SOURCE: Symantec Hosted Services

March 01, 2010 08:00 ET

Social Media Release: Symantec Announces February 2010 MessageLabs Intelligence Report

Spam Volumes Surge in February While Message Size Shrinks

MOUNTAIN VIEW, CA--(Marketwire - March 1, 2010) - Symantec Corp. (NASDAQ: SYMC) today announced the publication of its February 2010 MessageLabs Intelligence Report. Analysis reveals a surge in spam levels in February to 89.4 percent, an increase of 5.5 percent since January mostly due to an increase in spam emanating from the Grum and Rustock botnets. Over the past year, Grum has experienced relatively little change in spam volumes, but from February 5, Grum's output increased by 51 percent making it responsible for 26 percent of all spam, up from its usual 17 percent. Another significant spike in spam volumes occurred on February 17, when global spam volumes increased by 25 percent pushing spam volumes to their highest for the month. The spike was caused by an increase in output from the Rustock botnet. According to MessageLabs Intelligence, both spikes in activity were related to a Canadian pharmacy-style spam run. Pharmaceutical spam now accounts for 65 percent of all spam.

"Whether the spammers are trying to clear this spam run more quickly or have discovered that it is successful, they have certainly been using multiple botnets to distribute high-volume spam campaigns in February," said MessageLabs Intelligence Senior Analyst, Paul Wood. "The activities of this single spam operation have been driving recent global surges in spam rates and strongly impacting global spam levels in turn. Based on these latest spam patterns, we can predict additional surges in spam in the coming weeks."

While spam volumes grew in February, the size of spam messages simultaneously shrank as did the number of spam emails containing attachments. Over the past year, the number of attachments diminished from 10 percent in April 2009 to less than 1 percent in February 2010. The average file size of a spam email has fallen from 5 Kb in October 2009 to 3.3 Kb in February 2010.

"Rather than attach images to emails directly," Wood said, "spammers are choosing to host the image online with a free image hosting service thus reducing the average file size of a spam email and enabling the botnets to send a greater volume of spam per minute."

Currently only 0.56 percent of botnet spam contains an attachment; however, some botnets use attachments more than others. For instance, 6.2 percent of spam from the Cutwail botnet contains an attachment and the Xarvester botnet sends 3.1 percent of attachment-based spam. Other botnets send less than 1 percent of their spam with an attachment.

Finally, the Waledac botnet made a recent comeback before its February 22 demise. Believed by many to be the botnet that replaced the now-defunct Storm botnet, Waledac had been relatively quiet since January 2009. Malware from Waledac first spiked in January 2009 and a year later in January 2010, each spike accounting for approximately one percent of all malware intercepted. In response to a complaint filed by Microsoft, a temporary restraining order was granted, resulting in 277 domain names believed to be associated with the Waledac botnet being taken offline.

"Malware connected to Waledac are not distributed by the botnet itself but are sent by other botnets," Wood said. "Recently, Waledac malware has been sent from the Cutwail botnet. Also noteworthy is that spammers using the Waledac malware seem particularly focused on the major free webmail hosting services using email addresses in use by individuals. Waledac is adept at evading traditional dormant honeypot addresses."

Other report highlights:

Spam: In February 2010, the global ratio of spam in email traffic from new and previously unknown bad sources was 89.4 percent (1 in 1.12 emails), an increase of 5.5 percent since January.

Viruses: The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 302.8 emails (0.33 percent) in February, an increase of 0.02 percent since January. In February 30.5 percent of email-borne malware contained links to malicious websites, an increase of 17.3 percent since January.

Phishing: In February, phishing activity was 1 in 456.3 emails (0.22 percent), an increase of 0.04 percent since January. When judged as a proportion of all email-borne threats such as viruses and Trojans, the proportion of phishing emails had increased by 5.1 percent to 56.1 percent of all email-borne threats.

Web security: Analysis of web security activity shows that 41.6 percent of all web-based malware intercepted was new in February, a decrease of 0.1 percent since January. MessageLabs Intelligence also identified an average of 4,998 new websites per day harboring malware and other potentially unwanted programs such as spyware and adware, an increase of 184 percent since January.

Geographical Trends:

  • Spam levels in Italy reached 93.4 percent in February, positioning it as the most spammed country. 
  • In the US, 90.2 percent of email was spam and 88 percent in Canada. Spam levels in the UK fell to 88.6 percent.
  • In the Netherlands, spam levels reached 91.2 percent, while spam levels reached 89.5 percent in Australia and 91.3 percent in Germany. 
  • Spam levels in Hong Kong reached 90.6 percent and spam levels in Japan were at 86.2 percent.
  • Virus activity in China was 1 in 62.4 emails, keeping it at the top of the table for February.
  • Virus levels for the US were 1 in 488.6 and 1 in 364.8 for Canada. In Germany, virus levels were 1 in 275.8, 1 in 616.3 for the Netherlands, 1 in 315.1 for Australia, 1 in 272.2 for Hong Kong, 1 in 602.6 for Japan and 1 in 319.2 for Singapore.
  • China was the most active country for phishing attacks with 1 in 150.7 emails.

Vertical Trends:

  • In February, the most spammed industry sector with a spam rate of 93.1 percent was the Engineering sector.
  • Spam levels for the Education sector were 90.8 percent, 89.3 percent for the Chemical & Pharmaceutical sector, 89.8 percent for IT Services, 91.1 percent for Retail, 87.6 percent for Public Sector and 88.4 percent for Finance.
  • In February, the Public Sector remained the most targeted industry for malware with 1 in 88.1 emails being blocked as malicious. 
  • Virus levels for the Chemical & Pharmaceutical sector were 1 in 283.3, 1 in 328.2 for the IT Services sector, 1 in 564.7 for Retail, 1 in 149.0 for Education and 1 in 350.4 for Finance.

The February 2010 MessageLabs Intelligence Report provides greater detail on all of the trends and figures noted above, as well as more detailed geographical and vertical trends. The full report is available at

Symantec's MessageLabs Intelligence is a respected source of data and analysis for messaging security issues, trends and statistics. MessageLabs Intelligence provides a range of information on global security threats based on live data feeds from our control towers around the world scanning billions of messages each week.

About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at

NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please visit the Symantec News Room at All prices noted are in U.S. dollars and are valid only in the United States.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Contact Information

    Marissa Vicario
    Symantec Corp.
    +1 646 519 8116

    Paul Wood
    + 44 (0) 1452 627705

    Andrew Antal
    +61 2 908 68239

