The gTLD of choice for spammers – .ru

I have been playing around with a little more statistics for the various botnets that I track.  Just for fun, I decided to pick two of them – lethic and bobax, and see what types of TLDs they were using to send out spam.

This is kind of a tricky process, and is fairly complex (and I only have a small snapshot worth of data).  Here’s how I did it:

  • We have some mechanisms to track the total number of messages that hit certain gTLDs: .com, .net, .org, .biz, .info, .cn and .ru.  There are others, but these are the most common.

  • Each day I track the various IP addresses, post IP block, from which each botnet sends mail to us, and store them in a text file.  There are more IPs associated with these bots, but I only track the ones that hit our mail servers.
  • I go through and find how many messages each bot sent, counting total messages rather than total envelopes.  An envelope can have multiple To addresses, and therefore I count all of the To addresses to get total messages.
  • For each IP address, I add up all of the To addresses to get a total count of messages per IP address.  I then check to see what TLDs each message hit.  Not every message is associated with a TLD.  Sometimes we don’t catch it, other times we don’t record the specific URL.
  • In the end, what I am left with is how many TLDs each message contains per bot.
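The counting procedure above, written out as an added example (not the author's own tooling): it assumes a constructed pipe-separated log of envelopes (bot, sending IP, To addresses, URL) and shows how per-IP message counts and per-bot TLD shares fall out, including envelopes with no recorded URL, which are counted as messages but not attributed to any TLD.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample records, one line per envelope seen at the mail server.
# Fields: bot name | sending IP | comma-separated To addresses | URL found in
# the body (empty when no URL was recorded for that envelope).
SAMPLE_LOG = """\
lethic|198.51.100.7|a@example.com,b@example.com,c@example.com,d@example.com|http://promo.example.ru/x
lethic|198.51.100.7|e@example.com,f@example.com,g@example.com,h@example.com|http://deal.example.ru/y
lethic|203.0.113.9|i@example.com|http://shop.example.com/z
lethic|203.0.113.9|j@example.com|
bobax|192.0.2.4|k@example.com,l@example.com|http://foo.example.org/
bobax|192.0.2.4|m@example.com,n@example.com|http://bar.example.com/
"""

def tld_of(url):
    """Return the last label of the URL's hostname (e.g. '.ru'), or None if no URL was recorded."""
    if not url:
        return None
    host = urlsplit(url).hostname
    if not host:
        return None
    return "." + host.rsplit(".", 1)[-1].lower()

def tally(log_text):
    """Per bot: messages per IP (one message per To address) and the TLD share
    among messages that carried a URL, as whole percentages."""
    msgs_per_ip = defaultdict(Counter)
    tld_counts = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        bot, ip, recipients, url = line.split("|", 3)
        # Every To address on the envelope counts as one delivered message.
        n = len([r for r in recipients.split(",") if r])
        msgs_per_ip[bot][ip] += n
        tld = tld_of(url)
        if tld is not None:          # envelopes without a URL stay unattributed
            tld_counts[bot][tld] += n
    shares = {}
    for bot, counts in tld_counts.items():
        total = sum(counts.values())
        shares[bot] = {t: round(100 * c / total) for t, c in counts.items()}
    return dict(msgs_per_ip), shares

if __name__ == "__main__":
    per_ip, per_tld = tally(SAMPLE_LOG)
    for bot in per_tld:
        print(bot, dict(per_ip[bot]), per_tld[bot])
```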

Here are the results.  Out of all the messages that I found, bobax sent messages with 50% of the gTLDs being .org and 50% .com.  Lethic sent 11% with .com and 89% with .ru.

Eventually, I’ll start checking the IP addresses of where these bots are sending from and see if we can determine any interesting relationships.
