Security researchers take out botnet responsible for 18 billion spam emails a day

A huge spam botnet responsible for an estimated 18 billion messages a day has been taken out by security researchers.

The four year old botnet - known as Grum - is believed to have been responsible for around 18% of the world's spam emails.

A botnet is a cluster of infected computers used by cybercriminals to send a variety of spam emails - often offering cheap Viagra, fake watches or unusual dating solutions.

The cluster of computers are usually infected using malware.

Security company FireEye and spam-tracking service SpamHaus worked with ISPs to shut down the illegal network.

The control servers for Grum were found to be mainly based in Ukraine, Russia and Panama.

FireEye security has been monitoring Grum since 2008 working in combination with the Russia Computer Security Incident Response Team and the Spamhaus Project.

Spamhaus estimated that up to 120,000 IP addresses were used to send spam each day, but that following the takedown the number reduced to around 21,000.

Writing on the FireEye blog Atif Mushtaq, a security researcher with FireEye said, "Grum's takedown resulted from the efforts of many individuals."

"This collaboration is sending a strong message to all the spammers: Stop sending us spam. We don't need your cheap Viagra or fake Rolex."

Experts anticipate that the takedown should result in a significantly reduced level of junk mail.

On Monday a Dutch server involved in Grum was shut down.

On Tuesday command and control servers based out of Panama were also shut.

"With the shutdown of the Panamanian server, a complete segment was dead forever", says Mushtaq.

However, the good news didn't last long as the bot herders - who scan networks to find weak or vulnerable systems to install their bot program - started pointing the command and control servers to secondary servers located in Ukraine.

Mushtaq says that in the past Ukraine had been something of a 'safe haven' for bot herders and that shutting down servers there had "never been easy."

Around 20,000 computers are thought to be still part of the botnet but are now ineffective without active control and command servers.

In recent years there has been a concerted effort to take down some of the largest botnets.

According to Atif Mushtaq global spam volume is at a record low thanks to the research community's effort against spammers.

Mushtaq is however clear about the scale of the problems involved in taking down botnets: "The research community needs to maintain this pressure until we reach a point where the bad guys start thinking that becoming a spammer is not worth the risk. If I were to rank Grum's takedown difficulty level from one to five where five is the most difficult, I would give Grum a two.

"When the appropriate channels are used, even ISPs within Russia and Ukraine can be pressured to end their cooperation with bot herders. There are no longer any safe havens."

FireEye Grum Takedown Q&A

How significant is the takedown of Grum?

Identifying the control servers quick enough so they can be shutdown is significant as it shows that the right personnel with the right tools can win.

How did FireEye bring down Grum?  (in the simplest terms possible!)

FireEye identifies command and control malware call-backs without prior signatures or URLs, by tracking the servers real time even when they move the teams were able to close in and shut them down.

Will people notice a reduction in the amount of spam they receive?

Absolutely. Time will always tell, but removing the command and control for the third largest botnet that was generating spam can only be a good thing.

What advice would you give people to avoid getting a deluge of spam emails?

Your email address is very personal and should be treated as such.

Do your best to make sure it's not published on a website for all the world to see, protect yourself from malware and don't open or reply to emails that don't make sense – even if they appear to be from people that you know.