Spam, spam and more spam.

Well most of you should know I know a little bit about spam, and I have to keep researching it to keep up with the times.

It seems that something I have been saying for some time, but have been unable to prove, I have finally found proof of.

Recently I registered some new domains in new TLDs (Top Level Domains, e.g. co.uk, com.au, etc.) and found that the bots delivering spam to my servers cared nothing about the server they were delivering to, but everything about which domain they were delivering to. I have for some time been the owner of 50-odd domains, and have access to around 3 million more, and as such I monitor the data coming into these domains and submit it to automated and semi-automated spamtraps depending on the domain, the connection, and the content.

One would expect to see a nice steady stream of hosts connecting, delivering spam, and disappearing, and this is exactly what is observed. However, these domains are mainly .com, .net, and .org, not to mention a healthy smattering of .us and a few other TLDs. The new domains are not available to persons outside of their respective countries, and to my surprise they collect spam, not from the 30k per day collected from the 3 million domains, but from a whole host of new IPs. What’s more surprising, cross-referencing the domains against each other has indicated that the botnets behind the spam delivery are not used across the domains; they are local to those specific domains.

One can theorize how the bots are local to the domains: are they split logically (e.g. by first letter or a hash such as ‘bots 1-10 mail @a, bots 11-20 mail @b, etc.’), or are they split by geo-location or owner? Personally I think they might be split by geo-location, though that requires more research into the individual botnets.

Bootnote: Unlike other organisations, neither I nor SORBS performs illegal activities such as hacking compromised hosts, or locating the ‘command and control’ bot/server to analyse it or the networks. We perform the analysis by looking carefully at the networks the spam comes from and what is advertised; the process is called “data mining”, and with an expert (something I am not, but I do have a few friends who are) you can use data such as that which I have been collecting since 2005 to find out most things about the botnets, their locations and sizes.
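The cross-referencing of spamtrap data by recipient domain that the post describes (and the "data mining" the bootnote refers to), as an added example written for this page rather than code from SORBS or the author: it groups sender IPs by the domain they delivered to, measures how much the sender populations of any two domains overlap, and lists domains whose senders are disjoint from everyone else's. The log format (`timestamp recipient_domain sender_ip`) and the sample lines are constructed for this example and are an assumption, not the author's real feed.

```python
"""Cross-reference spamtrap deliveries by recipient domain.

Added example, not SORBS or the author's tooling. The record layout
"timestamp recipient_domain sender_ip" is an assumption for this script.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed sample: the same senders reappear across the .com/.net/.org
# traps, while the new-TLD trap sees a completely separate set of IPs.
SAMPLE_LOG = """\
2009-03-01T10:00:01Z example.com   203.0.113.10
2009-03-01T10:00:05Z example.net   203.0.113.10
2009-03-01T10:01:12Z example.com   203.0.113.11
2009-03-01T10:02:30Z example.net   203.0.113.12
2009-03-01T10:02:44Z example.org   203.0.113.11
2009-03-01T10:03:01Z example.org   203.0.113.12
2009-03-01T10:03:59Z example.co.uk 198.51.100.20
2009-03-01T10:04:10Z example.co.uk 198.51.100.21
2009-03-01T10:05:02Z example.co.uk 198.51.100.22
2009-03-01T10:05:40Z example.com   203.0.113.10
"""


def parse_log(text: str) -> Dict[str, Set[str]]:
    """Map each recipient domain to the set of sender IPs seen at it."""
    by_domain: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records instead of guessing fields
        _timestamp, domain, ip = parts
        by_domain[domain.lower()].add(ip)
    return dict(by_domain)


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Share of the combined sender population that both domains saw."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def domain_overlap(by_domain: Dict[str, Set[str]]) -> Dict[Tuple[str, str], float]:
    """Pairwise Jaccard similarity of sender-IP sets between domains."""
    return {
        (d1, d2): jaccard(by_domain[d1], by_domain[d2])
        for d1, d2 in combinations(sorted(by_domain), 2)
    }


def ips_by_domain_count(by_domain: Dict[str, Set[str]]) -> Dict[str, int]:
    """For each sender IP, how many distinct recipient domains it hit."""
    counts: Dict[str, int] = defaultdict(int)
    for ips in by_domain.values():
        for ip in ips:
            counts[ip] += 1
    return dict(counts)


def isolated_domains(by_domain: Dict[str, Set[str]]) -> List[str]:
    """Domains whose senders never appear at any other monitored domain."""
    return sorted(
        d for d in by_domain
        if all(not (by_domain[d] & by_domain[o]) for o in by_domain if o != d)
    )


if __name__ == "__main__":
    data = parse_log(SAMPLE_LOG)
    for (d1, d2), score in domain_overlap(data).items():
        print(f"{d1:15s} {d2:15s} overlap={score:.2f}")
    print("domains with a private sender population:", isolated_domains(data))
```

Run against a real feed, a consistently low overlap between one domain and every other one (as `example.co.uk` shows here) is the signal the post describes; the per-IP domain count is the first thing to look at when testing the hashing or geo-location hypotheses, since a logically partitioned botnet would give each IP a small, fixed set of domains.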