Following on from my previous post on Waledac data, I decided to have a look-see on the distribution of the IPs that were sending spam. Here's the table of the breakdown by date, the average spam percentage of the IPs sending the mail (as measured by our content filters and excluding messages with an empty Mail From <>), and the number of distinct IPs.
Going from this table, we can see that the IPs sending spam on behalf of Waledac are not exclusively spammers. Indeed, for the most part, over that period of time they were sending mostly legitimate mail. This is a clear shift in botnets because most of the time, a given botnet will send nearly 100% spam.
What about the breakdown by spam percentage? What do the content filters say? Below is that table:
There are a lot of IPs that send only a very small amount of spam that were associated with the Waledac botnet. Indeed, some of them sent only a few spams and many of those were bounces.
It's an interesting shift in tactics for the spammer.