Which botnet sends the most spam, part 3

In part 1 of my series, I looked at which botnet sends the most spam, by total number of messages sent at the recipient level and not the envelope level.  In part 2, I looked at which one sends the most spam by total amount of bytes that they emit.  Now, I’d like to put it all together; if we normalize the values, which botnet is responsible for sending out the most spam on a daily basis?  Depending on how we measure it, there are a couple of answers.

To check this, first I took a look at the average number of message envelopes each botnet sends per day.  I then normalized the values, using the lowest-sending botnet as the base and assigning it a value of 1.  I have removed lethic from this count because it seems to have fallen off the radar (is something wrong with my script?).  The table is below:

[image: table of normalized average message envelopes per day, by botnet]

Looking at this table, sorted by the average number of envelopes each botnet sends per day, it isn’t even close (for the month of January).  Rustock, by far, sends more individual spam messages than any other botnet, by a factor of 10.  Its net is so wide that the other botnets aren’t even in the running.  Mega-d is next, followed by cutwail2.

But if we measure the amount of bandwidth the individual receiving mail servers have to process, the numbers change.  If we take the average number of messages per envelope, multiply by the average message size (kb), and multiply by the average number of message envelopes per day, then we get the total amount of traffic, in bytes, that each botnet sends.  Doing this, the numbers change (remember that these are normalized values, not absolute values):

[image: table of normalized total daily traffic (messages per envelope × message size × envelopes per day), by botnet]

Looking at it this way, the worst botnet is cutwail, followed by cutwail2.  Rustock drops down to 3rd in the list, a distant 3rd but not far behind cutwail1.  The other botnets bring up the rear, only looking out into the distance and wishing they were as cool as the others.
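As an added example (not the post's own scripts), here is the two-way comparison described above computed over constructed per-botnet figures: the same normalization (lowest active sender = 1) applied first to envelopes per day and then to total daily traffic, with a botnet that has dropped off the radar excluded so it cannot become a zero base.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class BotnetStats:
    name: str
    envelopes_per_day: float  # average SMTP envelopes seen per day
    msgs_per_envelope: float  # average recipients (messages) per envelope
    avg_size_kb: float        # average message size in KB


# Constructed sample figures; these are NOT the post's measurements.
SAMPLE: List[BotnetStats] = [
    BotnetStats("rustock", 10_000_000, 1.2, 4),
    BotnetStats("mega-d", 2_000_000, 1.5, 5),
    BotnetStats("cutwail2", 1_500_000, 6, 10),
    BotnetStats("cutwail", 1_000_000, 8, 12),
    BotnetStats("lethic", 0, 0, 0),  # fell off the radar: nothing observed
]


def envelopes(b: BotnetStats) -> float:
    """Metric 1: raw number of envelopes per day."""
    return b.envelopes_per_day


def daily_kb(b: BotnetStats) -> float:
    """Metric 2: total traffic per day = msgs/envelope * size * envelopes."""
    return b.msgs_per_envelope * b.avg_size_kb * b.envelopes_per_day


def normalized_ranking(stats: List[BotnetStats],
                       metric: Callable[[BotnetStats], float]
                       ) -> List[Tuple[str, float]]:
    """Rank botnets by a metric, scaled so the lowest active sender is 1.0.

    Botnets with a zero metric (no activity seen) are dropped first, so
    the base is never zero and the ratios stay meaningful.
    """
    active = [b for b in stats if metric(b) > 0]
    base = min(metric(b) for b in active)
    ranked = sorted(active, key=metric, reverse=True)
    return [(b.name, round(metric(b) / base, 2)) for b in ranked]


if __name__ == "__main__":
    print("by envelopes/day:", normalized_ranking(SAMPLE, envelopes))
    print("by total KB/day: ", normalized_ranking(SAMPLE, daily_kb))
```

With these sample numbers rustock leads by envelopes (10x the base) but falls to third by bytes, while the two cutwail variants, sending fewer but larger multi-recipient envelopes, move to the top.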

So there you have it, my study on which botnet sends out the most spam.  I’ve shown my work, and therefore these results should be reproducible in the future.  I’m not totally convinced that my scripts are completely accurate and capturing all of the required information; however, as time passes I should be able to refine them and provide an even more accurate analysis of which botnet is the worst.