Which botnet sends the most spam, part 2

Following up on my previous post, there are a couple of ways to measure which botnet sends the most spam.  On the one hand, a botnet can send a single spam message but address it to a lot of different recipients, which puts the cost of delivery heavily onto the recipient: the spammer needs only a small number of nodes, while the receiving mail server has to take on the overhead of splitting the message up and delivering a copy to each recipient.  On the other hand, a botnet can be very wide and send a lot of messages to a lot of different people, but address each message to only one recipient.  In this case the overhead of delivery is shifted onto the sender, since the spammer has to support and maintain a lot of different nodes.

But the total number of messages is only one way of looking at it.  What about the total size of the messages?  If one botnet sends 10 messages at 30 kb each and another sends 100 messages at 3 kb each, which one "sends the most spam" depends on how we measure it: they are each sending the same amount of data, 300 kb.  For the 10 botnets I have been tracking this month, below is each botnet and the average size per message, in kb, that it sends:

[Chart: average message size per botnet, in kb]

From here we can see that cutwail1/2 send very large messages.  Combining that with my previous post, which showed that they also address a lot of recipients (and so deliver a lot of messages) per email envelope, Cutwail imposes a very large strain on the overall Internet infrastructure: many copies per envelope, and each copy large.  Rustock, conversely, remains very hard to detect in terms of its footprint.  It addresses on average 1 recipient per email envelope, and its messages are quite small.

Lethic addresses lots of recipients per envelope, but its messages are small.  Gheg doesn’t address very many recipients per envelope either, but its messages tend to be larger.

So, what can we conclude from these figures?  Rustock is a very efficient spammer and cutwail a very inefficient one, where efficiency means how well the botnet hides itself and how little cost it imposes on the recipient.  Lethic is the new kid on the block but doesn’t impose large bandwidth costs, while the others fall somewhere between the rustock/cutwail extremes.
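To make the three ways of counting concrete (envelopes sent, recipient copies fanned out, and bytes moved), here is an added example that is not part of the original post and uses constructed records rather than the author's data.  Each line stands for one SMTP envelope seen at a receiving mail server, in a hypothetical key=value log format; the `botnet=` attribution is assumed to come from some external classifier.  The summary distinguishes the sender's cost (envelopes, bytes pushed over the wire) from the recipient's cost (recipient copies, and bytes delivered once the message has been split per recipient), and ranks the botnets by each metric.

```python
"""Rank spam botnets by several cost metrics from per-envelope records.

Added example with constructed data; not the post's own data or tooling.
One line per SMTP envelope seen at a receiving MTA: the botnet the sending
host was attributed to (attribution assumed to come from elsewhere), the
number of RCPT TO addresses, and the size of the DATA section in bytes.
"""
import re
from collections import defaultdict

# Constructed sample records in a hypothetical key=value log format.
SAMPLE_LOG = """\
2010-05-03T10:00:01Z botnet=cutwail rcpts=40 bytes=30720
2010-05-03T10:00:02Z botnet=rustock rcpts=1 bytes=2048
2010-05-03T10:00:03Z botnet=lethic rcpts=25 bytes=3072
2010-05-03T10:00:04Z botnet=rustock rcpts=1 bytes=2048
2010-05-03T10:00:05Z botnet=gheg rcpts=6 bytes=20480
2010-05-03T10:00:06Z botnet=rustock rcpts=1 bytes=2048
2010-05-03T10:00:07Z botnet=cutwail rcpts=40 bytes=30720
2010-05-03T10:00:08Z botnet=rustock rcpts=1 bytes=2048
2010-05-03T10:00:09Z botnet=lethic rcpts=25 bytes=3072
2010-05-03T10:00:10Z botnet=rustock rcpts=1 bytes=2048
"""

LINE_RE = re.compile(
    r"botnet=(?P<botnet>\S+)\s+rcpts=(?P<rcpts>\d+)\s+bytes=(?P<bytes>\d+)"
)

METRICS = ("envelopes", "messages", "bytes_sent", "bytes_delivered")


def parse_log(text):
    """Yield (botnet, rcpts, bytes) per envelope; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["botnet"], int(m["rcpts"]), int(m["bytes"])


def summarize(records):
    """Aggregate per botnet.

    envelopes       - SMTP transactions the botnet's hosts performed (sender cost)
    messages        - recipient copies the receiving MTA had to fan out (sum of rcpts)
    bytes_sent      - payload bytes the botnet pushed over the wire
    bytes_delivered - payload bytes the recipient side ends up delivering,
                      one copy per recipient, so rcpts * size per envelope
    """
    totals = defaultdict(lambda: {m: 0 for m in METRICS})
    for botnet, rcpts, size in records:
        t = totals[botnet]
        t["envelopes"] += 1
        t["messages"] += rcpts
        t["bytes_sent"] += size
        t["bytes_delivered"] += rcpts * size
    # Per-envelope averages: how "wide" each envelope is and how big each message is.
    for t in totals.values():
        t["avg_rcpts_per_envelope"] = t["messages"] / t["envelopes"]
        t["avg_bytes_per_envelope"] = t["bytes_sent"] / t["envelopes"]
    return dict(totals)


def rank(summary, metric):
    """Botnet names ordered by metric, largest first; ties broken by name."""
    return [name for name, _ in
            sorted(summary.items(), key=lambda kv: (-kv[1][metric], kv[0]))]


def leaderboards(text):
    """One ranking per metric, so the 'biggest spammer' can be compared across them."""
    summary = summarize(parse_log(text))
    return {metric: rank(summary, metric) for metric in METRICS}


if __name__ == "__main__":
    for metric, order in leaderboards(SAMPLE_LOG).items():
        print(f"{metric:16s} {' > '.join(order)}")
```

On the constructed data, rustock tops the envelope count (many small, single-recipient envelopes) while cutwail tops every other metric (few envelopes, each wide and large), which is exactly why "which botnet sends the most spam" has no single answer until you fix the metric.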

So, can I definitively state which botnet sends the most spam?  The answer is that it depends on which measure you pick.  While the Holy Grail of many businesses is that the more data you have, the better, I have found that this is not always the case.  Often, more data only serves to make you more confused and unable to give a straightforward answer.