How to send 5 million spam emails without even noticing


Thanks to Attila Marosi of SophosLabs in Hungary. Attila came up with the idea for, and conducted the research used in, this article.

We write about bots, also known as zombies, fairly frequently on Naked Security.

That's because they're the money-making machinery of modern cybercrime.

The idea is simple: malware on your computer regularly "calls home," often by making an innocent-looking web request using HTTP, just like your browser.

But instead of fetching a web page for display, the bot (short for "malware robot") downloads a list of instructions, which it carries out using your computer and your network connection.

For example:

But the criminal activity most associated with bots is spamming.

That's because spammers don't just use a bot here and a bot there to send unwanted emails, they use a whole collection of bots at the same time (typically tens of thousands or more), for truly distributed spamming power.

→ The collective noun for a group of bots is a botnet, short for "robot network." The cybercrooks who run a botnet are known as botherders or botmasters. If you want to send spam but you don't have a botnet of your own, you can rent time on someone else's, using the CaaS (crimeware-as-a-service) model.


The crooks enjoy many benefits from using other people's computers to send spam, namely:

  • Resilience. There isn't a single point of failure. Even if half of the zombified computers are cleaned of malware, the other half keep going.
  • Value-for-money. The crooks pay nothing for their bandwidth. You pay instead. You also carry the risk of being blocklisted by your ISP, because you're the only publicly visible email step in the spam sending chain.
  • Performance. 10,000 computers sending 10,000 spams each will typically finish faster than one server sending 100,000,000 spams.

Enter the Honeybot

But just how much spam can a botnet send in real life?

SophosLabs in Hungary decided to find out, using a carefully-configured "honeybot" that would receive spamming commands from its botmasters, generate spam messages, and send them out.

However, the messages weren't allowed past a special dead-end server that was blocked off from the internet.

In other words, the spam was constructed and sent on its way, but then trapped and measured instead of being delivered to its real destination.

With that in mind, of course, the numbers in real life would be lower, because not all receiving servers would be working correctly, and not all email addresses would be valid.

Nevertheless, the numbers give a good idea of how much you might help the crooks if you had a single infected computer connected via a typical home network connection (e.g. ADSL or cable).

The results

In a one week period, from a single computer infected with a single piece of malware:

  • 5.5 million email addresses were spammed.
  • 30 GBytes of outbound email were sent.
  • 750,286 unique spam messages were sent.
  • 26% included another item of malware.
  • 74% contained links to a pharmaceutical website.

In the course of the week:

  • 11 different types of malware were sent out.
  • 3771 different URL-shortener links were used...
  • ...which redirected via 58 different hacked servers...
  • ...to the same pharmaceutical site.

As we mentioned above, if you were infected on a real computer at home, your throughput might be lower.

Some of the 60,079 mail servers used might have been offline; some of the recipients would certainly have been invalid; and bandwidth or data limits might have reduced your total sending capacity.

But many users these days have uncapped data plans, or ISPs that meter downloads only (sending email is effectively an upload), so 30GByte in a week is not an exceptional amount.

→ That's a sustained average throughput of about 400Kbit/sec, which is less than half the upload bandwidth of a regular ADSL connection. For many users, that would mean sufficient bandwidth left over that the spam would probably go unnoticed, or at least uninvestigated.

And that, in a nutshell, is how much spam a single infected computer in a botnet can send.
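Spam at this rate is easy to miss by eye but stands out in outbound connection records. The following is an added example, not part of the original article or the SophosLabs research: it converts the honeybot's weekly totals into per-hour figures and flags any internal host whose direct SMTP traffic (TCP port 25) looks similar. The flow-record format, the thresholds, the relay allowlist and the sample addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict

WEEK_SECONDS = 7 * 24 * 3600

def weekly_profile(total_bytes, distinct_servers):
    """Convert weekly totals into (Kbit/sec, distinct mail servers per hour)."""
    kbit_per_sec = total_bytes * 8 / WEEK_SECONDS / 1000
    servers_per_hour = distinct_servers / (WEEK_SECONDS / 3600)
    return kbit_per_sec, servers_per_hour

# The article's honeybot week: 30 GBytes (taken as 30e9 bytes) to 60,079 mail servers.
BOT_KBIT, BOT_SERVERS_PER_HOUR = weekly_profile(30e9, 60_079)

def flag_smtp_senders(flows, window_seconds, known_relays=(),
                      max_servers_per_hour=10, max_kbit_per_sec=50):
    """Return {host: (servers_per_hour, kbit_per_sec)} for hosts over either limit.

    flows: iterable of (src_ip, dst_ip, dst_port, bytes_out) tuples.
    The two limits are assumptions, chosen well below the bot profile above.
    """
    servers, sent = defaultdict(set), defaultdict(int)
    for src, dst, port, nbytes in flows:
        # Only direct SMTP (TCP 25) to servers other than the user's own relay.
        if port != 25 or dst in known_relays:
            continue
        servers[src].add(dst)
        sent[src] += nbytes
    flagged = {}
    for host, dsts in servers.items():
        per_hour = len(dsts) / (window_seconds / 3600)
        kbit = sent[host] * 8 / window_seconds / 1000
        if per_hour > max_servers_per_hour or kbit > max_kbit_per_sec:
            flagged[host] = (round(per_hour, 1), round(kbit, 1))
    return flagged

def sample_flows():
    """Constructed one-hour sample: a normal PC and a host behaving like the honeybot."""
    flows = [("192.168.1.10", "192.0.2.25", 25, 40_000),        # mail via known relay
             ("192.168.1.10", "198.51.100.200", 25, 40_000),    # one other mail server
             ("192.168.1.10", "203.0.113.200", 443, 9_000_000)]  # web traffic, ignored
    # 358 distinct mail servers at 500,000 bytes each, close to the bot profile.
    flows += [("192.168.1.20", f"{net}.{h}", 25, 500_000)
              for net in ("198.51.100", "203.0.113") for h in range(1, 180)]
    return flows

if __name__ == "__main__":
    print(f"bot profile: {BOT_KBIT:.0f} Kbit/sec, {BOT_SERVERS_PER_HOUR:.0f} servers/hour")
    print(flag_smtp_senders(sample_flows(), 3600, known_relays={"192.0.2.25"}))
```

The distinct-server count is the stronger signal of the two: a home computer normally hands its mail to one or two relays, whereas the honeybot averaged several hundred different mail servers every hour.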

What does this mean?

• A 10,000-computer botnet can pump out 50 billion spams per week.

• Cybercrooks "invest" by spreading new malware during spam campaigns.

• Insecure servers provide innocent-looking URLs as a first hop.

• Don't give up on your spam filter just yet.

Clean up right away if you find you are infected.

Remember, if you aren't part of the solution, you're part of the problem!

Free Sophos UTM Home Edition

Want to filter spam and keep out zombie malware on your home network?

If you have a spare PC or laptop handy, why not try the Sophos UTM Home Edition?

You get all the features of our commercial product, including: web and email filtering; a network intrusion detection system; full-blown VPN support; regular and frequent updates; and licences to install and manage Sophos Anti-Virus for Windows on up to 12 PCs.

If you are the IT geek in a shared house or have children to keep safe online, this could be just what you need, all for $0.


Image of honeypot courtesy of Shutterstock.

Image of woman blasting out messages courtesy of Shutterstock.


15 Responses to How to send 5 million spam emails without even noticing

  1. MikeP_UK · 430 days ago

    Many rural connections still use ADSL Max and ours struggles to give 200kbps download so we would definitely notice such traffic levels - and we are not untypical of rural users. I gather from BT/Openreach that even a significant proportion of urban users do not have download speeds that exceed 400 kbps so they would definitely notice the traffic levels mentioned.
    Those with fibre services, whether FTTC or FTTP or even FTTRn, would be less likely to notice unless they use network traffic monitoring software on each and every 'computer system', whether PC or laptop or smart phone or tablet etc., that connects to the internet.

    • Paul Ducklin · 430 days ago

      Really? A significant proportion of urban ADSL users can't exceed 0.4MBit/sec downstream? Are you sure you don't mean 400K*byte*/sec, which is more like 4Mbits/sec?

      I've used several different ADSL-based internet services in numerous countries, and in my experience, anything at 4MBit/sec or below requires special throttling effort by the ISP. (Some sell lower-rated services at a cheaper price, which involves rate limiting your connection; others have a monthly data cap that cuts your speed back after you exceed a certain data allowance.)

      From memory, ADSL2+ gives up to 24Mbit/sec downstream, but typical figures are 8-12Mbit/sec, plus 1Mbit/sec upstream, with typical figures of 1Mbit/sec.

      • Mike B · 430 days ago

        By way of background, I've always found it more convenient to do calculations with bytes rather than bits, with two exceptions -- x86 vs. x64 in my OS, and display color depth. And I've tried to stick with what I thought was a standard for notation, upper-case B referring to bytes and lower-case b meaning bits.

        With that in mind, I'm in an urban region in south-central Ont., Canada, and have ADSL service through a large regional independent ISP which offers "up to" 15 mb/sec downloads. With a good connection and good server at the other end, I can typically get around 1.5 MB/sec, which is reasonably close to the advertised speed. They don't do any throttling, as far as I know, but simply add a $1/GB surcharge for anything over my 100 GB/mo. cap. And I don't think I've ever gone beyond around 50 GB, so no point paying extra for unlimited service.

        • Paul Ducklin · 429 days ago

          I used to do the B-versus-b thing until I figured I might as well write "Byte" and "bit" instead :-)

      • 4caster · 429 days ago

        This exchange is a bit off the subject, and admittedly I live in rural Lincolnshire, 6 Km from the roadside cabinet. 2 months ago I was getting 0.25 to 0.4 Mbps downstream on each of two lines. I complained to both ISPs, and different OpenReach engineers visited on different days. The first one managed to raise it to 0.5 Mbps. The second engineer transferred us to a more direct line from the exchange. We are 4 Km from the roadside cabinet in that direction, and he improved the speed to 1.0 Mbps.

    • David · 429 days ago

      If your computer was sending out spam, it would increase your upload utilization, which you might not notice because it would not affect your download speed. (This assumes that your ADSL modem is full duplex, which most are.) If you do a lot of uploading, you might notice the difference.

  2. Andrew · 430 days ago

    Wow, I think I have had this pharmacy online store, originating from Canada. Hmm, now I am panicked. If anyone knows how to be rid of this, help please.

    • Paul Ducklin · 430 days ago

      If you received the spam linking to that page, and indeed clicked through, you should be OK. It's just trying to sell you hookey pharmaceuticals, as far as I can see, not to infect you.

      If you're worried, perhaps give the free Sophos Virus Removal Tool a spin, see if it detects anything:

      • Andrew · 430 days ago

        Thanks Paul. Just did that with the virus tool supplied by Sophos and, lo and behold, virus detected and removed.

        thanks for all the hard work guys

  3. On a related note...

    David said above that upload would not affect your download speed. I would tend to agree, BUT I have a client who had Google Drive on a few computers and it was continually uploading for some reason. When it was uploading, the DOWNLOADS slowed to a crawl and the 20 people on the LAN could not reliably connect to SaaS server and email and streaming music. They had a 16Mbps DSL and a 3Mbps T1.

    I can't figure out why the uploads would cripple the downloads. Has anyone experienced this?

    Once Google Drive was stopped, things worked fine.

    • Anon · 429 days ago

      Indeed, on ADSL when the upload is maxed download slows to a crawl (and upload is easier to cap given you get less of it compared to downloads). We had this at work with someone on dropbox.

  4. Jason · 424 days ago


    You spelled delivered as delviered - just letting you know.




About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog