One of the assumptions that I have long held about botnets is that they grab a compromised computer, spam from it like crazy and then abandon it once it lands on an RBL. Eventually, the RBL delists it due to dormant activity, and later on the botnet reawakens, reacquires that IP and spams with it again. In other words, the botnet recycles (or re-uses) its IPs to spam, but with enough time between spamming cycles that RBLs think they are relatively safe to delist. After all, who wants an RBL that grows without bound?
I don’t have a good way to test this over a longer historical time frame, but I do have a way to test it over a shorter one. Each day, I collect stats on botnets and dump all of the IPs for each botnet into a file in its own subdirectory. I planned to have the script delete the file, but I have discovered that these files of historical spamming IPs are handy to have around. Incredibly handy, actually.
All I have is a month’s worth of data, but I figured this would be an interesting check. To test this, I went through the 14 botnets that I keep track of and counted all of the IPs that each one is sending spam from. I then did the Linux cat | sort | uniq | wc -l that prints all of the IPs, sorts them, keeps the unique entries and counts them up. This gives me a Total Count, a Unique Count, and a % Unique. If a botnet has 100 IPs and 98 of them are unique, then its % Uniqueness is 98%. That implies the spammer uses new originating sources of spam each day, which means that we cannot use the previous day’s spamming IPs to predict where today’s spam will come from. The results are below; the IP counts are all normalized against the smallest botnet (waledac) to display the relative size of each botnet sending us spam (note that this is all post-RBL data):
You can see from the above that each botnet almost never re-uses its IPs. Only darkmailer and waledac do it with any consistency, and surprisingly enough, so does rustock. But even then, 5 out of every 6 IPs are IPs that it has not used before (in the previous month, i.e., Feb 5 – March 5).
I then decided to see whether or not there is any overlap between the botnets. Perhaps they are unique amongst themselves, but what about amongst each other? It turns out that there is 86.7% uniqueness amongst them. I would say that the number is this low only because rustock pulls down the average and accounts for so many of the IPs.
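The two measurements described above (per-botnet total/unique/% unique, and the cross-botnet uniqueness check) as an added example in Python rather than the cat | sort | uniq | wc -l pipeline; this is not code from the original post, and the botnet names and IPs are constructed sample data, not the real observations. It assumes each botnet's daily files have already been read into lists of IP strings.

```python
from collections import Counter

# Constructed sample: botnet -> list of daily files, each a list of sending IPs.
# botnet_b re-uses 192.0.2.10 on day 2 and shares 198.51.100.7 with botnet_a.
SAMPLE_DAYS = {
    "botnet_a": [
        ["203.0.113.1", "203.0.113.2", "198.51.100.7"],
        ["203.0.113.3", "203.0.113.4"],
    ],
    "botnet_b": [
        ["192.0.2.10", "192.0.2.11"],
        ["192.0.2.10", "198.51.100.7"],
    ],
}

def uniqueness(ip_lists):
    """(total, unique, percent_unique) over every IP in the given daily lists.

    total is what `cat | wc -l` gives, unique is `cat | sort | uniq | wc -l`.
    """
    total = sum(len(day) for day in ip_lists)
    unique = len({ip for day in ip_lists for ip in day})
    pct = round(100.0 * unique / total, 1) if total else 0.0
    return total, unique, pct

def per_botnet_stats(days_by_botnet):
    """Per-botnet counts plus size relative to the smallest botnet's total."""
    stats = {name: uniqueness(days) for name, days in days_by_botnet.items()}
    smallest = min(t for t, _, _ in stats.values())
    return {name: {"total": t, "unique": u, "pct_unique": p,
                   "relative_size": round(t / smallest, 2)}
            for name, (t, u, p) in stats.items()}

def cross_botnet_stats(days_by_botnet):
    """Concatenate every botnet's daily files and dedupe once (the cross-botnet
    % unique figure), and also list the IPs seen by more than one botnet."""
    all_days = [day for days in days_by_botnet.values() for day in days]
    total, unique, pct = uniqueness(all_days)
    seen_in = Counter()  # ip -> number of distinct botnets it appeared in
    for days in days_by_botnet.values():
        for ip in {ip for day in days for ip in day}:
            seen_in[ip] += 1
    shared = sorted(ip for ip, n in seen_in.items() if n > 1)
    return {"total": total, "unique": unique, "pct_unique": pct, "shared_ips": shared}

if __name__ == "__main__":
    for name, row in per_botnet_stats(SAMPLE_DAYS).items():
        print(name, row)
    print("all botnets", cross_botnet_stats(SAMPLE_DAYS))
```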
Based upon this snapshot of data, I conclude the following:
- Spammers do not recycle their IPs amongst the same botnets at regular intervals, at least if the interval is less than one month. They get new ones each day.
- Spammers do not share IPs amongst each other, at least if the interval is less than one month.
- It is depressing how many new sources of IPs they are able to get, per day.
- However, I cannot draw any definitive conclusions, because once an IP gets blocked at our network edge (i.e., is on an RBL), I don’t have visibility into it. So, my above conclusions are based upon post-RBL mail, which may not be reflective of all spam.