I have been playing around with some more statistics for the various botnets that I track.  Just for fun, I decided to pick two of them – lethic and bobax – and see what types of TLDs they were using to send out spam.

This is kind of a tricky process and fairly complex (and I only have a small snapshot's worth of data).  Here's how I did it:

  • We have some mechanisms to track the total number of messages that hit certain gTLDs - .com, .net, .org, .biz, .info, .cn and .ru.  There are others, but these are the most common.

  • Each day I track the various IP addresses, post IP block, from which each botnet sends mail to us, and store them in a text file.  There are more IPs associated with these bots, but I only track the ones that hit our mail servers.

  • I then find how many messages each bot sent, counting total messages rather than total envelopes.  An envelope can have multiple To addresses, so I count all of the To addresses to get total messages.

  • For each IP address, I add up all of the To addresses to get a total count of messages per IP address.  I then check to see which TLDs each message hit.  Not every message is associated with a TLD: sometimes we don't catch it, other times we don't record the specific URL.

  • In the end, what I am left with is how many TLDs each message contains, per bot.
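The tally described above, as an added example written for this post (not the author's own scripts): it counts messages per bot and IP by To address rather than by envelope, skips messages with no recorded URL or with a TLD outside the tracked set, and reports each bot's TLD share as a percentage. The envelope records, IPs and URLs are constructed sample data.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# The TLDs the post says are tracked; anything else is ignored.
TRACKED_TLDS = {"com", "net", "org", "biz", "info", "cn", "ru"}

# Constructed sample records, one per envelope:
# (bot name, sending IP, To addresses, URLs recorded from the message body).
# An empty URL list models "we don't record the specific URL".
SAMPLE_ENVELOPES = [
    ("bobax", "198.51.100.7", ["a@x.test", "b@y.test"], ["http://shop.example.org/p"]),
    ("bobax", "198.51.100.7", ["c@z.test"], ["http://deal.example.com/"]),
    ("bobax", "198.51.100.9", ["d@x.test"], ["http://deal.example.com/"]),
    ("lethic", "203.0.113.5", ["e@x.test"] * 4, ["http://pills.example.ru/"]),
    ("lethic", "203.0.113.6", ["f@y.test"] * 4, ["http://pills.example.ru/"]),
    ("lethic", "203.0.113.6", ["g@z.test"], ["http://promo.example.com/"]),
    ("lethic", "203.0.113.5", ["h@x.test", "i@x.test"], ["http://cdn.example.test/"]),
]


def tld_of(url):
    """Return the tracked TLD of a URL's host, or None if it is not tracked."""
    host = urlsplit(url).hostname or ""
    tld = host.rsplit(".", 1)[-1].lower()
    return tld if tld in TRACKED_TLDS else None


def count_messages_per_ip(envelopes):
    """Messages per (bot, ip): every To address is one message, not one envelope."""
    per_ip = Counter()
    for bot, ip, to_addrs, _urls in envelopes:
        per_ip[(bot, ip)] += len(to_addrs)
    return per_ip


def tld_share_per_bot(envelopes):
    """Per bot, percentage of TLD hits by tracked TLD (rounded to whole percent).

    Each URL in an envelope counts once per To address, since each To address
    is a separate message; envelopes with no tracked TLD contribute nothing here.
    """
    hits = defaultdict(Counter)
    for bot, _ip, to_addrs, urls in envelopes:
        for tld in filter(None, map(tld_of, urls)):
            hits[bot][tld] += len(to_addrs)
    return {bot: {t: round(100 * n / sum(c.values())) for t, n in c.items()}
            for bot, c in hits.items()}
```

With this sample set bobax comes out 50% .org / 50% .com and lethic 11% .com / 89% .ru, while the two lethic messages pointing at an untracked .test host are counted as messages but not as TLD hits.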

Here are the results.  Out of all the messages that I found, bobax sent messages with 50% of the gTLDs being .org and 50% .com.  Lethic sent 11% with .com and 89% with .ru.

Eventually, I’ll start checking the IP addresses of where these bots are sending from and see if we can determine any interesting relationships.