Impact on Cutwail of Real Host shutdown

Media story about Real Host being cut off

These graphs show the total number of spam messages (per second) detected as being sent by the Cutwail SpamBots at one of our larger (but not nearly largest) spamtraps. See the graphical representation of total spamtrap flow for how this compares.

There is one graph included here, that of "Cutwail2".

This is intended to give an indication of the overall Cutwail flow and how it was affected by the Real Host shutdown, which caused the shutdown of most or all of the Cutwail "Command and Control" (C&C) servers.

As can be seen, the Real Host shutdown caused an immediate, precipitous collapse in Cutwail-emitted spam, which effectively disappeared for approximately 60 hours. However, as Cutwail was only one SpamBot family of many, its collapse is not particularly apparent in total spamtrap flow.

The shutdown of McColo was far more apparent in total flow simply because it was the shutdown of (or severe damage to) the C&C for the top 5 or 6 SpamBot networks all at once.

The upsurge in Cutwail2 appears to be due to new C&C servers being established at other providers.

The Y axis is detections per second.

The X axis is the date/time in GMT. This snapshot was taken Tuesday, August 5th, 2009.