SOURCE: Marshal

August 12, 2008 09:20 ET

Spam Volume Doubles and Is More Likely to Be Malicious

Marshal TRACE Midyear Threat Report Warns 45 Percent of Internet Users Are at Risk From New Cyber Criminal Tactics

ATLANTA, GA--(Marketwire - August 12, 2008) - Cyber criminals are using 'blended attacks' to distribute malware and links to hacked websites via email on an unprecedented scale. Unpatched browsers are putting more than 45 percent of Internet users at risk when they visit legitimate Websites infected with malicious code. Three botnets are responsible for 75 percent of all spam, pumping out billions of messages every hour through zombie clients and being used to launch mass attacks on Websites. These are the key findings of the Marshal Threat Research and Content Engineering (TRACE) report for the first half of 2008.

In an alarming new development, spam sent from webmail accounts that had been automatically created using CAPTCHA-breaking technology was seen to be on the increase, rendering common anti-spam defenses such as reputation less effective. CAPTCHA, or Completely Automated Public Turing Test to tell Computers & Humans Apart, was developed by Carnegie Mellon University to prevent spam robots from exploiting Web forms.

In a departure from unsolicited messages pushing pharmaceuticals or counterfeit products, TRACE also identified a major increase in spam used to infect computers with Trojan malware. During the same period, many of the most popular Websites were found to be hosting malicious software designed to steal data or add PCs to botnets. The TRACE team identified 1.5 million Websites infected by a botnet attack in May 2008.

Marshal's TRACE team uses a network of bait machines and honey-pot accounts to continuously monitor spam, phishing attacks, botnets and malware, and to identify new tactics employed by spammers and cyber criminals. In the six months ending in June 2008, the TRACE team saw spam volumes double, with the Srizbi botnet identified as the most prolific offender, capable of pushing out 7.8 billion messages an hour. As the world's largest botnet, Srizbi controls more than 315,000 infected machines sending 50 percent of all spam, followed by the Rustock and Mega-D botnets, generating 14 percent each. Marshal traced 90 percent of all spam to just seven botnets, indicating millions of Trojan-infected computers worldwide. The report notes a reduction in the use of gimmicks such as image spam (down to one percent), with spammers reverting to social engineering to dupe recipients into opening malicious messages, using sensational subject lines relating to the economic crisis or celebrity deaths.

Commenting on this year's findings, Bradley Anstis, vice president of Products for Marshal said, "Spammers are moving en masse to the Web and distributing malware on a scale not seen before. Criminals are not bothering to set up their own sites; they are infecting legitimate sites with malicious code. We can no longer rely on traditional URL filtering lists because the 'safe' sites may no longer warrant that trust. The use of webmail accounts to send spam makes IP reputation or message header inspection less effective because the spam is generated using Gmail, Yahoo and Hotmail, so the messages will appear to come from legitimate sources. In our view, the use of botnets to launch mass Website attacks is the most concerning issue to arise so far in 2008."

Although TRACE reports that phishing represented just 0.5 percent of all spam over the last six months, the TRACE report draws attention to the flaw in the Domain Name System (DNS) identified by security expert Dan Kaminsky in early 2008. The flaw could have been exploited by criminals to redirect Internet users to phishing Websites, even if they typed the correct URL into their browser. Microsoft distributed a patch for the flaw on July 8th; however, a patching delay by some ISPs increased the online threat to users.

"We are now in the situation where spam accounts for almost 90 percent of all email and increasingly contains links to infected sites," said Anstis. "Companies really need to employ a combination of email security gateways that have anti-spam protection using multiple techniques to block malicious content and secure Web gateway products that do not just rely on URL filtering but also scan the content that end users are downloading and uploading in real-time."

The Marshal TRACE Mid Year 08 report is available at

About the Marshal TRACE Team

TRACE (Threat Research and Content Engineering) is a group of Marshal security analysts who constantly monitor and respond to Internet security threats through the TRACE website at TRACE services are provided as part of standard product maintenance that includes updates to Marshal's unique, proprietary anti-spam technology, SpamCensor. TRACE analyzes spam, phishing and Internet security trends and provides frequent automated updates to Marshal customers. It also provides "Zero Day" security protection against new email and virus exploits the day they emerge.

About Marshal

Marshal is a global leader in content security across multiple protocols, enabling organizations to secure their IT environment, protect against threats and comply with corporate governance needs. Marshal provides customers with a complete portfolio of policy-driven email and Internet solutions that integrate content filtering, compliance, secure messaging and archiving. Forty percent of the Global Fortune 500 companies use Marshal security solutions to secure their corporate messaging networks and Web access against internal abuse and external threats such as viruses, spam and malicious code. More than 7 million users in over 18,000 companies worldwide use Marshal solutions to protect their networks, employees, business assets and corporate reputation and to comply with corporate governance legislation requirements.

Marshal's Americas headquarters is in Atlanta, Georgia, with corporate headquarters in London (UK) and offices in Auckland (New Zealand), Houston (USA), Johannesburg (South Africa), Munich (Germany), Paris (France) and Sydney (Australia). More information is available at
