of resurgence in old techniques such as image spam and payload viruses. When considering the spam bytes processed per user, growth has been steep in 2009, with Q3'09 rates up 123% from Q3'08.

Organizations that process spam inside their network should pay attention to this trend. The larger sizes create a bandwidth burden that can impact speed across your network. As the chart shows, Q2'09 delivered the record high to date for spam size – and subsequently for bandwidth drag for teams that manage spam in-house, potentially forcing those organizations to upgrade their capacity limits.


Best practices to optimize your enterprise spam filter

A common piece of feedback we get from our customers is that many of the messages in their spam folder or quarantine seem to come from "them" – from what appear to be valid email addresses from their own domain. These email addresses are actually spoofed (a common technique to mask the real origins of a message), and spammers employ this technique to take advantage of a mistake organizations sometimes make in configuring their spam filters: adding their own domain to their approved sender list.

While this might seem like a good idea at first glance – we want to make sure we don't block email from our colleagues, right? – in practice all it does is open your organization up to spoofed email. With that in mind, we strongly recommend that organizations not add their own domains to their approved sender lists. (Don't worry – legitimate mail from within your domain is correctly identified by filters and generally gets through just fine.)
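Why the approved-sender mistake described above lets spoofed mail through, as an added example that is not Postini's implementation: an approved-sender match is made on the From header, which the sender controls, and a match skips content filtering. The entry syntax, function names, threshold and sample messages are assumptions constructed for illustration; `spam_score` stands for whatever score the content filter would have assigned.

```python
from email.utils import parseaddr


def _entry_domain(entry):
    """Domain of an approved-sender entry: user@dom, *@dom, *.dom or dom."""
    return entry.strip().lower().rpartition("@")[2].lstrip("*.")


def entry_matches(entry, address):
    """Does one approved-sender entry cover this From address?"""
    entry, address = entry.strip().lower(), address.lower()
    local, at, _ = entry.rpartition("@")
    if at and local not in ("", "*"):
        return address == entry                  # exact-address entry
    dom = _entry_domain(entry)
    addr_dom = address.rpartition("@")[2]
    return addr_dom == dom or addr_dom.endswith("." + dom)


def own_domain_entries(approved, own_domains):
    """Audit: approved-sender entries that point at the organization itself."""
    own = {d.lower() for d in own_domains}
    return [e for e in approved
            if any(_entry_domain(e) == d or _entry_domain(e).endswith("." + d)
                   for d in own)]


def filter_verdict(msg, approved, threshold=0.5):
    """Approved senders bypass content filtering; everything else is scored."""
    address = parseaddr(msg["from"])[1]          # header value, unauthenticated
    if any(entry_matches(e, address) for e in approved):
        return "delivered-unscanned"
    return "quarantined" if msg["spam_score"] >= threshold else "delivered"


# Constructed configuration: the weak list beside the corrected one.
OWN_DOMAINS = ["example.com"]
WEAK_APPROVED = ["*@example.com", "billing@mail.example.com",
                 "partner.example.org"]
FIXED_APPROVED = ["partner.example.org"]

# Constructed messages: a spoofed "internal" sender and a real colleague.
SPOOFED = {"from": '"IT Helpdesk" <helpdesk@example.com>', "spam_score": 0.97}
INTERNAL = {"from": "Bob <bob@example.com>", "spam_score": 0.02}

if __name__ == "__main__":
    print("audit:", own_domain_entries(WEAK_APPROVED, OWN_DOMAINS))
    for name, approved in [("weak", WEAK_APPROVED), ("fixed", FIXED_APPROVED)]:
        print(name, filter_verdict(SPOOFED, approved),
              filter_verdict(INTERNAL, approved))
```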

For more information on how Google email security services, powered by Postini, can help your organization provide better spam protection and take a load off your network by halting spam in the cloud, visit www.google.com/postini.

Posted by Adam Swidler, Google Postini Services team

Posted:
Editor's Note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which provide email security to more than 50,000 organizations, including businesses of all sizes, government agencies, and educational institutions. To learn more about what the Gmail team is doing to keep spam out of your inboxes, check out this post.

Our "Spam Trend" update last quarter summarized the rise in both levels and types of spam, with new players and techniques entering the market. This quarter, proliferation continues, with an unpredictable pattern of drops and spikes as 2009 moves along. Overall, spam is measurably up: Q2'09 average spam levels are 53% higher than in Q1'09 and 6% higher than in Q2'08.

After last November's McColo ISP takedown, when spam volumes dropped by 70%, spammers worked overtime to fill the void. They succeeded: Within four months, spam levels rose back to pre-McColo levels. This upward trend continued through June 4, when another large ISP spam source, 3FN, was reported to have been dismantled. Spam volume immediately dropped 30% – not as extreme as McColo, but still significant. Although this created a sudden dip in spam levels, it also created an open invitation for opportunistic spammers to once again seize a market opportunity.

Over the coming months, we anticipate watching new players once again drive spam levels back up. Since June 4, spammers have already made up a significant amount of ground, climbing 14% from the initial drop.

Here's what the trend looked like, as tracked through Postini filters, over the past six months:


"Unpredictability" summarizes the overall trend as Q2'09 winds down and spammers test both new and "retro" techniques. For example, on June 18 we tracked a new attack that unleashed 50% of a typical day's spam volume in just two hours' time. This attack used a simple "newsletter" template – somewhat "old school" by today's spam standard – with malevolent links and images inserted into the content. Google's Postini filters detected more than 11,000 variants of this spam during those two hours. Because this spam enabled spoofing of the recipient domain (meaning the "from" field was falsified), distribution lists were especially hard-hit by this attack.


Resurgence of image spam

One of the other trends we're watching closely is the sudden popularity of "image spam" – a form of spam that rose to prominence in 2007, before most anti-spam filters learned how to block it. It's simple stuff: basic email with advertising content, usually containing a related image. They can also include malicious links or content – and either way, the large file size of an image spam can place a heavy load on an email network.

An image spam email might look something like this:



Evidence of the resurgence in image spam can be seen in the graph below, which shows that the actual size of spam messages, measured in bytes, is back on the rise:


There are a couple of possible explanations for the resurgence in image spam, despite the fact that most spam filters out there have adapted to the technique. One theory is that this wave is designed to test the defenses of the different spam filters out there, so that spammers can do statistical analysis on what subject lines and content have the highest probability of success.

Another is that there may be some new players entering the spam game, following the McColo and 3FN takedowns, and these new players are opening with some well-tested techniques. Either way, we're watching this trend and will share insights as we gain them in the weeks and months ahead.

Spike in payload viruses

June was also an active month for viruses sent as email attachments, otherwise known as "payload viruses." Volumes rose to their highest level in almost two years as spammers returned to yet another tried-and-true technique to expand their botnets.

As you can see in the chart below, June's activity is almost as high as the two-month payload virus surge seen in Q3'07. Fortunately, Google's Postini zero-hour heuristics detected this uprise early and kept payload attacks in the cloud and away from users' email networks.


Everything old might be new again

In summary, Q2'09 saw continued unpredictability and the resurgence of old-style spam attacks. Are spammers finally running out of original ideas? And if so, like Hollywood, are we now starting to see spam "remakes," based on originals of a few years ago? And what are spammers looking to accomplish as they unleash these remakes? Only time will tell.

For more information on how Google email security services, powered by Postini, can help your organization provide better spam protection and take a load off your network by halting spam in the cloud, visit www.google.com/postini.

Posted by Amanda Kleha, Google message security and archiving team

Posted:
Editor's Note: The spam data cited in this post is drawn from the Google enterprise security and archiving security network (Postini), which delivers an added layer of security for standalone mail servers and Google Apps Premier Edition customers. For a discussion of the anti-spam measures included in Gmail, please see this post from the Gmail blog.

In providing email security to more than 50,000 businesses and 15 million business users, Google security and archiving services, powered by Postini, process and cull spam from more than three billion enterprise email connections every day. This gives us strong insights into the state of the spam industry, some of which we share in regular posts to this blog.

Read on for a quick overview of spam trends and events in the first quarter of 2009.

What we saw in the Postini data centers

The most significant spam-related event in the first quarter of 2009 occurred when spam volume returned to pre-McColo takedown levels. By the second half of March, seven-day average spam volume was at the same volume we saw prior to the blocking of the McColo ISP in November 2008.


Spammers have clearly rallied following the McColo takedown, and overall spam volume growth during Q1 2009 was the strongest it's been since early 2008, increasing an average of 1.2% per day. To put that number into context, the growth rate of spam volume in Q1 2008 was approximately 1% per day – which, at the time, was a record high.

Of course, like every year before it, 2008 set a new record for overall spam volume. But in 2008 spam growth flattened over the summer and early fall, and then fell off a cliff after the McColo takedown (daily growth declined to .8%, .3%, and then .01% in the last three quarters of the year). This pattern raises some interesting questions regarding what we can expect in the rest of 2009: Will spam growth once again flatten or decline after a strong first quarter? Or have spammers – as part of their recovery from the McColo takedown – rebuilt botnets to be capable of sustaining or even accelerating this early growth spurt?

It's difficult to ascertain exactly how spammers have rebuilt in the wake of McColo, but data suggests they're adopting new strategies to avoid a McColo-type takedown from occurring again. Specifically, the recent upward trajectory of spam could indicate that spammers are building botnets that are more robust but send less volume – or at least that they haven't enabled their botnets to run at full capacity because they're wary of exposing a new ISP as a target.

New types of spam

The most significant development in spam vectors this quarter was the appearance of location-based spam. In this type of attack, users click on a link in a spam message and are directed to a page that contains a fraudulent news headline describing a crisis or disaster in a major city nearby. The attack customizes the location for each user by determining the geolocation of the user's source IP and then identifying the nearest major city. The addition of location creates a heightened level of interest, and the user is tempted to click on the embedded video – which in turn downloads a virus to his or her machine.

Meanwhile, the economy, financial markets, job cuts, and resume help continue to be the most prominent topics spammers are employing as lures for more traditional attacks. We also saw increased spam activity around the U.S. presidential inauguration and St. Patrick's Day, in keeping with the recent propensity spammers have demonstrated for reading the news and keeping their eyes on the holiday calendar in targeting their attacks.

Virus roundup

In early 2008, a trend emerged in which we saw spam messages with attached viruses (otherwise known as "payload viruses") spiking every Sunday, possibly targeting a maintenance window to catch corporate defenses when they were undergoing scheduled updates.


This year we've seen the payload viruses spread out across every day of the week, with no immediately obvious pattern in their distribution. It's difficult to say for certain what prompted the change, but one possible explanation is that spammers switched tactics because they weren't seeing the success they'd hoped for from the focused attacks.


Of course, payload viruses have also seen a recent spike overall -- in the month of March we saw a 9x increase from February. This pales in comparison to the highs we saw last summer, but it may indicate a developing trend that's worth keeping a close eye on.

Viruses delivered as a blended threat (when a spam message directs a user to a malicious website, which then results in a virus being downloaded to the user's computer) continue to be popular with spammers. E-cards are one of the best examples of this vector, and Valentine's Day saw a flurry of activity using e-cards to direct users to malicious websites.

Conclusions

Spammers continue to prove their resilience -- whether it's bouncing back from the biggest takedown on record or finding new ways to exploit the ways we communicate for malicious purposes, they're clearly here to stay. And Google believes firmly in the power of the cloud to protect your enterprise from them: Outsourcing message security to Google enables you to leverage our technical expertise and massive infrastructure to keep spammers from your door. See how much spam is costing your business, learn how much you could be saving with Google Message Security, or contact us for more information.

Posted by Amanda Kleha, Google security and archiving team

Posted:
[Ed. Note: The spam data cited in this post is drawn from the Postini Message Security network, which processes and culls spam from more than 2 billion enterprise email connections per day, giving Google strong insight into the state of the spam industry overall. For a discussion of what Google is doing to keep spam out of your Gmail inboxes on the consumer side, check out this post.]

In November 2008 a large source of the world's spam, the McColo network, was taken offline. Prior to that, spam levels had been holding relatively constant. But when McColo went offline, we saw spam drop by 70% compared with previous levels. However, spammers are recovering with vigor.

While spam is still down overall, it's important to note its rate of growth. Spam levels are up by 156% since November 2008. As spammers recover, the increased rate of spam growth will likely have total spam volumes back to pre-McColo levels within a few months.



Although McColo received a lot of attention, the highest volume of spam in 2008 actually came on April 23, which was an all-time high spam level for Google Message Security data centers. That day, the average number of spam messages blocked per user was 194. This peak was driven by an unprecedented number of non-delivery receipt (NDR) attacks we saw in April. One customer who was the target of a specific NDR attack said that their users were receiving an average of 100 emails every minute.

As spammers fill the void left by McColo, it's reasonable to anticipate a decreasing rate of growth as spam reaches November 2008 levels. However, since the November levels weren't even the peak for the year, and since spammers appear to be quickly recovering, the question remains: Where will spam volume top out in 2009? Will it be near the November 2008 level? The April 2008 level? Or higher?



One way to approach that question might be to compare 2008 overall levels with previous years. Spam threats rose visibly in 2008, reflecting the overall trend of rising attacks. Even with the drop in November 2008, spam levels climbed 25% over 2007. Our statistics show that the average unprotected user would have received 45,000 spam messages in 2008 (up from 36,000 in 2007). All indicators suggest this trend will continue as virus, malware, and link-based attacks become both more frequent and more ingenious.



Looking ahead to the rest of 2009, we expect viruses sent via email and in blended attacks (email and web) to continue to be a serious threat. During the second half of 2008, virus volume increased six-fold from the first half of the year. These spam messages would often try to fool users by mimicking legitimate emails such as package tracking notifications or invoices that included virus attachments. Another popular technique in 2008 was emailing spoofed news alerts with URLs that would link to a website hosting the virus.

We can also expect that viruses and malware will continue to be a key tool and area of focus for spammers to upgrade their platforms. Even though virus attachment volumes have been low so far this year, we expect spammers to work hard to rebuild their networks to replace what was lost in the McColo shutdown.

Of course, the only thing we can really say with certainty about 2009 is that spam and viruses will continue to be unpredictable. And given that uncertainty, virus detection and blocking technologies become even more important. Last year we released advanced new anti-virus heuristics that specifically targeted zero-hour vulnerability (the period of time between when a new virus enters the wild and the release of the anti-virus signature file). When the zero-hour protection identifies a suspicious message, the message is scanned using the new anti-virus heuristics, and if confirmed as a virus, the message is quarantined.

The chart below is an example of our new heuristic virus detection and blocking at work. On October 1, 2008, our automated technology detected a viral message pattern (later identified as a new strain of the Downloader-AAP!zip) in the wild and started quarantining messages with this virus. Five hours later we received the new virus signature file from one of our anti-virus partners and the signature-based blocks began to take effect.



As seen from the roller-coaster ride of spam and viruses in 2008, spam has again demonstrated its resiliency. Despite eliminating a major source, spam keeps coming back. Spammers are re-investing with increasing speed to evolve their systems into decentralized, harder-to-detect ecosystems. If you'd like to know more about Google's anti-spam solution for businesses, visit us at www.google.com/a/security.

Posted:
In today's economic climate you need to be more efficient with your IT budget. And since email is a key tool for almost every business, keeping spam and malware out of inboxes remains a top priority. In our experience, companies often overlook the productivity costs that spam and viruses have on their business. This simple ROI calculator lets you see how much spam can impact expenses and productivity, particularly if your current anti-spam solution is waning in effectiveness.

Once you quantify how much spam is costing your company, it makes sense to re-evaluate the IT options for managing spam. The first, and perhaps biggest, decision is whether to keep spam filtering in-house or use a hosted service. It can be difficult to add up the true expenses of each solution. On the surface, the cost of an appliance may seem reasonable, but the up-front costs are just the beginning in a complete cost-of-ownership calculation.

At Google, we believe that email security makes sense as a hosted service for several cost-related reasons:

* A cloud computing solution provides you with a predictable expense. A spike in spam can hit at any time, and companies using an in-house solution may find themselves dealing with the unexpected capital expense of a new appliance to deal with the load.

* You save on maintenance costs. After installation, most in-house appliances require regular upgrades and maintenance. With a hosted solution, all the updates are handled through the cloud. Nothing to worry about or budget for.

* Using the cloud makes email security more effective. With a hosted service such as Google Message Security, you tap into a network of intelligence that spans more than 40,000 businesses and 14 million users, reaping the benefits of the economies of scale that come with that.

To help you understand the whole cost of spam, we're introducing a TCO (total cost of ownership) calculator, which lets you compare expenses for in-house appliances versus hosted services. Using a three-year time horizon and considering both start-up and maintenance costs, companies can save thousands by choosing a hosted service. The graph below models the results of one cost scenario, for a 100-user company:



Let's look at a customer who was re-evaluating their spam solution last year: Gaines, Wolter, & Kinney, P.C. is a civil litigation firm in Birmingham, Alabama, that specializes in tort defense. They needed a solution that would reduce the inflow of network traffic and be cost effective. David Hebert, an IT administrator for GW&K, recalls, "Our limits on connection bandwidth meant that a service that filtered out spam was a no-brainer decision." But David needed data to convince management that a change was essential. He used an ROI calculator and found that they were losing 122 hours per employee in productivity each year to spam. With the hourly rate of their lawyers, this meant that choosing Google Message Security paid for itself in 1 day.

If your business is interested in learning more about how hosted services like Google Message Security can save you money and increase productivity, visit us at www.google.com/a/security.

Posted:
Last week, a web hosting service that was a significant source of spam was taken offline by the combined efforts of Security Fix and several Internet providers. Google would like to congratulate Security Fix for leading this effort and striking another blow in the battle to stamp out spam on the web. The removal of this service helps "clean up" the web for everyone, and dovetails with efforts like Google's to make web communications safer and more secure in all of the ways that people use it.

We'll continue to monitor spam traffic, as we always do, but here's what we've seen in the past few days:


On November 11, when the spam source was taken down, we saw a 70% drop in spam from levels seen at the beginning of the month. However, we've seen drops like this before. In late July this year there was a similar drop that was reversed within a few days.



Gmail servers, which also noticed a drop in spam on November 11, are now showing an upward trend as new sources of spam, as always, continue to emerge.
The team at Google stays "on guard" as the fight continues!

Posted:
In their recently released Magic Quadrant for Email Security Boundaries (published September 11, 2008), Gartner Inc., an information technology research and advisory company, placed Google in the "Leaders Quadrant." Quadrant leaders, as Gartner defines them, are "performing well today, have a clear vision of market direction, and are actively building competencies to sustain their leadership position in the market." Quadrant leaders also "offer a comprehensive and proficient range of email security functionality, and show evidence of superior vision and execution for current and anticipated customer requirements. Leaders typically have relatively high market share and/or strong revenue growth, own a good portion of their threat or content-filtering capabilities, and demonstrate positive customer feedback for anti-spam efficacy, and related service and support." The report goes on to say that "The email security market is rapidly maturing, yet continues to show strong growth and remains a 'must have' security purchase."

We're pleased to be included in this report and recognized in the leaders quadrant, as it underlines, in our opinion, the importance we attach to protecting against email-based threats and the ways we're helping our customers do so. Since the integration of the Postini email security product line in 2007 into Google's Enterprise Apps, Google has continued to innovate these products with functionality for our customers, including a new early detection quarantine that uses our own heuristics to detect new virus strains before virus signatures are available. We have also added new content filter types, policy prioritization for messages that trigger more than one policy, and new policy engine interface features.

The Gartner Magic Quadrant is copyrighted 2008 by Gartner, Inc., and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders" quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Posted:
In July, our Postini datacenters saw the biggest volume of email virus attacks so far in 2008, with a peak of nearly 10 million messages on July 24. One of the more prominent attacks in the month involved a spoofed UPS package-tracking link that was intended to lure recipients into clicking on it and downloading malware. Our zero-hour virus protection technology first started catching these emails on July 20.



Many of the viruses we see follow a similar format, in which the destination of a website link embedded in the email differs from what the link displays. Another recent example was a spoofed CNN newsletter sent out by spammers. In this case, the content included current news stories with numerous links in the message. The majority of the links were valid, but there were some that were replaced with malicious links. As soon as our technology started detecting these messages, we implemented a filter to stop these elusive viruses and voila! -- all of our 14 million business users were protected. This network effect and rapid protection against these new tactics is why businesses are increasingly moving their email security into the cloud.

Viruses tend to increase during the summer months, and August is already showing some new types of viruses. On August 5, we saw a large inflow of messages with an encrypted .RAR attachment. The overall 2008 trend has been a decrease in the use of attachments, so this new virus is confirmation that spam doesn't follow trends for long.
These examples are also a good reminder about the importance of educating our colleagues, friends, and family on how to safely interact with email -- namely, that we should all be careful about clicking on links in emails, even if those messages appear to be from people or organizations we know.

Join Google security experts for an upcoming webinar for IT professionals that will explore the topic "How spam is changing your business email, and what to do about it" on Friday, August 15, at 10:00 am PDT.

For more information on how Google can help your business secure its email and web traffic, visit us at www.google.com/a/security.