Which botnet sends the most spam?

Around the Internet, and even on this blog, various analyses have been done on botnets and which one is responsible for sending the most spam.  Whether it’s Rustock, Cutwail, or one of the new kids on the block (grum, gheg, or donbot), I don’t really see any consensus on which one is the spammiest.

There are a couple of ways to measure which botnet sends the most spam.  You could rank them by which one sends spam from the most distinct IPs.  You could also rank them by which one sends the most messages.  But “most messages” can itself be measured a few different ways: by total number of envelopes, by total number of messages (that is, recipient deliveries), or by total number of bytes.

The envelope level is different from the message level.  In the terminology I use here, one envelope is one SMTP transaction (one MAIL FROM, any number of RCPT TO commands, one DATA), and a single envelope can carry multiple messages because it may be addressed to multiple recipients.  In other words:

From: Guy Incognito
To: Frank Grimes, Lenny Leonard, Carl Carlson

This particular email would be one envelope and three messages, because it has to get delivered to 3 people.  So, at the message level, it is more costly to process a message with multiple recipients.  You can scan the content once before branching it out, but when it comes time to deliver, you have to fork it into an individual message for each recipient, and each of those messages costs bandwidth and storage.
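As an added illustration (not code from the original post), here is a small Python script that computes the measures just described from a constructed envelope log.  The log lines, IP addresses and botnet labels are made up for the example; each line stands for one SMTP transaction and lists the recipients accepted at RCPT TO.  It shows that the same traffic can rank differently depending on whether you count distinct IPs, envelopes, messages, or recipients per envelope.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (made up for this example), one line per envelope:
#   timestamp  source_ip  botnet_label  recipient1,recipient2,...
# A real feed would come from the MTA's per-transaction logging.
LOG = """\
2009-11-03T10:00:01 198.51.100.7 cutwail a@example.com,b@example.com,c@example.com,d@example.com
2009-11-03T10:00:02 198.51.100.7 cutwail e@example.com,f@example.com,g@example.com
2009-11-03T10:00:05 198.51.100.9 lethic h@example.com,i@example.com,j@example.com,k@example.com,l@example.com
2009-11-03T10:00:07 203.0.113.11 rustock m@example.com
2009-11-03T10:00:08 203.0.113.12 rustock n@example.com
2009-11-03T10:00:09 203.0.113.13 rustock o@example.com,p@example.com
2009-11-03T10:00:10 203.0.113.14 rustock q@example.com
2009-11-03T10:00:11 203.0.113.15 rustock r@example.com
"""


@dataclass
class BotnetStats:
    envelopes: int = 0          # SMTP transactions seen
    messages: int = 0           # per-recipient deliveries (sum of RCPT TO counts)
    ips: set = field(default_factory=set)  # distinct sending IPs

    @property
    def avg_recipients(self) -> float:
        """Messages per envelope; 1.0 means every envelope had a single recipient."""
        return self.messages / self.envelopes if self.envelopes else 0.0


def parse_log(text: str) -> dict:
    """Aggregate one envelope per line into per-botnet counters."""
    stats = defaultdict(BotnetStats)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, ip, botnet, rcpts = line.split()
        recipients = [r for r in rcpts.split(",") if r]
        s = stats[botnet]
        s.envelopes += 1
        s.messages += len(recipients)
        s.ips.add(ip)
    return dict(stats)


METRICS = {
    "ips": lambda s: len(s.ips),
    "envelopes": lambda s: s.envelopes,
    "messages": lambda s: s.messages,
    "avg_recipients": lambda s: s.avg_recipients,
}


def rank(stats: dict, metric: str) -> list:
    """Botnet names sorted from spammiest to least spammy under the chosen metric."""
    keyfn = METRICS[metric]
    return [name for name, s in sorted(stats.items(),
                                       key=lambda kv: keyfn(kv[1]),
                                       reverse=True)]


if __name__ == "__main__":
    stats = parse_log(LOG)
    print(f"{'botnet':10} {'ips':>4} {'envs':>5} {'msgs':>5} {'rcpt/env':>9}")
    for name, s in sorted(stats.items()):
        print(f"{name:10} {len(s.ips):4} {s.envelopes:5} {s.messages:5} {s.avg_recipients:9.2f}")
    for metric in METRICS:
        print(f"spammiest by {metric}: {rank(stats, metric)[0]}")
```

In the constructed data the wide-and-shallow botnet wins on distinct IPs and envelopes, the fan-out botnets win on messages and recipients per envelope, which is exactly why a single "spammiest" ranking is hard to agree on.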

At the message level, here are 10 botnets that I have been tracking for around a month along with the average number of recipients per message:

[image: table of the 10 tracked botnets with the average number of recipients per message]
From this perspective, cutwail and lethic are the spammiest botnets.  They send spam messages to lots of different recipients, which results in higher infrastructure costs for the recipient (not to mention for whoever is filtering the spam).  Lethic is a fairly new botnet; I don’t have a lot of stats for it before November 2009.  I wonder whether or not it is related to cutwail1/2 at all, seeing as the behavior is so similar.  I’d have to dig into our logs and see what the messages look like in order to tell whether there are enough similarities.

Rustock is way down the list.  Rustock is a very clever botnet, in contrast to cutwail1/2 and lethic.  Rustock’s strategy is a botnet base a mile wide and an inch deep.  In other words, the number of distinct IPs is far higher in Rustock than in any other botnet (it isn’t even close), but the number of messages it sends per envelope is small, approaching 1.0.  This gives it a wider footprint that is harder to detect: a bursty emission of spam from a small number of IPs is easier to spot than the same volume scattered across many, many more IPs.  On the other hand, while the scattered approach is harder to detect, the bursty approach does more damage to a network because of the additional load it puts on the network during peak traffic times.

What about the types of messages it is sending?  How big are they and how much bandwidth do they consume?  That’s the subject for a future post.