The downing of the CoreFlood botnet in mid-April pushed spam levels down by 15%, and figures have since remained at a steady level says the report.
Despite this, the analysis suggests that cybercriminals are using Facebook to infect more users, with two malware variants spotted in the last month that seek to infect users of the social networking site with a botnet loader.
Derek Manky, Fortinet's senior security strategist, said that the Facebook malware variants his team have examined are botnet loaders, which, after execution, connect to a command and control server to download and display a document that reveals a bogus password in an effort to look legitimate.
"Afterwards, the botnet continues to run in the background and requests files to download and execute, one by one. Always beware of file attachments, never disclose information generated by an unsolicited request, and attempt to confirm identities of those who contact you", he explained.
The CoreFlood botnet, says the report, dates all the way back to 2002 but was stopped on April 16 this year when - in the largest action of its type seen in US history - the FBI seized an array of systems and servers that spanned several countries and, over the years, had infected 2.3 million PCs.
"CoreFlood comes off the heels of the Rustock botnet, which was taken offline mid-March with the help of Microsoft and a number of Federal agencies", said Manky.
"As a result, two major botnets have dwindled and global spam rates have remained about 15% lower than they were before Rustock's downfall", he added.
On the Russian pharma website front, Fortinet says that the most popular store - drugstoretop.ru - was seen in more than 45% of analysed spam, with pharmacybuydrugs.ru and pharmacydrugsphysic.ru accounting for 37.4 and 38.3% of spam respectively.
Other sites such drugtoretabletsrx.ru (34.64%), drugsbuymedic.ru (32.46%) and drugshealthonline.ru (32.25%) also had the dubious distinction of dominating the pharma spam charts.