I have been playing around with a little more statistics for the various botnets that I track. Just for fun, I decided to pick two of them – Lethic and Bobax – and see what types of TLDs they were using to send out spam.
This is kind of a tricky process, and is fairly complex (and I only have a small snapshot worth of data). Here’s how I did it:
Here are the results. Out of all the messages that I found, Bobax sent messages with 50% of the gTLDs being .org and 50% .com. Lethic sent 11% with .com and 89% with .ru.
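The kind of tally behind those percentages, as an added Python example that is not the post's own tooling: it pulls the hostname out of each URL or sender address, reduces it to its effective TLD, and reports the per-botnet share. The records, the botnet labels on them, and the tiny stand-in for the Public Suffix List are all constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample records: (botnet label, URL or sender address found in the
# message). Every domain here is made up; the labels are assumed, not observed.
SAMPLE = [
    ("bobax", "http://example-one.org/offer"),
    ("bobax", "http://Example-Two.ORG/"),            # mixed case
    ("bobax", "sender@promo-three.com"),             # sender address, not a URL
    ("bobax", "http://promo-four.com:8080/x"),       # explicit port
    ("lethic", "http://deal-five.com/"),
    ("lethic", "noreply@shop-six.ru"),
    ("lethic", "http://shop-seven.ru./"),            # trailing-dot FQDN form
    ("lethic", "http://192.0.2.10/"),                # bare IP: no TLD, skipped
] + [("lethic", f"http://shop-{i}.ru/") for i in range(6)]  # six more .ru hosts

# Assumption: a tiny stand-in for the Public Suffix List so that "co.uk" is not
# miscounted as "uk". A real run should load the full list instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.jp"}

def extract_host(value):
    """Lowercased hostname of a URL or address; None if it carries no TLD
    (bare IP literals, values without a dot)."""
    if "://" in value:
        host = urlsplit(value).hostname or ""
    elif "@" in value:
        host = value.rsplit("@", 1)[1]
    else:
        host = value
    host = host.strip().rstrip(".").lower()
    if "." not in host or host.replace(".", "").isdigit():
        return None
    return host

def effective_tld(host):
    """Public suffix of a host: the last label, or two labels for known pairs."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-2:])
    return labels[-1]

def tld_share(records):
    """Map each botnet to {tld: percent of its messages}, rounded to integers."""
    counts = defaultdict(Counter)
    for botnet, value in records:
        host = extract_host(value)
        if host:
            counts[botnet][effective_tld(host)] += 1
    return {b: {t: round(100 * n / sum(c.values())) for t, n in c.items()}
            for b, c in counts.items()}
```

Run on the constructed sample, `tld_share(SAMPLE)` reproduces a 50/50 .org/.com split for Bobax and an 11/89 .com/.ru split for Lethic; swapping in real message data and the full Public Suffix List is the only change needed for a live run.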
Eventually, I’ll start checking the IP addresses of where these bots are sending from and see if we can determine any interesting relationships.