According to the August edition of the MessageLabs Intelligence monthly report, Real Host (an ISP based in Riga, Latvia) was alleged to be linked to command-and-control servers for infected botnet computers, as well as being linked to malicious websites, phishing websites and rogue anti-virus products.
Real Host was disconnected by its upstream providers on 1 August 2009. The impact was immediately felt (spam volumes dropped briefly by as much as 38% in the subsequent 48-hour period).
The figure shows the relative proportion of spam originating from the five major botnets globally during the period of this attack: Cutwail, Xarvester, Rustock, Mega-D, and Donbot.
Much of this spam was linked to the Cutwail botnet, currently one of the largest botnets and responsible for approximately 15-20% of all spam. Its activity levels fell by as much as 90% when Real Host was taken offline, but quickly recovered in a matter of days.