Often at TRACE we ask the question – which botnet is responsible for the most spam?
Linking spam to a botnet can be tricky, but not impossible. Our research over the past 18 months has identified characteristics of spam that are clearly ‘footprints’ of spambots – traits of the rogue spam sending software. Once recognized, these traits can be easily tracked. The following snapshot represents the results for the last week in January:
Several things about this chart are worth noting:
- One spambot type, which we have dubbed Mega-D, is responsible for 32% – nearly one-third – of all spam.
- Mega-D and Type 3 spam (a particular type of HTML-formatted spam concentrating on replica watches and Viagra) together account for 55% of all spam.
- Five spambot types are responsible for almost 70% of all spam.
- The Storm, which still garners much press, is currently a relatively minor source of spam.
Mega-D spam has been in this dominant position for some three months now. We have been tracking spam from this botnet for over a year, and during that time, the spam it generates has risen from 11% to 32% of all the spam we receive in our spam traps. The spam is almost always promoting male enlargement pills, and several brand names are used including MaxHerbal, Express Herbals, Herbal King, and VPXL. In short, it is a huge spam operation.
Of course, the picture represented by the chart above is constantly changing as spam operations get interrupted, in some cases by better anti-malware defenses or law enforcement, and otherwise by spambot software upgrades or replacements. At its peak in mid-2007, the Storm botnet was responsible for 20% of spam, whereas now it only registers 2%. Likewise, in December 2007 we reported Pushdo was responsible for 20% of spam. However, by the end of January, Pushdo spam had dropped to just 6%.
Investigation into the changing nature of these spamming botnets, including the malware behind them, is a major area of ongoing research for TRACE. If you have any information that you would like to share with us regarding these botnets, please send us an email at the following address:
