Inside The Big Business Of Spam Botnets

Spam emails are usually so crude that it might seem impossible that spammers make money from them, but the sheer volume of messages sent every day makes spamming a profitable industry – most emails sent worldwide are spam.

This constant stream of cheap drug offers and other scams is pumped out by botnets, networks of computers that have been hijacked without their owners’ knowledge, which are rented out to spammers as a mass email delivery service. In August last year, researchers at the International Secure Systems Lab were able to take over one of these botnets, known as Cutwail, and have now published a paper on its inner workings.

Cutwail botmasters market their services as “0bulk Psyche Evolution”, offering customers a web interface in Russian and English that lets them create spam campaigns with a few clicks. There’s even an instruction manual and an online support team for spammers who need assistance.

The researchers took control of 16 servers used to operate the Cutwail botnet, which in May 2009 was estimated to be responsible for nearly half of all email spam. They analysed the software used to infect computers and add them to the botnet, and identified which servers the bots contacted for instructions. Working with internet service providers, they shut down the botnet servers and gained unprecedented access to the botmasters’ data.

Their findings demonstrate the huge scale of a botnet operation. On an average day the botnet contained more than 120,000 individual computers, 38 per cent of which were in India. The researchers believe that botmasters specifically target Indian machines because they are cheaper to recruit – there is an entire sub-industry of online groups who install botnet malware on thousands of computers, for a fee.

Records found on the Cutwail servers show they sent more than 1.7 trillion emails between June 2009 and August 2010. Such high numbers are necessary for the spammers to get their messages through. The researchers found that factors such as invalid or blacklisted email addresses mean that only 30 per cent of spam emails reach their destination server, and the number seen by users is likely to be much lower once client-side spam filters are taken into account.

Even with so few messages getting through, this email bombardment eventually pays off. The researchers say that botmasters typically rent out their services for between $US100 and $US500 per million emails sent, or offer bulk discounts of 100 million emails per day for $US10,000 per month. Depending on the discounts sold, the researchers estimate Cutwail controllers made a profit of between $US1.7 million and $US4.2 million since June 2009 – in other words, around one ten-thousandth of a cent per email sent.

Image Credit: James Cridland/(CC BY 2.0)

New Scientist reports, explores and interprets the results of human endeavour set in the context of society and culture, providing comprehensive coverage of science and technology news.