Slashdot Mirror


Most Spam Comes From Just Six Botnets

Ezhenito noted some research pointing out the (maybe) surprising bit of research that 6 botnets are responsible for 85 percent of the world's spam. That seems a bit high to me, but the only aspect of spam I am an expert in is *getting* it.


  1. Who needs 6? by elrous0 · Score: 5, Funny

    Bet I could connect any one of these bots to Kevin Bacon in 3 or less.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  2. Re:Hmm by Anonymous Coward · Score: 5, Funny

    Is there a way to block these specific botnets!? Yes. Unplug your computer. Or require every person who is stupid enough to run porn.exe that they found on some website to immediately jump off a cliff carrying their computer with them.
  3. Most Spam Comes from just Six Bots, not Botnets by Aaron Isotton · Score: 5, Informative

    What TFA says is that most Spam comes from the following six types of Bot:

    Srizbi: 39%
    Rustock: 20%
    Mega-D: 11%
    Hacktool.Spammer: 7%
    Pushdo: 6%
    Storm: 2%
    Other: 15%

    This doesn't necessarily mean that most spam comes from six botnets. Some of the bots could be used by multiple bot masters; OTOH some botmasters could control multiple botnets using different bots.

    Something else I just thought of:

    The botmasters are going to use the best bot available, i.e. the one enabling them to send most spam at the least cost. On the other hand, the "good guys" are fighting spam (and the bots). So whenever a certain bot starts taking over (currently Srizbi) all the good guys will focus on that one and try to shut it down. So the bot decreases in value and another, better bot will take over. Evolution at its best.

    The Antivirus companies which are trying to fight the malware are also trying their best. The big difference is that while the success of a spambot can be easily measured by the customer (i.e. the botmaster), the success of an AV product is much harder to estimate. Also, the typical AV customer doesn't have the ability/time to find out which AV product is best for him. Moreover, AV products are some sort of subscription service (you buy the package and get 1 year of updates) which makes it hard to switch products. Often AV products are bundled with computers, selected by business principles and not by technical superiority.

    In other words, the evolution process of malware is far superior to the one of AV products.

    1. Re:Most Spam Comes from just Six Bots, not Botnets by Anonymous Coward · Score: 5, Insightful

      Tinfoil hat much Mr. 404? An AV product can't block every threat BECAUSE Windows is closed source? That makes no sense.

      The reason that they can't block every threat is that they are still signature based and have not completed the move to behavior based blocking and heuristics. The other problem - the main one - that you don't even mention is users. If someone bothered to write a 'SomeFamousPersonNaked.exe' for other OS'es - stupid users would still run it. (I do note that in today's world, the average Linux user is brighter about these things than their Windows counterparts - mostly because Linux is still in that niche role where it is dominated by computer savvy folks at least for now).

      But, give that same Windows user who is stupid enough to run that EXE an Ubuntu machine and send him a version that runs on Linux AND HE WILL STILL CLICK IT. Switching OS'es doesn't make a dork not a dork. Doesn't even really matter whether the user is an admin or not on Windows or Linux - just sending mail doesn't require it and now that Vista is actually usable by many people as a standard user the malware writers will adapt and not try to own the whole machine right away.

      I can see how this will be a problem for Linux users in the future if the user base continues to grow into that "stupid user" segment - at which point folks will be more than happy to write bot software for those users to run.

  4. Re:Since ISPs Love Filtering So Much... by Von Helmet · Score: 5, Insightful

    Spam affects the little guy. Torrents affect (apparently) the big guy.

  5. Sue the companies who advertise by ThirdPrize · Score: 5, Interesting

    While most of us treat spam as junk it is there to serve a very specific purpose. To get our money into the accounts of unscrupulous companies. A mate of mine (honestly) replied to spam and got some pills back. There are proper businesses behind them. Why can't we trace where the money goes and sue their butts off?

    How many companies are actually advertising at any one time? Is all the spam for one company, ten companies, a thousand companies or a million?

    --
    I have excellent Karma and I am not afraid to Troll it.
  6. Re:How much spam do you actually get? by Tacticus.v1 · Score: 5, Informative

    I just checked this and I think you got the address round the wrong way.

    You need to put it as john38+temp@gmail.com for it to work, as the other way round just goes to the wrong address.

  7. Re:Anti-bots? by MightyYar · Score: 5, Interesting

    I was wondering whether it would help if Google (and maybe some of the other top 10) notified you when you showed up on one of the IP block lists with a big yellow box at the top of the page, like an IE alert: "Warning: Your computer has been reported to be a SPAM relay! Please clean up your computer with the following tools..."

    Something like that. They could get the list of infected IPs from one of the black lists.

    I'm not a network guy, so I don't know what kind of technical restrictions there would be... obviously this wouldn't work well with proxies - maybe NAT would be an issue as well? In any event, I personally would appreciate such a service, even if I got hit with false positives once in a while. Of course, the bots would eventually get wise and filter out the messages, but that's part of the fun of the war.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.