April 21, 2009
The Inefficiencies of Botnet Spammers
If you've been watching my daily spam stats recently, you must have noticed a sizable uptick in the number of items I classify under "Dictionary Attacks." Into this category goes every incoming message that gets immediately rejected as "User unknown" because there is no account set up for the addressee's name. In the past two days alone, my poor server has turned back more than 51,000 such attempts.
Diving into the logs, I see that the patterns are typical of what I've reported in the past (gateway article here): small bursts from a widely distributed range of IP addresses around the world.
One To: address at random caught my eye, so I was curious how often the bots tried to spam it. Yesterday it was 82; today it was 70 (four of which had the address also in the envelope "from" field). I then set my scope wider, searching a couple years' worth of logs for the same address.
There were nearly 4800 hits dating back to April 2007.
So much for the notion that there might be a feedback loop of some kind that reports back to controllers when addresses bounce or are accepted. For at least the past two years, my server has consistently rejected attempts to send email to that address. I don't think it's a case of optimism on the list owner's part ("Someday dannyg.com will open an account under that name, and we're ready to spam the crap out of it." — like the optimistic child who, upon opening a birthday present box filled with manure, is convinced there is a pony outside). It must be the case that they just don't care.
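The kind of log search described above can be scripted. The following is an added example, not the author's own tooling: it assumes Postfix-style reject lines (the post does not say which mail server or log format is in use), and every address, IP and log line in it is constructed. For each rejected "User unknown" recipient it reports total hits, hits per day, the number of distinct source IPs, and how often the envelope "from" was the same address.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed Postfix-style format; addresses and IPs
# are documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
Apr 20 03:11:02 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@example.net> to=<ghost@example.com> proto=SMTP helo=<pc1>
Apr 20 09:45:37 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in local recipient table; from=<ghost@example.com> to=<ghost@example.com> proto=SMTP helo=<pc2>
Apr 21 01:02:03 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in local recipient table; from=<b@example.org> to=<ghost@example.com> proto=SMTP helo=<pc3>
Apr 21 01:02:09 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<c@example.net> to=<nobody@example.com> proto=SMTP helo=<pc1>
Apr 21 04:00:00 mx postfix/smtpd[811]: connect from unknown[192.0.2.9]
Apr 21 04:02:10 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[198.51.100.99]: 554 5.7.1 Service unavailable; Client host [198.51.100.99] blocked; from=<d@example.net> to=<ghost@example.com> proto=SMTP helo=<pc4>
"""

# Match only 550 "User unknown" rejections; other reject reasons are not counted.
REJECT_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from [^\[\s]*\[(?P<ip>[^\]]+)\]: 550 .*?User unknown.*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def summarize(log_text):
    """Return per-recipient stats for unknown-user rejections in log_text."""
    stats = defaultdict(
        lambda: {"hits": 0, "by_day": Counter(), "ips": set(), "self_from": 0}
    )
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # accepted mail, connects, and other reject reasons
        rcpt = m["rcpt"].lower()
        entry = stats[rcpt]
        entry["hits"] += 1
        entry["by_day"][m["day"]] += 1
        entry["ips"].add(m["ip"])
        if m["sender"].lower() == rcpt:  # address forged into envelope "from"
            entry["self_from"] += 1
    return dict(stats)

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"])
    for rcpt, s in ranked:
        print(rcpt, s["hits"], dict(s["by_day"]), len(s["ips"]), s["self_from"])
```

Run over archived logs, a recipient with steady daily hits from many distinct IPs over a long span matches the pattern described here: a dead address that stays on the senders' lists despite consistent rejection.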
What I like about this (if one can like anything about spam) is that sending this crap costs the sender something. True, it's nano-cents per piece, and payment may even be done under barter arrangements, but the sender is expending something of value to pay for botnet time and, more importantly, address lists that must be getting dirtier and dirtier over time. Heck, someone has been propagating a clearly bad address here (one of thousands) for at least two years.
It gives me a glimmer of hope that botnet spamming could one day begin to collapse under the weight of its own inefficiencies. The recent upswing in incoming spam addressed to non-existent addresses may be a sign that the botnet spammers are getting more desperate in trying to rustle up sales of whatever they're peddling. The bum economy may also be helping otherwise gullible spam recipients to think twice before buying counterfeit medz or a Piaget knockoff.
Whatever it takes to undermine the spam economy is okay with me. And if the damage is self-inflicted, all the better.
Posted on April 21, 2009 at 07:50 AM