Botnet Spam Infrastructure

When open relays closed, spammers built armies of compromised home computers to send spam; each bot sends small volumes, making blocking nearly impossible.

Timeline: The Cat and Mouse

2003 ← Attack emerges → 2008 ← Industry responds → 2011 ← Botnets decline → Limited

The Evolution

| Phase | Period | What Happened |
|---|---|---|
| CONTEXT | 2000 | Open mail relays blacklisted; spammers need new delivery |
| ATTACK | 2003 | Sobig - first major spam botnet proves concept |
| PEAK | 2007 | Storm Worm: P2P architecture, 20% of global spam |
| | 2008 | Srizbi: 60B emails/day; McColo takedown drops spam 75% |
| RESPONSE | 2008 | McColo hosting provider takedown |
| | 2010 | ISPs block residential port 25 globally |
| | 2011 | Microsoft/FBI Rustock takedown (40B emails/day stopped) |
| DECLINE | 2012+ | Major botnets disrupted; spam shifts to compromised accounts |

Key Events with Sources

| Date | Event | Significance | Source |
|---|---|---|---|
| 2003 | Sobig botnet | First major spam botnet; ~100K bots | Symantec |
| Jan 2007 | Storm Worm peaks | P2P botnet; 1-50M infections estimated | Wikipedia |
| Nov 2008 | McColo takedown | Hosting provider cut off; global spam drops 75% overnight | Washington Post |
| Mar 2011 | Rustock takedown | Microsoft/FBI seize C2; 40B emails/day stopped | FBI |
| Jul 2012 | Grum takedown | Coordinated effort; 18% of global spam eliminated | Spamhaus |

Overview

When blacklists made open mail relays unusable, spammers needed a new delivery mechanism. The solution: malware that turned hundreds of thousands of home computers into spam-sending robots. Each infected machine sent only a few emails, but together they could deliver billions of messages daily. This distributed approach made traditional IP blocking nearly useless.

The Attack

Why Botnets Emerged

Open Relay Era (Pre-2003):

Spammer → Open Relay → Millions of victims
              │
        Gets blacklisted → Find new relay

Problem: Relays got blacklisted; finite supply of open relays.

Botnet Era (2003+):

Spammer → 500,000 infected home PCs → Millions of victims
              │
        Each sends 50 emails → Hard to blacklist all

Advantage: Residential IPs, distributed sending, self-replenishing supply.

Botnet Architecture

┌──────────────────────────────────────────────────────────────┐
│                     Botnet Operator                          │
└──────────────────────────────────────────────────────────────┘
                            │
                   Command & Control
                            │
         ┌──────────────────┼──────────────────┐
         ▼                  ▼                  ▼
    ┌─────────┐        ┌─────────┐        ┌─────────┐
    │  Bot 1  │        │  Bot 2  │        │ Bot ... │
    │ (Home   │        │ (Home   │        │ (500K   │
    │   PC)   │        │   PC)   │        │  total) │
    └────┬────┘        └────┬────┘        └────┬────┘
         │                  │                  │
     Sends 50 emails    Sends 50 emails    Sends 50 emails
         │                  │                  │
         └──────────────────┴──────────────────┘
                            │
                    25 million emails/day

Major Spam Botnets (Chronological)

Sobig (2003)

  • Innovation: First major spam botnet
  • Scale: ~100,000 infected machines
  • Impact: Demonstrated botnet viability for spam

Storm Worm (2007-2008)

  • Innovation: Peer-to-peer C2 (no central server to take down)
  • Scale: ~1-50 million infected machines (estimates vary)
  • Spam Volume: 20% of global spam at peak
  • Delivery: Email attachments, drive-by downloads

Storm Worm P2P Architecture:
No central C2 server - bots communicate with each other
Take down one node → others continue operating

Bot A ←→ Bot B ←→ Bot C
  ↑         ↑         ↑
  └────→ Bot D ←──────┘

Srizbi (2007-2008)

  • Innovation: Kernel-mode rootkit for stealth
  • Scale: ~450,000 bots
  • Spam Volume: 60 billion emails/day (est.)
  • Death: McColo takedown (2008)

Rustock (2006-2011)

  • Innovation: Polymorphic code, anti-analysis
  • Scale: ~1 million bots
  • Spam Volume: 30-40 billion emails/day
  • Death: Microsoft/FBI takedown (March 2011)

Cutwail (2007-2014)

  • Innovation: Spam-as-a-Service business model
  • Scale: ~1.5 million bots
  • Spam Volume: 74 billion emails/day at peak
  • Notable: Survived multiple takedown attempts

Grum (2008-2012)

  • Innovation: Extremely efficient SMTP engine
  • Scale: ~120,000 bots
  • Spam Volume: 18 billion emails/day (18% of global spam)
  • Death: Coordinated takedown (July 2012)

Spam Email Characteristics

Headers from Botnet Spam:

Received: from unknown (HELO mail.randomword.com) (98.234.15.67)
    by mx.victim.com with SMTP; Tue, 15 Mar 2008 14:23:15 -0500
From: "Canadian Pharmacy" <deals@pharma-discount.biz>
Reply-To: orders@different-domain.info
Subject: RE: Your prescription is ready
Message-ID: <random123@infected-pc.home>
X-Mailer: Microsoft Outlook Express 6.00

Buy now at lowest prices!!!

Telltale Signs:

  • Residential IP addresses (dynamic, DSL/cable ranges)
  • Missing or malformed headers
  • HELO/EHLO mismatch with actual hostname
  • Inconsistent Message-ID formats
  • Generic subjects with RE:/FW: prefixes

SMTP Session from Bot

$ telnet mx.victim.com 25

220 mx.victim.com ESMTP ready
HELO definitely-real-mail-server.com      ← Fake hostname
250 Hello definitely-real-mail-server.com
MAIL FROM:<random34234@sender.com>        ← Randomized sender
250 OK
RCPT TO:<victim@victim.com>
250 OK
DATA
354 Start mail input
From: Canadian Pharmacy <drugs@pharma.com>
To: victim@victim.com
Subject: RE: Important medication notice

[Spam content with image-based text, random word salad,
 URL to pharmacy site, unsubscribe link to track opens]

.
250 OK, message queued
QUIT
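The telltale signs above can be checked mechanically. This is an added example, not code from the original page: it parses the sample headers shown earlier and scores them. The residential range and the PTR (reverse DNS) table are constructed stand-ins for a real PBL/DUL feed and a live lookup, so it runs offline.

```python
import ipaddress
import re
from email import message_from_string

# Constructed stand-ins for a residential-range feed and a live PTR lookup,
# so the check runs offline. 98.234.15.67 is the IP from the page's sample.
RESIDENTIAL_RANGES = [ipaddress.ip_network("98.234.0.0/16")]
PTR_TABLE = {"98.234.15.67": "98-234-15-67.dsl.example-isp.net",
             "203.0.113.10": "mail.example.org"}
RECEIVED_RE = re.compile(r"\(HELO (?P<helo>\S+)\) \((?P<ip>[\d.]+)\)")

def domain_of(addr):
    """Domain part of 'Name <user@host>', '<id@host>' or a bare address."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def botnet_signals(raw):
    """Return the telltale signs present in one raw RFC 822 message."""
    msg = message_from_string(raw)
    signals = []
    m = RECEIVED_RE.search(msg.get("Received", ""))
    if m:
        if any(ipaddress.ip_address(m["ip"]) in n for n in RESIDENTIAL_RANGES):
            signals.append("residential-ip")
        if PTR_TABLE.get(m["ip"], "").lower() != m["helo"].lower():
            signals.append("helo-mismatch")        # HELO name != reverse DNS
    else:
        signals.append("malformed-received")
    from_dom = domain_of(msg.get("From"))
    if from_dom and domain_of(msg.get("Reply-To")) not in ("", from_dom):
        signals.append("reply-to-mismatch")
    if from_dom and domain_of(msg.get("Message-ID")) != from_dom:
        signals.append("message-id-mismatch")      # ID minted on the bot, not the sender
    if (re.match(r"\s*(RE|FW|FWD):", msg.get("Subject", ""), re.I)
            and not msg.get("In-Reply-To") and not msg.get("References")):
        signals.append("fake-reply")              # RE: with no thread headers
    return signals

SAMPLE = """Received: from unknown (HELO mail.randomword.com) (98.234.15.67)
    by mx.victim.com with SMTP; Tue, 15 Mar 2008 14:23:15 -0500
From: "Canadian Pharmacy" <deals@pharma-discount.biz>
Reply-To: orders@different-domain.info
Subject: RE: Your prescription is ready
Message-ID: <random123@infected-pc.home>
X-Mailer: Microsoft Outlook Express 6.00

Buy now at lowest prices!!!
"""
```

`botnet_signals(SAMPLE)` reports all five signs for the page's sample; a message with a matching HELO/PTR pair and consistent domains reports none.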

Defenses

IP Reputation Systems

Dynamic blacklists that learn sending patterns:

Traditional Blacklist:
IP 1.2.3.4 → Blacklist (static entry)

Reputation System:
IP 1.2.3.4:
  - Emails sent today: 10,000
  - Spam complaints: 8,000
  - Reputation score: 0.1 (terrible)
  → Temporarily block, re-evaluate in 24h
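The difference between a static entry and a reputation score is that the score is recomputed over a window and the block expires. This added example (not from the page) implements that with the page's 10,000 sent / 8,000 complaints case; the window, minimum sample, thresholds and the score formula are assumptions for illustration, not any vendor's.

```python
from collections import defaultdict, deque

# Tunables; the numbers are assumptions for this example, not any vendor's.
WINDOW_SECONDS = 24 * 3600   # history the score is computed over
MIN_SAMPLE = 100             # don't judge an IP on a handful of messages
BLOCK_BELOW = 0.25           # score under which delivery is refused
BLOCK_SECONDS = 24 * 3600    # how long a block lasts before re-evaluation

class SenderReputation:
    """Per-IP reputation over a sliding window, with blocks that expire."""

    def __init__(self):
        self.history = defaultdict(deque)   # ip -> (ts, sent, complaints)
        self.blocked_until = {}

    def record(self, ip, ts, sent, complaints=0):
        """Log a batch of deliveries from ip and how many drew complaints."""
        self.history[ip].append((ts, sent, complaints))

    def score(self, ip, now):
        """Fraction of recent mail that drew no complaint: 1.0 clean, 0.0 all spam."""
        q = self.history[ip]
        while q and q[0][0] < now - WINDOW_SECONDS:
            q.popleft()                     # forget behaviour older than the window
        sent = sum(s for _, s, _ in q)
        if sent < MIN_SAMPLE:
            return 1.0                      # assumption: unknown senders start clean
        bad = sum(c for _, _, c in q)
        return round(1 - bad / sent, 3)

    def should_block(self, ip, now):
        """True while a block is in force or the current score is too low."""
        if now < self.blocked_until.get(ip, -1):
            return True
        if self.score(ip, now) < BLOCK_BELOW:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            return True
        return False
```

Unlike the static entry, an IP that stops drawing complaints is admitted again once its bad history ages out of the window.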

Key Services:

  • Spamhaus ZEN
  • Barracuda Reputation
  • Cloudmark Sender Intelligence
  • Return Path (now Validity)

ISP Port 25 Blocking

Residential ISPs block outbound port 25:

Home PC ──X──→ port 25 ──→ Victim's mail server
         │
         │ BLOCKED
         │
         └───→ ISP's mail server (port 587) ──→ Victim
                    β”‚
              ISP can monitor
              and rate-limit

Impact: Bots must either:

  • Relay through ISP (gets caught)
  • Use compromised servers (limited supply)
  • Find open proxies (cat-and-mouse)

Botnet Takedowns

Coordinated disruption of C2 infrastructure:

McColo Takedown (2008):

Before: McColo hosting provider hosts C2 for Srizbi, Rustock, others
Action: Upstream providers cut off McColo
After: Global spam drops 75% overnight

Rustock Takedown (2011):

Before: ~1 million bots sending 40B emails/day
Action: Microsoft legal action + FBI raids
After: C2 servers seized, bots orphaned

Content-Based Filtering

Machine learning on email content:

# Simplified spam classifier
features = [
    contains_pharmacy_keywords(email),
    has_image_heavy_content(email),
    url_reputation_score(email.links),
    sender_reputation(email.from),
    bayesian_spam_probability(email.body)
]

if ml_model.predict(features) > 0.8:
    mark_as_spam(email)

Advantage: Works regardless of sending IP.

Attacker Adaptation

Fast-Flux DNS

Rapidly rotate IP addresses behind domains:

Minute 1: spam-site.com → 1.2.3.4
Minute 2: spam-site.com → 5.6.7.8
Minute 3: spam-site.com → 9.10.11.12

TTL: 60 seconds
IPs: infected machines serve content
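Fast-flux shows up in passive DNS as a short TTL combined with many answers scattered across unrelated networks. This added example (not from the page) profiles the rotation shown above; the observations are constructed, the page's three IPs are used for spam-site.com, and cdn.example.net is a made-up low-TTL host included to show that a short TTL alone is not fast-flux. Distinct /16 prefixes stand in for ASN diversity, which would need a live lookup.

```python
import ipaddress

# Constructed passive-DNS observations: (seconds, domain, ttl, answered IP).
OBSERVATIONS = [
    (0,   "spam-site.com",   60, "1.2.3.4"),
    (60,  "spam-site.com",   60, "5.6.7.8"),
    (120, "spam-site.com",   60, "9.10.11.12"),
    (180, "spam-site.com",   60, "1.2.3.4"),
    # Low TTL but two addresses in one netblock: CDN-style, not flux.
    (0,   "cdn.example.net", 60, "203.0.113.10"),
    (60,  "cdn.example.net", 60, "203.0.113.11"),
    (120, "cdn.example.net", 60, "203.0.113.10"),
]

def flux_profile(observations, domain):
    """Summarise how a domain's A records behave over the observation window."""
    rows = [o for o in observations if o[1] == domain]
    ips = {ip for _, _, _, ip in rows}
    # Distinct /16 prefixes stand in for ASN diversity (assumption for offline use).
    prefixes = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in ips}
    return {
        "min_ttl": min(ttl for _, _, ttl, _ in rows),
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "changes": sum(1 for a, b in zip(rows, rows[1:]) if a[3] != b[3]),
    }

def is_fast_flux(profile, max_ttl=300, min_ips=3, min_prefixes=3):
    """Short TTL alone is normal (CDNs); flag only with many, scattered IPs."""
    return (profile["min_ttl"] <= max_ttl
            and profile["distinct_ips"] >= min_ips
            and profile["distinct_prefixes"] >= min_prefixes)

def fast_flux_domains(observations):
    """Domains in the observation set whose profile meets the flux criteria."""
    domains = sorted({d for _, d, _, _ in observations})
    return [d for d in domains if is_fast_flux(flux_profile(observations, d))]
```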

Snowshoe Spam

Spread sending across many IPs at low volume:

Traditional: 1 IP sends 1 million emails → Easy to block
Snowshoe:    1000 IPs each send 1000 emails → Harder to block

Each IP stays under reputation thresholds
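Because every IP stays under the per-IP threshold, a snowshoe campaign is only visible when volume is aggregated by something the sender cannot spread out: the netblock the IPs were leased in, or a fingerprint of the message template. This added example (not from the page) shows both views over a constructed send log; the limits are assumptions.

```python
import ipaddress
from collections import Counter

PER_IP_LIMIT = 1000      # per-IP threshold snowshoe senders stay under (assumed)
CAMPAIGN_LIMIT = 5000    # threshold applied after aggregating across IPs (assumed)

def constructed_log():
    """Constructed send log: twelve IPs in two /24s, each under the per-IP
    limit, all pushing the same template; plus one ordinary low-volume sender."""
    log = []
    for i in range(6):
        log += [("198.51.100.%d" % (10 + i), "tmpl-A")] * 900
        log += [("192.0.2.%d" % (20 + i), "tmpl-A")] * 900
    log += [("203.0.113.5", "tmpl-B")] * 40
    return log

def by_ip(ip, _tmpl):
    """The traditional view: one counter per sending IP."""
    return ip

def by_slash24(ip, _tmpl):
    """Group by /24 netblock: snowshoe ranges are usually leased in blocks."""
    return str(ipaddress.ip_network(ip + "/24", strict=False))

def by_template(_ip, tmpl):
    """Group by a fingerprint of the message body: same campaign, many IPs."""
    return tmpl

def offenders(log, key, limit):
    """Keys whose aggregated volume exceeds limit, in sorted order."""
    counts = Counter(key(ip, tmpl) for ip, tmpl in log)
    return sorted(k for k, n in counts.items() if n > limit)
```

Per-IP counting finds nothing; the /24 and template views each surface the campaign.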

Webmail Compromise

Shift from botnets to compromised legitimate accounts:

Instead of: Bot β†’ Victim
Now:        Compromised Gmail/Yahoo account β†’ Victim

Benefits:
- Inherits provider's reputation
- No residential IP issues
- Passes SPF/DKIM

Migration to Other Channels

Spam moved beyond email:

  • SMS spam (smishing)
  • Social media spam
  • Messaging app spam
  • Comment spam

Current State

Status: Limited

Traditional spam botnets have declined significantly:

| Factor | Impact |
|---|---|
| Port 25 blocking | Bots can't send directly |
| Takedown operations | Major botnets disrupted |
| ML filtering | Content detection improved |
| Account compromise | Shifted to webmail abuse |
| DMARC adoption | Spoofing harder |

Still Active:

  • Emotet (rebuilt 2021, focuses on malware delivery)
  • Smaller regional botnets
  • IoT-based botnets (Mirai descendants)

Detection Guidance

Network Indicators

Monitor for:

  • Outbound SMTP from workstations (unusual)
  • High-volume email from single hosts
  • Connections to known botnet C2

Email Analysis

Flag spam characteristics:

email.sender_ip IN residential_ip_ranges
AND email.spf_result != "pass"
AND email.content_spam_score > 0.7
AND email.links.domain_age < 30_days
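The rule above, implemented so that each clause is reported separately. This is an added example, not code from the page; the `Email` record, the residential ranges and the treatment of a link domain with unknown registration age (counted as young) are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed residential ranges; a real filter would consult a PBL/DUL feed.
RESIDENTIAL = [ipaddress.ip_network("98.234.0.0/16"),
               ipaddress.ip_network("192.0.2.0/24")]

@dataclass
class Email:
    sender_ip: str
    spf_result: str            # "pass", "fail", "softfail", "none", ...
    content_spam_score: float  # 0.0 to 1.0 from the content classifier
    link_domain_ages: list     # days since registration per link; None = unknown

def is_residential(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL)

def explain(email, max_age_days=30):
    """Evaluate each clause of the rule separately so analysts see why it fired.
    Assumption: a link domain with no registration date counts as young."""
    return {
        "residential_ip": is_residential(email.sender_ip),
        "spf_not_pass": email.spf_result != "pass",
        "spammy_content": email.content_spam_score > 0.7,
        "young_link_domain": any(age is None or age < max_age_days
                                 for age in email.link_domain_ages),
    }

def matches_rule(email):
    """The rule as written above: all four clauses must hold."""
    return all(explain(email).values())
```

Note the gap the page itself points out: mail from a compromised webmail account passes SPF from a non-residential IP, so this rule does not fire on it and content and account-behaviour signals have to carry that case.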

Botnet Infection Indicators

On endpoints:

  • Unusual SMTP traffic
  • DNS queries to fast-flux domains
  • Processes sending email without user action
  • Communication with known C2 infrastructure

Historical Significance

Botnet spam infrastructure drove:

  • IP reputation systems
  • Behavioral email filtering
  • Machine learning in email security
  • ISP abuse desk operations
  • International law enforcement cooperation

The arms race continues, but the battlefield has shifted from botnets to compromised accounts and other channels.

What Killed It (or Weakened It)

| Defense | Introduced | Impact |
|---|---|---|
| IP Reputation Systems | 2004 | Dynamic blacklists track sending behavior across IPs |
| Botnet Takedowns | 2008 | Law enforcement and researchers disrupt C2 infrastructure |
| ISP Port 25 Blocking | 2010 | Residential IPs can't send direct SMTP; must use ISP relays |
| Machine Learning Spam Filters | 2012 | Content-based detection catches spam regardless of source IP |

Attacker Adaptation