The ‘takedown’ of the world’s biggest botnet Rustock could have a marked effect on global spam levels for months to come despite rivals trying to move onto its patch, new figures from Symantec show.

The Symantec-MessageLabs report for March only covers a period of days after Rustock stopped spamming on 16 March, but the closing of its command and control servers has so far been almost as dramatic as the closure in early 2009 of spam ISP, McColo.

In the days after, spam dropped to 33 billion per day compared to the previous average of 52 billion per day, a fall of roughly a third. This puts the drop in second place only to the dramatic 50 percent shed from spam volumes worldwide after McColo’s closure.

As well as relieving the load on email servers, that also means that means to up to 700,000 infected PCs around the world that will not be wasting cycles sending the bot’s spam unless it is somehow reconstituted.

But spam is a global economy and the loss of one distribution mechanism will offer commercial opportunities to rivals, with the Bagle botnet a prime contender to take over some of its traffic, Symantec said.

Precisely what happened to the previously long-lived Rustock is still shrouded in some mystery. Although Microsoft plausibly claimed a big slice of the credit for acting against its server hosting – the company was also at the centre of successful action against McColo – Rustock has been exhibiting instability for months before that.

Last April, Rustock suddenly stopped using TLS encryption to hide its activity, presumably in an attempt to ramp up volumes. Not long after that, an unaccountable fluctuation in spam being sent by Rustock was part of the reason why spam volumes dropped in the second half of 2010 to levels last seen as long ago as 2008. Rustock has not been in good health for some time.

One bizarre finding of the March report – the company spotted its first ever 419 scam email written in the Welsh language, understood by only half a million people in the UK. In all likelihood this was simply a scam message run through an automatic online translator, the company said.