Botnets are networks of compromised machines that are under the command and control (C&C) of one entity – the botnet master. They are typically used for crimes such as denial-of-service attacks, identity theft, phishing and, most commonly, for sending spam. Current botnets have easy-to-use HTML-based interfaces and can be rented out by spammers for their various spamming campaigns. Researchers reported that during 2008, 85% of spam was generated by six botnets (Mega-D, Srizbi, Storm, Rustock, Pushdo and Cutwail).
A typical spamming botnet consists of the botnet master sending commands to controlling servers, which in turn send various files to their lists of bots along with instructions to be carried out. The level of sophistication that has now been attained is really quite remarkable. For example, the spamming process can be carried out collaboratively by bots performing different tasks, with some working as spam harvesters and others as spam generators. Some bots act as content servers while others act as SMTP servers. A spam campaign (workload) has at least three elements: message templates, a senders list and a receivers list. Spambots use these to produce vast quantities of spam.
Typical legitimate email flow consists of a client (Mail User Agent or MUA) connecting, via SMTP, to a server (the Mail Transfer Agent or MTA) to transfer a message. The MTA arranges for delivery by forwarding (or relaying) it to another MTA (again via SMTP), where the second MTA is typically the recipient’s mail exchange server (MX). Finally, the recipient retrieves the mail from the MX server, for example via POP. Botnet-generated spam does not follow this path: the spam source must be kept anonymous to avoid being blacklisted.
Spam transmission methods typically come in three flavors: open relays, open proxies and direct-to-MX. Open relays are SMTP servers that accept relay requests from any source to any destination. This used to be the most common method used by spammers, but these days mail servers are configured with open relaying disabled by default. Spammers consequently would configure one of their bots to become the open relay, but because ISPs now manage port 25 (as recommended by MAAWG: only authorized mail servers within the ISP’s network are allowed to make outbound connections on port 25), open relays are rarely used in today’s spamming.
An open proxy is a server that allows connections to be made from any client to any server on any port. Spambots can use these to launder their spam traffic. As with open relays, however, good practices help: ISPs with separate inbound and outbound mail servers can block spam traffic coming from the proxies, even for open proxies within the MX server’s domain (Proxylock). Lists of open proxies are typically downloaded from the controlling servers.
Direct-to-MX methods involve the bots connecting directly to the recipient domains’ MX servers. This is done by performing DNS queries for the MX record to obtain the IP addresses of the MX servers. Smarter botnets save lookup time by downloading MX lists that the controllers maintain and update. Direct delivery has become the favored method of spamming botnets despite the risk of the spambot’s IP address being blacklisted. If the ISP of the spambot manages port 25, however (as recommended by MAAWG), it can counter this type of traffic.
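The port 25 management described above also gives an ISP a simple detection signal: a customer host that is not one of the ISP’s own MTAs yet opens outbound TCP/25 connections to many distinct external MX servers is behaving like a direct-to-MX spambot. The following is an added example (not code from the paper or from MAAWG) that applies that check to a handful of constructed flow-log lines; it assumes a hypothetical allow-list of authorized MTAs, that 10.0.0.0/8 is the ISP’s customer space, and a made-up “timestamp src_ip src_port dst_ip dst_port proto” log format.

```python
import re
from collections import defaultdict

# Hypothetical allow-list of the ISP's own outbound MTAs (constructed addresses).
AUTHORIZED_MTAS = {"10.0.0.25", "10.0.0.26"}

# Constructed NetFlow-style lines: timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
2009-03-01T10:00:01 10.0.0.25 51234 203.0.113.10 25 tcp
2009-03-01T10:00:02 10.0.1.77 49152 198.51.100.5 25 tcp
2009-03-01T10:00:02 10.0.1.77 49153 198.51.100.9 25 tcp
2009-03-01T10:00:03 10.0.1.77 49154 192.0.2.44 25 tcp
2009-03-01T10:00:03 10.0.1.77 49155 192.0.2.45 25 tcp
2009-03-01T10:00:04 10.0.1.88 49160 203.0.113.80 80 tcp
2009-03-01T10:00:05 10.0.1.88 49161 10.0.0.25 25 tcp
2009-03-01T10:00:06 10.0.1.99 49170 198.51.100.7 25 tcp
"""
FLOW_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\d+) (\S+)$")

def is_internal(ip):
    # The ISP's customer space is assumed to be 10.0.0.0/8 in this example.
    return ip.startswith("10.")

def parse_flows(text):
    """Parse flow lines into (ts, src, dst, dst_port, proto); skip malformed ones."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, src, _sport, dst, dport, proto = m.groups()
            flows.append((ts, src, dst, int(dport), proto))
    return flows

def direct_to_mx_violations(flows, authorized=AUTHORIZED_MTAS):
    """Map each non-authorized internal host to the external hosts it reached on TCP/25."""
    hits = defaultdict(set)
    for _ts, src, dst, dport, proto in flows:
        if proto != "tcp" or dport != 25:
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # inbound mail, or submission to the ISP's own MTA
        if src not in authorized:
            hits[src].add(dst)
    return dict(hits)

def likely_spambots(violations, min_distinct_mx=3):
    """Hosts fanning out to many distinct external MX servers look like direct-to-MX bots."""
    return sorted(s for s, d in violations.items() if len(d) >= min_distinct_mx)
```

On the sample data the authorized MTA and the host submitting to it are ignored, 10.0.1.99 is recorded as a single policy violation, and only 10.0.1.77, which fanned out to four external MX servers, is reported as a likely spambot.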
The contents of this blog post are a summary of an excellent paper that was presented at Spam Conference 2009. Below is a link to the paper, which goes into more detail. I’ve also included a link to the MAAWG recommendation for managing port 25, a recommendation that, if followed diligently by all ISPs, could eliminate botnet spam.