Monthly Archives: April 2010

Spam and Virus Trends from Google Postini

Editor’s note: The spam data cited in this post is drawn from the network of Google email security and archiving services, powered by Postini, which processes more than 3 billion email connections per day in the course of providing email security to more than 50,000 businesses and 18 million business users.

In 2009, the security community started seeing diminishing returns from the takedown of malicious ISPs. After the ISP 3FN was taken down, spam levels rebounded in less than a month, and after Real Host went down, spam volumes recovered after only two days. In response, the anti-spam community turned its attention toward taking botnets offline instead.

Toward the end of 2009, Mega-D, a top-10 botnet – responsible for infecting more than 250,000 computers worldwide – was severely crippled through a carefully orchestrated campaign designed to isolate the command-and-control servers spammers were using to support the botnet. In early 2010, security professionals, along with government agencies, successfully mounted a campaign against several more targets: major botnets such as Waledac, Mariposa, and Zeus were either shut down or had their operations significantly curtailed.

However, this recent spate of botnet takedowns has not had a dramatic impact on spam levels. Although spam and virus levels did fall below Q4’09 highs, reports from Google’s global analytics show that spam levels held relatively steady over the course of Q1’10.

This suggests that there’s no shortage of botnets out there for spammers to use. If one botnet goes offline, spammers simply buy, rent, or deploy another, making it difficult for the anti-spam community to make significant inroads in the fight against spam with individual botnet takedowns.

Spam by the numbers
Overall, spam volume fell 12% from Q4’09 to Q1’10, which follows a trend of quarterly decreases in overall spam levels that started after the surge in Q2’09. This may be attributed to some of the recent takedowns, but spam volume was still 6% higher this quarter than it was during the same period in 2009, and spam volume as a percentage of total email messages is holding steady.

Recently, our data centers showed a 30% increase in the size of individual spam messages (measured in bytes) that occurred toward the end of March, as shown below.

This spike points to a resurgence of image spam, similar to what we reported in Q2’09. This is likely due to the fact that reusing image templates makes it easier and faster for spammers to start new campaigns.

As always, spammers tend to make use of predictable topics – cheap pharmaceuticals, celebrity gossip, breaking news – to encourage user clicks. In January, spammers hastened to exploit the Haiti earthquake crisis, sending pleas for donations that appeared to have been sent by reputable charitable organizations, politicians, and celebrities.

The frequency and variety of post-earthquake spam illustrates an unpleasant reality: spammers will exploit any means – even tragedies – to accomplish their objectives.

Virus levels fall after Q4’09 surge
During 2009, spam with attached viruses increased tenfold, with levels rising from 0.3% of total spam in the first half of the year to 3.7% in the second. Postini filters blocked more than 100 million virus-bearing messages per day during the worst of the attack.

Since then, spam with attached viruses leveled off to around 1.1% in Q1’10, and dropped as low as 0.7% in March. It’s good news that virus levels are currently trending down – but Q1’10 levels are still 12-fold higher than they were in Q1’09.

In fact, this virus surge may be part of the reason that there hasn’t been a significant impact on spam volume after the recent takedown of major botnets. With a host of new machines now infected and part of a botnet, it is unlikely that there would be a dip in spam proliferation.

Benefits of security in the cloud
Although the botnets that distribute spam are mindless drones, the spammers that take advantage of these botnets are a highly active and adaptable group. This is evidenced by the varied techniques and tactics that they employ in an ongoing effort to evade spam filters and deliver messages to their targets.

2010 is likely to see more botnets taken offline, but the question remains – will that have a long-term impact on spam volumes overall? So far in 2010, the effect has been limited, and the security community may begin to turn to other tactics that yield a more substantial impact on global spam volumes.

As long as the threat is there, however, Google is committed to using the power of the cloud to protect your enterprise from spam and viruses. Outsourcing message security to Google enables you to leverage our technical expertise and massive infrastructure to keep spammers from your inbox.

For more details on Google Apps and all of the protection it includes, go here.

April 2010 Newsletter – Ping Tool

MxToolBox Ping is one of the free tools provided by MxToolBox to help you determine if Inbound and Outbound mail flow is working.

As System Administrators, most of us are familiar with using the ping command as a tool to see if a host is unreachable or unavailable. Ping works by sending Internet Control Message Protocol (ICMP) echo request packets to the intended host and waits for a response. If a response does not occur, it will fail and return blank packets. If a response does happen, the results will be returned in the form of response packets.

At MxToolBox we wanted to harness the power of ping in a different manner to help administrators troubleshoot their Inbound and Outbound Mail Flow. We have created a quick and easy tool to do this. Simply send an email from your network to and the tool will look at the email headers of your message and send you a notification back immediately. Please note that the subject and body do not matter. The response email will include several helpful troubleshooting tools including your Outbound IP, server hops, any transaction times or delays and it can help trace the route your email is taking to discover any outbound gateways you might be using.

An example of what the email looks like when it comes back from is below and a few of the features have been highlighted:

  1. This is your Outbound IP Address
  2. Link back to Blacklist Tool. We would highly recommend setting up a Blacklist Alert through our Free Server Monitoring Tool. If this is configured, you will get an automatic alert if your server becomes Blacklisted.
  3. Link back to our SMTP Diagnostics Tool. We would highly recommend setting up a SMTP Alert through our Free Server Monitoring Tool. If this is configured, you will get an automatic alert if your server becomes unreachable.
  4. Transaction time on this email and an explanation of the actual transaction times and hops. The hops will also include any delays if they are present.
  5. Other Misc Headers


While this is one of our favorite free tools, we have even more tools available on our website. Be sure to check out the MX Record ToolBlacklist ToolSMTP Diagnostic ToolFree Server MonitoringSPF ToolDNS Lookup and more!

If you are not able to resolve your mail server problems or have other questions, please do not hesitate to contact us or view our Email Business Products.

March Newsletter
Introducing the MxToolBox Super Tool

From all of us at MxToolBox, thank you for your business and your time.

Forums Find updates on our BLOG
Twitter Join us on our FORUMS
Blog Follow us on TWITTER Facebook Become our fan on FACEBOOK

Ping Tool Reporting Wrong IP

This morning we released our April Newsletter and let everyone know about one of our favorite tools. Unfortunately for about 30 minutes if you sent an email to it was not returning the correct Outbound IP. This has been corrected and we apologize for any problems this may have caused.

UPDATE: This issue was resolved approximately 20 minutes after it was reported. Thank you to all of the users that quickly let us know we had an issue!

What does the Warning ‘Reverse DNS FAILED!’ Mean? – SMTP Diagnostic Tool

We wanted to give a bit more insight into the Warning from our SMTP Diagnostic tool about ‘Reverse DNS Failing’.

When a sending server makes a connection to the recipient server, the recipient server notes the sending IP address and performs a reverse lookup. This is done by sending a DNS query which returns a Fully Qualified Domain Name ( FQDN) registered for that IP address. If the sending SMTP address matches the domain, then it’s much more likely that the message is legitimate and therefore will be passed on to the recipient. If the IP address doesn’t match, it’s much more likely that the sending address was spoofed and therefore much more likely that it’s unwanted and could be considered spam.

A FQDN is associated to an IP with a valid PTR record. You want the domain name portion of the FQDN to match the domain of your email address. (e.g. if your sending addresses follow the convention of, your PTR record should contain something like Only the organiztion which controls and owns the IP can set a PTR record. PTR record queries are sent to the owner of the IP address which is the ISP, unlike other DNS queries which are sent to the DNS server of whoever owns the domain. For this reason Setting a PTR record on your own DNS servers is almost useless since no one is asking your servers.

To make any changes to your rDNS, you will need to contact your ISP or if you host your own DNS (rare) you will adjust it yourself. You will not be able to do this in your DNS control panel unless your ISP also hosts your DNS and gives you the functionality to add your own rDNS records.