If you've noticed a lot less spam in your inbox in recent years, it's not just because spam filters are a whole lot better than they used to be, according to security expert Atif Mushtaq. The takedowns of several of the biggest spam-generating botnets on the Internet have also had a huge effect, and the FireEye Malware Intelligence Lab researcher believes eliminating just a few more could virtually eliminate spam for good.
"Can we dream of a junk-free mailbox? Guess what — it's just a few takedowns away. In my opinion, taking down the top three spam botnets — Lethic, Cutwail, and Grum — is enough for a rapid and permanent decline in worldwide spam level. We still have to deal with small players, but I am sure that, after seeing the big players being knocked down, they will retreat as well," Mushtaq writes in a post concerning the Grum botnet published Monday on the FireEye blog.
The researcher, whose work on identifying the command-and-control (CnC) coordinates of popular spam botnets has assisted in taking down some of the world's most powerful junk email pushers, thinks at least one prominent remaining spam operation shouldn't be too difficult to dismantle either.
"If I were to rank Grum's takedown difficulty level from one to five where five is the most difficult, I would give Grum a two," Mushtaq writes of a botnet that was the world's most active as recently as January 2012 but has since slipped behind Cutwail and Lethic. Grum produced about a third of worldwide spam at its height but as of June was driving only about 17.4 per cent of junk email on the Internet.
What's interesting about Grum, he writes, is that at more than four years old it's a relative geriatric in the fast-paced world of botnets. With CnC servers scattered about "in countries like Russia, Panama, and the Netherlands where authorities historically have been reluctant when dealing with abuse notifications," Grum is sort of the tortoise of the botnet scene, keeping its head down and eventually outpacing the high-flying, hard-crashing hares like Rustock.
Still, taking down Grum should be possible thanks to some "obvious architecture-level weaknesses," according to Mushtaq. These include a lack of a "fallback mechanism" from the master CnC servers to secondary servers, the ability to shut down big chunks of Grum even if some CnCs survive, and its reliance on hard-coded IP addresses.
Mushtaq figures big-time spam operations have been on the ropes for some time, but warns that security researchers and anti-spam authorities have to go in for the kill pretty soon.
"No doubt global spam volume is at a record low, thanks to the research community's efforts against spammers. But the research community needs to maintain this pressure until we reach a point where the bad guys start thinking that becoming a spammer is not worth the risk," he writes.