Spamhaus: Grum Dead, Festi Alive and Well

In July, the Grum botnet was shuttered thanks to the hard work of security firm FireEye, along with help from other organizations. The story garnered a lot of attention, and even a little confusion over exactly how big Grum was. Most agreed that Grum was responsible for a third of the world’s email spam and that the number was around 17 percent, and the world’s inboxes had a little bit of reprieve for a time.

Spamhaus participated in Grum’s demise by contacting the ISPs that were hosting Grum’s command and control servers. As the C&C servers came down, Grum’s operators attempted to re-establish new ones, but FireEye and Spamhaus were able to take these down too, and Grum was all but expired.

This from Spamhaus: “Since the takedowns Spamhaus has continued to monitor the Grum botnet, which at present consists of only 150 to 500 active (spam sending) IP addresses per day. Hence, one month later we can consider the Grum botnet dead.”

Maybe even more notable than the timely death of Grum, Atif Mushtaq, a senior scientist at FireEye made some bold statements about the future of spam, stating that taking down a few more botnets would be “enough for a rapid and permanent decline in worldwide spam level[s].”

Nobody can blame Mr. Mushtaq for his enthusiasm and optimism, especially after he just ended a spate of emails pushing fake Viagra; but his statements were also the stuff that eyebrow raising is made of.

A month later, it seems that his optimism was a tad premature, because Spamhaus has reported that while Grum is dead for good, another misbehaved little child has taken its place in the sandbox.

A few weeks before the action on Grum, Spamhaus noticed “a huge increase in spam activities from another spam botnet, called Festi or Spamnost by some Antivirus vendors.”

In June, the number of spamming IP addresses identified as Festi was still relatively small, compared to Grum. But that changed quickly, and by the end of June Spamhaus saw a dramatic increase in this new botnet’s activity.

“Since July,” Spamhaus reports, “the Spamhaus XBL has seen a huge increase in Festi spamming activities. At the peak, during one 24-hour period the XBL detected nearly 300,000 IP addresses that were infected with Festi, out of a total of 1 million that were infected with some sort of spam-sending bot. The sheer volume of Festi spam overwhelmed spam detection [processes] at some security organizations.” (See the chart above)

In fact, Festi is now competing with Cutwail, the world’s number one spamming botnet, for supremacy. The numbers recorded by Spamhaus suggest that, as of August 13, Festi has overtaken Cutwail slightly, with both botnets controlling more than a quarter of a million active spamming IP addresses.


Hoo-ray. Often, a coup d’état is nothing more than an attempt at taking down a dictator so another can take his place, and the rise of this new botnet seems to illustrate this adage. The hard work of FireEye, Spamhaus and others are laudable and they should be recognized for their tireless efforts. But if we’ve learned anything about cybercrooks, it is that they are tenacious, they don’t like being poked with a sharp stick, and they adapt far quicker than the good guys.

The dream of a spam-free world is a noble one, and Mr. Atif Mushtaq of FireEye should be applauded for daring to dream. But spam isn’t going anywhere. In fact, it’s spreading, to webmail, social media, mobile phones and tablets, and anywhere else that cybercriminals see an opportunity to make a buck. It’s even found its way to our landlines. Hell, one cannot blink today without facing the threat of financial ruination, data compromise, and all-out embarrassment.

No, spam’s not going away. It’s here to stay, and as long as people are naive enough to click a link that promises unimaginable wealth and success, it’s something we have to deal with. So where does that leave us?

Exactly where we started. With vigilance, education, anti-spam technologies and a modicum of common sense. Does it mean that we should stop taking down botnets? Of course not. Look, it’s a bit of a conundrum, but even though we cannot seem to gain an inch, it doesn’t mean we should lie down and take it. So hats off to FireEye, Spamhaus, and all the other vigilant heroes who fight this stuff every day.

And now, back to getting that pesky spam out of our inboxes.

Written by Malcolm James


  1. Lydia · August 27, 2012

    I don’t know why these folks call themselves security experts. You don’t have to be a security expert to know that spam won’t die because of taking some botnets. Botnets are just a tool – when a tool breaks, you simply replace it. Spam will die when there is no more money in it, which I doubt will ever happen.

  2. George Bryan · August 31, 2012

    CAN’T WE JUST KILL SPAM FOR GOOD? Something is not really right in here. What happened
    to the anti-spam law, to those organizations that are responsible for monitoring,
    as well as to the hundreds of IT experts that are given funds to study and
    eventually find a “cure” to spamming? How can spammer bounce themselves back so
    fast? This cat-and-mouse game has been going on for years, and it’s costing not
    only the government but even small businesses a lot of money. Now with the way
    things are going, I do not know if this is going to end anymore.

  3. Michael Monner · August 31, 2012

    There’s no killing to this spam, eh? I’m wondering,
    will I ever live the day when there will be no more spam in the world? By the
    rate things are going, that may never happen in my lifetime, which is extremely
    sad for me. I would just like to commend, though, those who have been working
    real hard to kick this spam out of the Internet and our e-mails. Perhaps
    scammers are not as no-brainer as we thought they are. We need better software,
    more reliable best practices, and definitely more secure e-mail providers to
    ensure that this doesn’t happen very often.

Leave A Reply