
Botnet detection: SPAM analysis

Posted on 02/10/2015, by David Cantón (INCIBE)
Botnet SPAM

Sending spam is a classic botnet operation, so it is logical to reuse spam analysis methods as botnet detection techniques. Instead of observing and analyzing all of the network traffic, as packet analysis or traffic flow analysis do, these techniques only examine communications related to email delivery, which reduces the amount of information that needs to be analyzed.

-Botnet detection techniques-

Botnets and SPAM

When botnets send spam, using compromised computers as SMTP relay nodes, they have two main objectives:

  • Expansion: they send mass emails to increase the number of bots. The email addresses used can be supplied by the C&C, generated randomly or harvested from the address lists on compromised computers. Infection methods include sending emails with malicious files attached or messages with links to malicious sites that exploit vulnerabilities on the users' machines. Examples of these types of botnets are Bamital, Bankpatch or Gamut.

-Source: Botnet detection techniques: review, future trends and issues-

  • Monetization: the mass delivery of emails with the objective of selling different types of products has become a prosperous business for botnet creators. Estimates from 2008 suggest that online pharmaceuticals earned up to 12,000 million dollars, over three times more than in the previous year. Thanks to this type of business, botnet owners can hire out their services to bulk email senders or take part directly in affiliate programs. Although the conversion rate of spam is relatively low, the colossal number of emails sent daily means that it has become a very profitable business.

-The economic cycle of pharmaceutical spam (Source: Damballa)-

-Percentage of spam in email traffic, 2013 (Source: securelist.com)-

Detection techniques

As a result of this situation, methods have been developed for security systems that aim to identify whether a computing environment is compromised by malware belonging to a spam-sending botnet, while reducing the amount of data that has to be analyzed.

A characteristic of spam campaigns executed by botnets is that their messages tend to follow a similar pattern or are even identical. Because of these similarities, the statistical analysis of different fields of an email, including the subject line and the body, can serve as an indicator in SMTP traffic to determine whether a given network is infected or not.
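The following is an added example, not code from the original article or from INCIBE, of how that similarity can be turned into a detector for outbound SMTP traffic. It normalizes the subject and body of each message so that the parts a spam template varies per recipient (URLs, order numbers, punctuation) collapse away, fingerprints the result as word bigrams, clusters near-identical messages by Jaccard similarity, and flags any cluster that was sent by several distinct internal hosts. The sample messages, hostnames and addresses are constructed for the example; the thresholds are assumptions that a real deployment would tune.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample of outbound SMTP messages observed at the network edge:
# (internal sender IP, Subject header, first lines of body).
# All hosts, domains and texts are invented for this example.
SAMPLE_MESSAGES = [
    ("10.0.1.15", "Cheap meds - order #48213",
     "Buy now at http://pharma-x.example/p/48213 lowest prices guaranteed"),
    ("10.0.1.22", "Cheap meds - order #77190",
     "Buy now at http://pharma-x.example/p/77190 lowest prices guaranteed"),
    ("10.0.2.8", "Cheap meds - order #10355",
     "Buy now at http://pharma-y.example/p/10355 best prices guaranteed!!"),
    ("10.0.3.41", "Cheap meds order #55512",
     "Buy now at http://pharma-x.example/p/55512 lowest prices guaranteed"),
    ("10.0.1.15", "Re: budget meeting",
     "Hi Ana, can we move the budget meeting to Thursday? Thanks"),
    ("10.0.2.8", "Q3 report draft",
     "Attached is the Q3 draft for review, comments welcome by Friday"),
    ("10.0.4.2", "Lunch?", "Anyone up for lunch at 13:00?"),
    ("10.0.4.2", "Re: Q3 report draft", "Looks good, a couple of comments inline"),
]


def normalize(text):
    """Collapse the parts a spam template varies per recipient (URLs, numbers,
    punctuation) so that messages from one campaign yield the same tokens."""
    text = text.lower()
    text = re.sub(r"https?://\S+", " url ", text)
    text = re.sub(r"\d+", " num ", text)
    text = re.sub(r"[^a-z ]+", " ", text)
    return text.split()


def shingles(tokens, n=2):
    """Set of word n-grams; bigrams are enough for short message bodies."""
    return {" ".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets, in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def message_fingerprint(subject, body):
    return shingles(normalize(subject + " " + body))


def cluster_messages(messages, threshold=0.5):
    """Single-linkage clustering: messages whose fingerprints overlap by at
    least `threshold` land in the same cluster (union-find over all pairs).
    O(n^2) is fine for a demo; a real pipeline would use MinHash/LSH."""
    fps = [message_fingerprint(subj, body) for _, subj, body in messages]
    parent = list(range(len(messages)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(messages)), 2):
        if jaccard(fps[i], fps[j]) >= threshold:
            parent[find(i)] = find(j)

    clusters = defaultdict(list)
    for idx in range(len(messages)):
        clusters[find(idx)].append(idx)
    return list(clusters.values())


def find_campaigns(messages, threshold=0.5, min_hosts=3):
    """Return clusters of near-identical messages sent by at least `min_hosts`
    distinct internal hosts: one template mailed from many machines is the
    signature of spam bots, not of a user or a single legitimate mail server."""
    campaigns = []
    for members in cluster_messages(messages, threshold):
        hosts = sorted({messages[i][0] for i in members})
        if len(hosts) >= min_hosts:
            campaigns.append({"messages": len(members), "hosts": hosts,
                              "example_subject": messages[members[0]][1]})
    return campaigns


if __name__ == "__main__":
    for c in find_campaigns(SAMPLE_MESSAGES):
        print(f"{c['messages']} near-identical messages from {len(c['hosts'])} "
              f"hosts {c['hosts']}, e.g. subject {c['example_subject']!r}")
```

On the constructed sample, the four "Cheap meds" messages cluster together even though their URLs, order numbers and one adjective differ, and the cluster spans four internal hosts, while the ordinary office mail stays in singleton clusters. The host-count condition is what distinguishes a campaign relayed by bots from a legitimate bulk mailing sent by one server.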

As indicated in ENISA's report, the use of tools such as spamtraps leads to more effective detection of spam. Spamtraps are email addresses created exclusively to receive unsolicited email. To be effective, these addresses must be advertised and registered on multiple sites such as internet forums, mailing lists, etc. Spamtraps are a type of honeypot but, in contrast to most honeypots, they must be advertised.

Some of the studies or proposals based on spam analysis for the detection and/or characterization of botnets are:

  • BotGraph: Large Scale Spamming Botnet Detection. BotGraph is a system for detecting botnets that attack major Web email providers. It detects suspicious activity by correlating botnet behaviour: it constructs large user-user graphs and looks for tightly connected subgraph components. This technique enables the identification of stealthy bot users that are hard to detect when viewed in isolation.
  • Detection of Spam Hosts and Spam Bots Using Network Flow Traffic Modeling introduces an approach to detecting spam hosts, spam bots and their corresponding C&C based on network flow data and DNS metadata. The proposal first builds traffic models of legitimate SMTP clients versus SMTP clients that act as spammers, and then classifies unknown SMTP clients by their distance to both models. A first phase identifies spam hosts using an entropy-based algorithm; these are then analyzed to determine their command-and-control.
  • Spamcraft: An Inside Look At Spam Campaign Orchestration, performs an analysis of the Storm botnet, describing its "modus operandi": gathering victims’ email addresses, email templates and modifications made, as well as the success rate of different types of campaigns.
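A simplified version of the user-user graph idea behind BotGraph, written as an added example for this post (it is not the BotGraph authors' code, nor INCIBE's). Web mail accounts controlled by a botnet tend to be logged into from the same pool of infected machines, so two accounts that share many source network prefixes are linked by a heavy edge; ordinary users behind a shared NAT or a coffee-shop network share at most one or two. Connected components of the graph, kept only above an edge-weight threshold, expose groups of accounts that look innocent one at a time. The login records, account names and IP addresses are constructed (documentation and shared-address ranges), and the /24 aggregation and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed sample of (account, login source IP) records for a web mail
# service. bot_* accounts are driven from the same few infected networks;
# alice/bob/carol are ordinary users behind one carrier NAT range.
SAMPLE_LOGINS = [
    ("bot_a", "192.0.2.10"), ("bot_a", "198.51.100.5"), ("bot_a", "203.0.113.7"),
    ("bot_b", "192.0.2.11"), ("bot_b", "198.51.100.9"), ("bot_b", "203.0.113.20"),
    ("bot_c", "192.0.2.30"), ("bot_c", "198.51.100.40"),
    ("bot_d", "198.51.100.41"), ("bot_d", "203.0.113.50"),
    ("alice", "100.64.1.5"), ("alice", "192.0.2.77"),   # one chance overlap with bots
    ("bob", "100.64.1.6"),
    ("carol", "100.64.1.7"), ("carol", "100.64.2.3"),
]


def ip_prefix(ip, bits=24):
    """Aggregate a source address to its /bits network (e.g. 192.0.2.10 -> 192.0.2.0/24)."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def build_user_graph(logins, bits=24):
    """Nodes are accounts; an edge between two accounts is weighted by the
    number of login prefixes they have in common."""
    prefixes_by_user = defaultdict(set)
    for user, ip in logins:
        prefixes_by_user[user].add(ip_prefix(ip, bits))
    edges = {}
    for u, v in combinations(sorted(prefixes_by_user), 2):
        shared = len(prefixes_by_user[u] & prefixes_by_user[v])
        if shared:
            edges[(u, v)] = shared
    return prefixes_by_user, edges


def connected_components(nodes, edges, min_weight):
    """Connected components after dropping edges lighter than `min_weight`."""
    adj = defaultdict(set)
    for (u, v), w in edges.items():
        if w >= min_weight:
            adj[u].add(v)
            adj[v].add(u)
    seen, components = set(), []
    for start in nodes:
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(adj[node] - seen)
        components.append(frozenset(component))
    return components


def suspicious_groups(logins, min_shared=2, min_users=3, bits=24):
    """Groups of at least `min_users` accounts tied together by edges of
    weight >= `min_shared`: candidates for bot-controlled account pools."""
    users, edges = build_user_graph(logins, bits)
    return [sorted(c) for c in connected_components(sorted(users), edges, min_shared)
            if len(c) >= min_users]


if __name__ == "__main__":
    for group in suspicious_groups(SAMPLE_LOGINS):
        print("suspicious account group:", group)
```

With the threshold at two shared prefixes the four bot accounts form one component and the three ordinary users remain isolated, even though alice shares one prefix with a bot. Lowering the threshold to one merges everyone into a single component, which illustrates why the edge weight, not mere co-occurrence, carries the signal.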

In summary, botnet detection through spam analysis on a network is a useful although limited technique, since not all botnets send spam as their main activity. What keeps this analysis useful is that sending spam is currently a way of monetizing these threats, so their creators can be expected to continue using it in the future. Therefore, as mentioned previously, this botnet detection technique is a method worth keeping in mind, but it must be complemented with other detection methods.