Anti-Spam Router -- opinions?

Joe St Sauver JOE at OREGON.UOREGON.EDU
Tue Apr 6 17:27:34 UTC 2004


Hi,

#Let's assume that 75% of spam is sent via hijacked zombie machines.  This
#would mean that to get 7.5 billion spams/day at 20 msgs/day/zombie,
#you'd need several hundred million compromised machines.  

20 messages/day/zombie is way too low an estimate (by multiple orders of 
magnitude). 

#And even though the average machine is woefully insecure, there's not THAT 
#many zombies.

I'm currently tracking right around 2.5 million listed open proxies/spam
zombies. Data I'm receiving from typical mid sized ISPs includes 300K or
so unique blocked dotted quads/week, of which maybe half are listed on one
or more of the open proxy/spam zombie DNSBLs I track. So take the number
from that you like best:

-- 2.5 million listed open hosts
-- 300K unique blocked dotted quads/week
-- 150K or so of those unique blocked dotted quads which are listed on DNSBLs

I see no indication that the number of compromised hosts seen per week is
decreasing, and of course, because compromised hosts are not getting cleaned
and taken off the air in many cases, the total pool of compromised hosts is
steadily increasing. (And those "old timer"/"well known" compromised hosts,
while blocked from sending email to most sites that use DNSBLs, still
represent a source of potential attack traffic, etc.)

#On the other hand, 20K msgs/day/zombie is only about 1 every 4 seconds,
#not enough to make the average cablemodem user notice - and reduces the
#number of zombies down to several million - a much more plausible number.

As a lower bound, assume modem-like throughput of 40Kbps, and typical spam
message size of what, maybe 5K? That would amount to a message a second,
or 86,400/day/host assuming an around-the-clock uniform distribution
(probably not a valid assumption, but then again, upstream throughput 
from broadband connected hosts will generally exceed 40Kbps).

If you wanted to deliver 7,500,000,000 pieces of spam a day at that
rate, that would imply use of order(~100,000) freshly compromised hosts at 
any given time, a figure which I find quite plausible/conservative/consistent
with the data I'm seeing. (And in fact, you can model the release of new
virii/worms (intended to create new batches of compromised hosts) based on 
compromised host "harvest requirements," just like forecasting the demand 
for soybeans or steel or any other commodity)

Spam's a big business, and compromised hosts are a fundamental input
which is being efficiently supplied by the market as far as I can tell.

Regards,

Joe
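
The capacity estimate in the post above, worked through as an added example (this is not Joe's code or anything from the thread). It takes the post's stated inputs (7.5 billion messages/day, a 40 Kbps upstream link, a ~5 KB message, 24x7 sending) and computes the number of concurrently active compromised hosts that volume implies, then repeats the calculation for the 20/day and 20K/day per-host rates the thread argues over. The `duty_cycle` parameter is an assumption added here to relax the around-the-clock uniform-distribution assumption the post itself flags as probably invalid; 5 KB is taken as 5,000 bytes so the link-limited rate matches the post's "message a second".

```python
"""Botnet capacity model: how many compromised hosts a given daily spam
volume implies, as a function of the per-host sending rate.

Constructed illustration of the estimate in the post; not the poster's
own code. Link speed, message size and total volume are the post's
stated assumptions; duty_cycle is a knob added here.
"""
import math

SECONDS_PER_DAY = 86_400


def msgs_per_second(upstream_kbps: float, msg_size_bytes: int) -> float:
    """Messages per second one host can push through its upstream link.

    kbps means kilobits per second (1 kbps = 1000 bit/s), so divide by 8
    to get bytes/s before dividing by the message size.
    """
    if upstream_kbps <= 0 or msg_size_bytes <= 0:
        raise ValueError("link speed and message size must be positive")
    bytes_per_second = upstream_kbps * 1000 / 8
    return bytes_per_second / msg_size_bytes


def msgs_per_day_per_host(upstream_kbps: float, msg_size_bytes: int,
                          duty_cycle: float = 1.0) -> float:
    """Daily output of one host.

    duty_cycle is the fraction of the day the host is actually sending;
    1.0 reproduces the post's around-the-clock uniform assumption.
    """
    if not 0 < duty_cycle <= 1:
        raise ValueError("duty_cycle must be in (0, 1]")
    return (msgs_per_second(upstream_kbps, msg_size_bytes)
            * SECONDS_PER_DAY * duty_cycle)


def hosts_required(total_msgs_per_day: float, per_host_per_day: float) -> int:
    """Concurrently active compromised hosts needed to deliver
    total_msgs_per_day at the given per-host daily rate, rounded up."""
    if per_host_per_day <= 0:
        raise ValueError("per-host rate must be positive")
    return math.ceil(total_msgs_per_day / per_host_per_day)


def scenario_table(total_msgs_per_day: float = 7_500_000_000) -> dict:
    """The per-host rates argued in the thread, plus the link-limited bound
    (40 Kbps upstream, 5,000-byte message, sending 24x7 -> 86,400/day)."""
    link_bound = msgs_per_day_per_host(40, 5000)
    rates = {
        "20/day (quoted estimate)": 20,
        "20K/day (quoted counter-estimate)": 20_000,
        "link-limited 40Kbps/5KB, 24x7": link_bound,
        # Constructed variant: same link, but sending only 8 hours a day.
        "link-limited 40Kbps/5KB, 1/3 duty cycle": msgs_per_day_per_host(
            40, 5000, duty_cycle=1 / 3),
    }
    return {label: hosts_required(total_msgs_per_day, r)
            for label, r in rates.items()}


if __name__ == "__main__":
    for label, hosts in scenario_table().items():
        print(f"{label:42s} -> {hosts:>12,} hosts")
```

Running it prints the host counts side by side; the point the thread is making is visible in the spread: the same 7.5 billion/day needs several hundred million hosts at 20/day, a few hundred thousand at 20K/day, and under 100,000 at the link-limited rate.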
