Today, out of curiosity, I decided to take a look at which botnets were sending us spam and then doing a breakdown of highest offending botnets.
This is a simple snapshot and not necessarily representative of our entire network. Since we block so much of our mail at the network edge, we don't keep stats on those IPs. But we do have a small proportion that we block with our content filter. To check this, I had to take an older version of the CBL (about 10 hours old) and map those IPs to botnets. I then compared against our post-edge-blocked traffic. This is not network wide for a period of time but only a 1-day comparison of July 23. The data is going to be a little stale but I think that the general trends are going to hold up. In other words, if I did this day-after-day, week-after-week, my guess is that little would change.
In terms of unique IPs, I took the biggest 7 identifiable botnets sending us mail, with the results below. Cutwail is the largest, followed by Rustock.
However, in terms of how much mail these guys actually send, the order changes. While Cutwail has more unique IPs, Rustock sends more spam. Waledac, which has about 5% of the total IPs, sees its spam volume drop to zero, excluding mail sent with a null sender which I track separately.
But if I separate out mail sent with a null sender <>, Waledac clearly accounts for the most amount of this type of spam. I've known for a while that Waledac's modus operandi is to send out spam with null senders, different from other botnets. The other stats I have on Waledac is that it tends to hide its mail; the spam % of Waledac IPs is not nearly as high as the other botnets which implies that it likes to shield itself behind hosts with good or questionable reputation.
Can you advise what some of the methods are for attributing spam to specific botnets?