We've followed the Mega-D botnet throughout 2008, from its amazing growth early in the year to its sudden deflation once its control servers were taken offline. Mega-D never completely lost its potency, however, and has continued to eject spam into the Internet's tubes for the past year.

Mega-D should've been spent by now, but the recent disruptions to McColo and Atrivo earlier in the fall may have led spammers to revive other, secondary botnets and possibly to combine forces. Phil Hay, lead threat analyst for Marshal8e6, has stated: "Spam from Mega-D has been ramping up over the last few days and reached up to 48 percent of all the spam we captured in our honeypot spam traps." As for Rustock and Srizbi, both remain offline; Srizbi has yet to resurface following its abortive attempt to return to life last week.

"The Mega-D bots appear to have been upgraded and altered quite substantially by the people behind it," Hay continued. "It now uses templates we have seen before with Rustock. This could mean that the Mega-D spammers have looked at and copied from their rivals. Or, it could indicate that the individuals behind both botnets are working in collusion or are one in the same."

There seems to be a dispute, or at the very least, a different measurement, of how large Mega-D actually is. Hay states that Mega-D traffic is up substantially, but MessageLabs' graph on botnet size, issued in their 2008 annual report, seems to point in a different direction.

MessageLabs' chart doesn't cover anything past October 19, so it's possible that Mega-D has grown and evolved much more quickly than we'd normally expect. The good news, if you want to call it that, is that spam levels have yet to return to their pre-McColo takedown level. MessageLabs' yearly report states that spam accounted for a total of 81.2 percent of all email for the year 2008, down from a high in February of 82.7 percent, and down 3.4 percent from 2007's 84.6 percent.

The long-term forecast for spam levels remains unchanged, but further ISP takedowns could change the expected scenarios if enough of them can be properly coordinated. The fact that spam levels remain depressed nearly three months after Atrivo and a month after McColo is proof that these sorts of efforts can have a lasting short-term effect, as opposed to causing a mere blip in spam volume. I expect we'll see more takedown initiatives in 2009—success tends to breed success, and spammers are going to have an increasingly hard time finding safe haven. The takedown trends of 2008 could be the beginning of a genuine white hat offensive against the deluge.