How Botnets Send Spam (In Layman's Terms)

This article comes from a mysterious guest author, who wishes to remain anonymous. The author is heavily involved with the Messaging, Mobile & Malware Anti-Abuse Working Group (M3AAWG), and has a number of botnet related papers to his name. Thank you, Mr/Mrs. Anonymous.

Spammers would like to spam directly from their own systems, but when they do that, Spamhaus quickly notices and blocklists those addresses, making it impossible for them to deliver mail from the blocklisted IP address.

What is the determined spammer to do? Answer: they’ll reroute their outbound spam through someone else’s address space. That way, it’s someone else who ends up with a blocklisted IP address, not them, and the outbound spam will look like it’s coming from somewhere else, thereby hindering backtracking and punishment by the authorities. But how to do this?

Most systems don’t ship in a way that will let random 3rd parties route mail through them (although obviously at one point, many systems did ship as promiscuous open relays, accepting email from anyone anywhere and routing it to anyone anywhere).

These days, if you want someone else’s computer to accept and route random email for you, you need to add software to the system to intentionally make it abusable in useful ways.

But who’d KNOWINGLY let you screw up their system this way? Answer: no one. So spammers need to be sneaky. They use malicious software (what most people think of as “computer viruses”) to intentionally misconfigure an innocent person’s computer so that they can surreptitiously abuse it.

The spammer gets that software on an innocent person’s computer in many different ways. Maybe they drop it on you via email, or drop the malware when you visit a tainted web page, or you download a “free game” that turns out to have malware as well.

The bad guy now has an inventory of compromised systems that they can use. But, it isn’t very efficient to just use one at a time. If they can use many compromised systems in parallel, they can really hose some spam out there in volume, right? Suddenly they may be able to send spam from hundreds or even thousands of systems at once. When they do that, those compromised systems are normally referred to as bots, and the guy operating that network of botted systems is called a “botmaster.”

The botted systems periodically check in with one of the botmaster’s web site for instructions every so often or listen on IRC, Twitter, or other one-to-many communication channels for work to do. At that point, like an army of mindless zombies, once the botmaster tells them what they’re to do, they unthinkingly execute those tasks.

Combatting the bots can happen at many different levels. Systems seen to be spewing outbound spam can be identified, and then hopefully cleaned up by their owners. Network operators can use intrusion detection systems to spot anomalous traffic on their network, and then block access to the command and control servers that would like to give the local botted hosts stuff to do. And there are many other techniques that can also be used to tackle these guys, including things as simple as requiring all outbound email from customer systems to be sent via the provider’s official email servers, where the ISP can scrutinize it and automatically block any spam.


Related articles:

Need help securing your hosting company against spammers?