I have been playing around with a little more statistics for the various botnets that I track. Just for fun, I decided to pick two of them – lethic and bobax, and see what types of TLDs they were using to send out spam.
The process is a bit involved, and I only have a small snapshot of data, so the numbers below are rough. Here's how I did it:
- We have mechanisms to count the total number of messages whose URLs point at certain TLDs: .com, .net, .org, .biz, .info, .cn and .ru (the last two are country-code TLDs rather than gTLDs). There are others, but these are the most common.
- Each day I record the IP addresses (after our IP-block filtering) from which each botnet sends mail to us, and store them in a text file. There are more IPs associated with these bots, but I only track the ones that hit our mail servers.
- I count how many messages each bot sent in terms of total messages, not total envelopes. An envelope can carry multiple To addresses, so I count every To address to get the message total.
- For each IP address, I add up all of the To addresses to get a total count of messages per IP address. I then check which TLD each message's URL points to. Not every message can be tied to a TLD: sometimes we don't catch the URL, other times we don't record it.
- In the end, what I am left with is, for each bot, how many messages point at each TLD.
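As an added example (not the script used for the post, and the data in it is constructed, not real telemetry), here is the same tally written out in Python: messages are counted per To address rather than per envelope, totals are kept per bot and per sending IP, the TLD is pulled from the URL's hostname, and envelopes with no usable URL are counted as messages but left out of the TLD percentages. The record layout (bot, IP, To addresses, URL) is an assumption about what such a daily text file would hold.

```python
"""Per-botnet TLD breakdown of spam, computed the way the post describes.

Each input record is one envelope: (bot name, sending IP, list of To
addresses, URL seen in the body or None). An envelope with three
recipients counts as three messages. Envelopes whose URL was not
recorded, or does not parse, still count towards message totals but
are excluded from the TLD percentages.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# The TLDs the post says are tracked; anything else is treated as unattributed.
TRACKED_TLDS = {"com", "net", "org", "biz", "info", "cn", "ru"}

# Constructed sample data (assumed record layout, not real botnet logs).
SAMPLE_ENVELOPES = [
    # (bot, sending IP, To addresses, URL found in the message or None)
    ("bobax", "192.0.2.10", ["a@example.com", "b@example.com"], "http://spam-site.org/x"),
    ("bobax", "192.0.2.10", ["c@example.com"], "http://another.com/y"),
    ("bobax", "192.0.2.11", ["d@example.com"], "http://promo.com:8080/z"),
    ("bobax", "192.0.2.11", ["e@example.com"], None),            # URL not recorded
    ("lethic", "198.51.100.5", ["f@example.com"] * 7, "http://pharma.ru/p"),
    ("lethic", "198.51.100.5", ["g@example.com"], "http://buy.com/q"),
    ("lethic", "198.51.100.6", ["h@example.com"], "http://meds.ru/"),
    ("lethic", "198.51.100.6", ["i@example.com"], "not a url"),  # unparseable URL
]


def tld_of(url):
    """Return the lower-cased TLD of a URL's hostname, or None if it cannot be determined.

    urlsplit().hostname drops the scheme, port and path for us; a missing
    host, a single-label host, or an IP-literal host yields None.
    """
    if not url:
        return None
    host = urlsplit(url).hostname
    if not host or "." not in host:
        return None
    label = host.rsplit(".", 1)[1].lower()
    if label.isdigit():      # IPv4 literal such as http://192.0.2.1/ has no TLD
        return None
    return label


def tally(envelopes):
    """Count messages per bot, per (bot, IP), and per tracked TLD per bot.

    Returns (msgs_per_bot, msgs_per_ip, tld_per_bot, unattributed_per_bot).
    """
    msgs_per_bot = Counter()
    msgs_per_ip = Counter()
    tld_per_bot = defaultdict(Counter)
    unattributed_per_bot = Counter()   # messages with no usable/tracked TLD
    for bot, ip, recipients, url in envelopes:
        n = len(recipients)              # one message per To address
        msgs_per_bot[bot] += n
        msgs_per_ip[(bot, ip)] += n
        tld = tld_of(url)
        if tld in TRACKED_TLDS:
            tld_per_bot[bot][tld] += n
        else:
            unattributed_per_bot[bot] += n
    return msgs_per_bot, msgs_per_ip, tld_per_bot, unattributed_per_bot


def tld_shares(tld_counts):
    """Percentage of TLD-attributed messages per TLD for one bot, rounded to 0.1."""
    total = sum(tld_counts.values())
    if total == 0:
        return {}
    return {tld: round(100.0 * n / total, 1) for tld, n in sorted(tld_counts.items())}


if __name__ == "__main__":
    per_bot, per_ip, per_tld, unattributed = tally(SAMPLE_ENVELOPES)
    for bot in sorted(per_bot):
        print(f"{bot}: {per_bot[bot]} messages, "
              f"{unattributed[bot]} without a tracked TLD")
        for (b, ip), n in sorted(per_ip.items()):
            if b == bot:
                print(f"  {ip}: {n} messages")
        for tld, pct in tld_shares(per_tld[bot]).items():
            print(f"  .{tld}: {pct}%")
```

On the constructed sample this reproduces the kind of split reported below: bobax comes out 50% .org / 50% .com of attributed messages, lethic 11.1% .com / 88.9% .ru, with one unattributed message per bot that is counted in the totals but not in the percentages. The percentages are of attributed messages only, which is the only honest base when some URLs are never recorded.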
Here are the results. Of the messages with a recorded TLD, bobax's split 50% .org and 50% .com. Lethic's were 11% .com and 89% .ru.
Eventually I'll start looking at the IP addresses these bots send from and see whether any interesting relationships emerge.