Where’s waledac… part 2

Originally posted on the Microsoft Malware Protection Center blog.


The Spam Data

The MMPC and the Forefront Online Service for Exchange (FOSE) conducted some research on Waledac related spam. In this study we included the following subset of Waledac owned domains and monitored the spam emails between 4/15 and 4/23.

  • chinamoilesms.com
  • coralarmor.com
  • freeservesms.com
  • miosmsclu.com
  • smsclunet.com
  • smspianeta.com

From these domains we identified the related IPs and counted the emails sent from those IPs. Over the course of the study, we observed a total 7,199 distinct IPs sending spam from Waledac. We observed 4,091,725 spam emails distributed by these IPs during the seven days. Non-Delivery Report (NDR) is not counted as spam email in this study. Note this is not even the peak of Waledac email campaign.


The location of the senders of this spam does not necessarily match the geo distribution chart of the MMPC waledac detection. The controllers of waledac can decide which zombies will be throttled or heavily loaded. Furthermore, they can rotate these IPs in and out and need not have them all active simultaneously.


We will continue to monitor the waledac threats and the spam activities.

Scott Wu - Microsoft Malware Protection Center
Terry Zink - Forefront Online Security
Scott Molenkamp - Microsoft Malware Protection Center

Comments (2)

  1. Francisco Hernandez says:

    I need to know why my company’s domain was included in your blacklist beeing your blacklist the only one who has my ip address as spam, i have all protection and i’m loossing customers because of you, my e-mail is calidadiso@agemar.com.ve i would like an answer to this issue ASAP.


Skip to main content