Re: [Asrg] Countering Botnets to Reduce Spam

Chris Lewis <> Fri, 14 December 2012 15:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B750821F85C9 for <>; Fri, 14 Dec 2012 07:08:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.667
X-Spam-Status: No, score=-0.667 tagged_above=-999 required=5 tests=[AWL=0.381, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, RDNS_NONE=0.1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jdihbR2M8tdJ for <>; Fri, 14 Dec 2012 07:08:53 -0800 (PST)
Received: from (unknown []) by (Postfix) with ESMTP id 2655121F85C3 for <>; Fri, 14 Dec 2012 07:08:52 -0800 (PST)
Received: from [] ( []) (authenticated bits=0) by (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id qBEF8mXd021580 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT) for <>; Fri, 14 Dec 2012 10:08:48 -0500
Message-ID: <>
Date: Fri, 14 Dec 2012 10:08:48 -0500
From: Chris Lewis <>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv: Gecko/20090812 Thunderbird/ Mnenhy/
MIME-Version: 1.0
References: <SNT002-W143FB9A867C92FA80D90E04C54E0@phx.gbl> <> <SNT002-W1393526B62C0940EF697B2C54E0@phx.gbl> <> <> <> <> <> <SNT002-W117523E9206C73F54784577C54D0@phx.gbl> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] Countering Botnets to Reduce Spam
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 14 Dec 2012 15:08:53 -0000

On 12-12-14 08:39 AM, Rich Kulawiec wrote:

> - Linux systems are not a significant component of botnets.  I've been
> doing passive OS fingerprinting for most of a decade, and they're in
> the noise floor.  It's still true now, as it was years ago, that
> bot-originated spam comes from Windows systems to about six 9's.

If only that were still true.  Sorry Rich.

Compromised Linux machines (mostly servers) are now responsible for ~40%
of all spam.

The actual _count_ of compromised Linux machines is indeed quite low.
Say 62K out of 8.6M observed compromised machines.  About .72%. Two 9's ;-)

But prolific?

I have individual IPs out in the wild that have shoved >1M spams into a
single trap in <48 hours.  I have a copy of one of these bots.  I
periodically run it on a wimpy dual-Atom linux laptop to characterize
what it's sending at the time.  It shoves 65 spams per _second_.

Imagine what a real server could do on industrial grade connections.

And the machine owners don't notice!

> - Better techniques already exist, such a firewalling outbound port 25
> by default and only punching holes for systems that actually need to
> send mail.  Another example: monitoring the TCP connection rate to
> port 25 on remote systems -- spam-senders are likely to push it much
> higher than "normal".

Unfortunately,, getting people to deploy those is worse than pulling teeth.