Spam sent from compromised (web)hosts vs botnet spam
Martijn Grooten <martijn.grooten <at> virusbtn.com>
2013-03-20 16:59:07 GMT
A few people (Chris a.o.) have mentioned the large volume of spam sent from compromised webhosts.
Here someone looked at CBL's stats and found that the ten worst senders of spam are all hosting companies:
I think this isn't just an interesting statistic about spam (like reports listing the ten worst
spam-sending countries), but it may indicate a problem. I suspect most of these senders are normal MTAs,
running Sendmail or Postfix, against which many anti-botspam techniques won't work as well - as such,
these emails may be more likely to slip through filters.
Now I have this setup where I can measure this sort of thing. And I intend to do so. But: any suggestions as to
how to easily and automatically distinguish (web)hosts from bots?
The simplest thing to do would be to check if these machines are listening on port 80. That may be good enough,
but port scanning feels a bit wrong, even if the volumes are pretty small (and I can do it through Tor). I can
also check ASNs, or whois records, but I'm worried I'll end up having to decide whether small Bulgarian or
Brazilian companies are ISPs or hosting providers, or both.
Suggestions are welcome. (As always, "your research idea is flawed" and "you're making wrong
assumptions" are valid suggestions too.)
Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
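As an added illustration of the passive route the post mentions (reverse DNS and ASN/whois data rather than port probing), here is a small heuristic scorer; it is example code, not part of the original message or anything from Virus Bulletin, and the token lists, weights and sample records are constructed assumptions rather than a published method.

```python
"""Passive 'hosting server' vs 'residential/bot-like' heuristic for spam-sending IPs.

Constructed example: token lists and scoring weights are assumptions, not a published method.
PTR names and ASN descriptions would normally come from DNS and whois lookups; here they are
passed in as arguments so the code runs offline with no probing of the remote host.
"""
import re
from typing import List, Optional, Tuple

# Tokens that access-network operators often put in auto-generated PTR names (assumed list)
RESIDENTIAL_TOKENS = {"dyn", "dynamic", "dsl", "adsl", "cable", "pool", "ppp", "pppoe",
                      "dhcp", "dialup", "dial", "cust", "customer", "client", "broadband"}
# Tokens suggestive of a server in a data centre (assumed list)
HOSTING_TOKENS = {"host", "hosting", "server", "srv", "vps", "cloud", "datacenter",
                  "datacentre", "dedicated", "colo", "www", "web"}
# Tokens in an ASN description that hint at an access ISP rather than a hoster (assumed list)
ACCESS_ASN_TOKENS = {"telecom", "telekom", "broadband", "cable", "isp", "mobile"}


def _tokens(text: str) -> set:
    # Split into alphabetic and numeric runs, so "srv7" -> {"srv", "7"} and
    # "203-0-113-45" -> {"203", "0", "113", "45"}
    return set(re.findall(r"[a-z]+|\d+", text.lower()))


def ip_embedded_in_name(ip: str, name: str) -> bool:
    # True when every octet of the IPv4 address appears in the name, the usual shape of
    # generic PTRs such as 203-0-113-45.dyn.example-isp.net (weak evidence of a dynamic pool)
    return all(octet in _tokens(name) for octet in ip.split("."))


def classify_sender(ip: str, ptr: Optional[str], asn_desc: str) -> Tuple[str, List[str]]:
    """Return ('hosting' | 'residential' | 'unknown', list of reasons) for one sending IP."""
    score, reasons = 0, []
    if ptr is None:
        score -= 1; reasons.append("no PTR record")          # common for bots, weak on its own
    else:
        p = _tokens(ptr)
        if p & RESIDENTIAL_TOKENS:
            score -= 2; reasons.append("residential token in PTR: %s" % sorted(p & RESIDENTIAL_TOKENS))
        if p & HOSTING_TOKENS:
            score += 2; reasons.append("hosting token in PTR: %s" % sorted(p & HOSTING_TOKENS))
        if ip_embedded_in_name(ip, ptr):
            score -= 1; reasons.append("IP octets embedded in PTR")
    a = _tokens(asn_desc)
    if a & HOSTING_TOKENS:
        score += 2; reasons.append("hosting token in ASN description")
    if a & ACCESS_ASN_TOKENS:
        score -= 1; reasons.append("access-ISP token in ASN description")
    label = "hosting" if score >= 2 else "residential" if score <= -2 else "unknown"
    return label, reasons
```

Anything landing in "unknown" is exactly the small-ISP-or-hoster ambiguity the post worries about, so it is worth keeping that bucket separate in the measurements rather than forcing it either way.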