Conservative estimates indicate that well over half of all emails sent worldwide are spam emails. In the United States alone, it has been determined that spam email cost organizations more than $13 billion in 2007, including lost productivity and the additional equipment, software, and manpower needed to combat spam email. One factor exacerbating the problem is the ability of spammers to create and use “botnets.” Botnets are networks of zombie computers that have been infected with malicious code (a bot) allowing a spammer to send spam through these bot host computers, unknown to the computer owners.
Recently, a particularly malicious botnet spamming method has evolved, in which spammers use a botnet to sign up large numbers of user accounts (bot-user accounts) on public webmail services such as the Hotmail® web-based e-mail service. While security protocols, such as CAPTCHA, exist to prevent this practice, spammers are becoming more sophisticated in their methods to defeat such security protocols. As one example, a large number of bots are used to sign up a large number of fake bot-user email accounts. These bots retrieve the signup forms and pass the CAPTCHA (usually an image or audio file) back to a central server. This central server is connected to a number of CAPTCHA solvers, which may be human beings and/or automated CAPTCHA breakers. The solution of the CAPTCHA, once found, is sent back to the corresponding bot, which then fills in the signup form and finishes the signup. Trojan.Spammer.HotLan, discovered by BitDefender, is one example of a typical worm for email account signup.
Once created, these bot-user accounts are then used by spammers to send out large numbers of spam emails. Using this method, millions of fake email accounts have been created during a short period, and then these bot-user accounts have been used to send out billions of spam emails.
Detecting and defending against this new type of attack has been challenging. Bot-users send spam emails through legitimate Web email providers, making the widely used mail-server reputation-based approach to spam detection ineffective. Furthermore, bot-users share computers with legitimate users, making it difficult to detect them individually. The problem is made even harder by the fact that the spammers are using an entire botnet of bot-user accounts, so no single account sends out a high volume of spam.