A common way of combating spam traffic is to shut down the service provider through which the traffic is being processed. With a new variety of botnets, though, this method is becoming increasingly ineffective. The August report from Message Labs indicates that the shutdown of a Latvian ISP, while initially effective, ultimately did little to quell the malicious activity of one botnet, whose traffic recovered in a matter of days.

Cutwail is one of the largest botnets running amok on the Internet, and is estimated to be behind 15-20 percent of all spam, including mail that advertises malicious websites, phishing websites, and fake antivirus products. Message Labs noted that Cutwail was conducting a large portion of its dubious business through Real Host, an ISP based in Riga, Latvia. Real Host was allegedly hosting the "command-and-control" servers that coordinated large-scale botnet infection.

Proportion of traffic of top five botnets. Source: Message Labs.

Because Real Host was supporting such a large amount of suspicious traffic, it was disconnected by its upstream providers on August 1, 2009. As a result, spam volumes dropped by 38 percent across the board within 48 hours, and Cutwail's activity fell by as much as 90 percent during that time. A win for the good guys, or so it seemed.

After the 48-hour mark, Cutwail's activity levels had rebounded significantly, nearly to those of its Real Host heyday. This recovery indicates that botnets are increasingly able to continue their operations almost undisturbed, even after losing a colluding ISP. V3 points out that when the McColo Web hosting firm was shut down back in November 2008, its botnets took several weeks to reach their previous levels of activity; Cutwail needed only days.

Message Labs also indicated that it is difficult to distinguish an ISP acting in bad faith from one that simply lacks the resources to police its customers, and the process of telling the two apart can hold up a shutdown. There are few barriers to setting up an ISP, and a small provider with an even smaller abuse department can leave malicious traffic unaddressed for a long time.

The Message Labs report also noted the growing use of URL-shortening services in spam emails; a shortened link hides both the questionable domain name and the conspicuous length of the real URL, so neither the recipient nor a filter that only inspects the visible link can judge the destination. Filters are increasingly being set to treat a shortened URL as suspect, as with Microsoft's ban on TinyURL links in Windows Live Messenger. With the fast evolution of botnet processes and methods, smarter protection that can evolve with the malicious traffic may be in order.
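Banning a shortener outright, as Microsoft did, is the blunt option; a filter can instead expand the shortened link by following its redirects (HEAD requests only, never fetching the body) and judge the landing host. The following is an added example written for this article, not code from Message Labs or Microsoft. The shortener list beyond tinyurl.com, the blocklist, the message body and the redirect table are all constructed for the demonstration; `live_resolver` shows how a real deployment would obtain each hop, but the example itself runs offline against the constructed table.

```python
import http.client
import re
from urllib.parse import urljoin, urlparse

# Hosts treated as URL shorteners. tinyurl.com is named in the article; the
# others are an assumed, illustrative list a real filter would maintain.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "is.gd"}

# Constructed blocklist of landing domains (.test is a reserved TLD).
BLOCKED_HOSTS = {"example-fakeav.test", "login-example.test"}

MAX_HOPS = 5  # spam chains that bounce through many shorteners are suspicious on their own

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed redirect table standing in for live HEAD requests.
FAKE_REDIRECTS = {
    "http://tinyurl.com/abc123": "http://example-fakeav.test/scan",
    "http://tinyurl.com/news": "http://www.example.com/blog",
    "http://bit.ly/xyz": "http://is.gd/qq",
    "http://is.gd/qq": "http://login-example.test/verify",
    "http://bit.ly/loop1": "http://bit.ly/loop2",
    "http://bit.ly/loop2": "http://bit.ly/loop1",
}

# Constructed spam body used as sample input.
SAMPLE_SPAM = """Your PC is infected! Free scan: http://tinyurl.com/abc123
Account check: http://bit.ly/xyz
Read more: http://tinyurl.com/news
See also http://bit.ly/loop1 and http://www.example.com/newsletter"""


def fake_resolver(url):
    """One redirect hop from the constructed table; None means 'no redirect'."""
    return FAKE_REDIRECTS.get(url)


def live_resolver(url, timeout=5):
    """One redirect hop via a HEAD request (not used by the offline run)."""
    p = urlparse(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()


def expand(url, resolve, max_hops=MAX_HOPS):
    """Follow redirects from a shortened URL.

    Returns (final_url, hops, status) with status 'ok', 'loop' or 'too_many_hops'.
    """
    seen = [url]
    current = url
    for _ in range(max_hops):
        nxt = resolve(current)
        if nxt is None:
            return current, len(seen) - 1, "ok"
        nxt = urljoin(current, nxt)  # Location headers may be relative
        if nxt in seen:
            return nxt, len(seen), "loop"
        seen.append(nxt)
        current = nxt
    return current, len(seen) - 1, "too_many_hops"


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def classify_url(url, resolve):
    """Return (verdict, final_url): 'allow', 'suspect' or 'block'."""
    if host_of(url) not in SHORTENER_HOSTS:
        return ("block" if host_of(url) in BLOCKED_HOSTS else "allow"), url
    final, _hops, status = expand(url, resolve)
    if status != "ok" or host_of(final) in BLOCKED_HOSTS:
        return "block", final  # redirect loop, over-long chain, or blocked landing host
    return "suspect", final  # an unknown site hiding behind a shortener


def scan_message(body, resolve=fake_resolver):
    """Scan a message body; returns a list of (url, verdict, final_url)."""
    return [(u,) + classify_url(u, resolve) for u in URL_RE.findall(body)]


if __name__ == "__main__":
    for url, verdict, final in scan_message(SAMPLE_SPAM):
        print(f"{verdict:8s} {url}  ->  {final}")
```

The 'suspect' verdict is what a scoring filter would feed into its overall spam weight, while 'block' is reserved for cases that are conclusive on their own: a blocked landing host, a redirect loop, or a chain longer than any legitimate shortener needs. Swapping `fake_resolver` for `live_resolver` turns the same logic into a real expander; in production it also needs a per-message budget, since each HEAD request is a network round trip the sender controls.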