These graphs are the total number of spams (per second) detected as being sent by the Cutwail SpamBots at one of our larger (but not nearly largest) spamtraps. See graphical representation of total spamtrap flow for how this compares to total spamtrap flow.
Two sets of graphs are included here: "Cutwail" and "Cutwail2". Cutwail2 is a newer version of Cutwail, and is included first because it is the higher volume. "Ordinary" Cutwail has been in existence for at least two years, Cutwail2 for the past half year or so. We detect them separately, so we present graphs for each of them.
This is intended to give an indication of the overall Cutwail flow and how it was affected by the 3FN shutdown, which caused the shutdown of most or all of the Cutwail "Command and Control" (C&C) servers. See Krebs on FTC's shutdown of 3FN.
As can be seen, the 3FN shutdown caused an immediate precipitous collapse in Cutwail-emitted spam, particularly the Cutwail2 variety - which had completely disappeared for two intervals in excess of 8 hours. However, as it was only one SpamBot family of many, its collapse is not particularly apparent in total spamtrap flow.
The shutdown of McColo was far more apparent in total flow simply because it was the shutdown of (or severe damage to) the C&C for the top 5 or 6 SpamBot networks all at once.
It is also readily apparent that Cutwail2 is struggling to get back on its feet. Cutwail2 has recovered to about 1/4 of its former volumes as of the date of this snapshot. "Ordinary" Cutwail never did vanish completely, but does not appear to be recovering yet.
The upsurge in Cutwail2 appears to be due to new C&C servers being established at other providers.
The Y axis is detections per second.
The X axis is the date/time in GMT. This snapshot was taken Tuesday, June 9th, 2009.