E-mail spam, also known as unsolicited bulk E-mail or unsolicited commercial E-mail, is the practice of sending unwanted E-mail messages using Simple Mail Transfer Protocol (SMTP), frequently with commercial content in large quantities to an indiscriminate set of recipients.
Spammers sometimes employ compromised machines, called Botnet hosts (i.e., bots), to send spam E-mail to target destination domains. A botnet, or robot network, is a group of computers running an application that is controlled and manipulated only by its owner or by the software's source. Usually the computers are infected with a malicious kind of robot software which presents a security threat to unsuspecting computer owners. Once the robot software (also known as malicious software or malware) has been successfully installed on a computer, that computer becomes a zombie or drone, unable to resist the commands of the bot commander.
A botnet may be small or large depending on the complexity and sophistication of the bots used. A large botnet may be composed of ten thousand individual zombies. A small botnet, on the other hand, may be composed of only a thousand drones. Usually, the owners of the zombie computers do not know that their computers and their computers' resources are being remotely controlled and exploited by an individual or a group of malware runners through Internet Relay Chat (IRC).
There are various types of malicious bots that have already infected, and are continuing to infect, the Internet. Some bots have their own spreaders, the script that lets them infect other computers (this is the reason why some people call botnets computer viruses), while some smaller types of bots do not have such capabilities.
A botnet's originator (also known as a "bot herder") can control the group remotely, usually through IRC, and usually for nefarious purposes. Often the command-and-control takes place via an IRC server or a specific channel on a public IRC network. This server is known as the command-and-control server ("C&C"). Though rare, more experienced botnet operators program their own command protocols from scratch. The constituents of these protocols include a server program, a client program for operation, and the program that embeds itself on the victim's machine (the bot). All three usually communicate with each other over a network using a unique encryption scheme for stealth and for protection against detection or intrusion into the botnet network.
A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community. The process of stealing computing resources as a result of a system being joined to a “botnet” is sometimes referred to as “scrumping.”
Botnets have become a significant part of the Internet, albeit an increasingly hidden one. Because most conventional IRC networks have taken measures to block access to botnets they previously hosted, controllers must now find their own servers. Often, a botnet will include a variety of connections and network types. Sometimes a controller will hide an IRC server installation on an educational or corporate site where high-speed connections can support a large number of other bots.
A botnet can also be used to take advantage of an infected computer's SOCKS proxy protocol, carried over TCP/IP, for networking applications. After compromising a computer, the botnet commander can use the infected unit (a zombie) in conjunction with other zombies in the botnet (robot network) to harvest E-mail addresses or to send massive amounts of spam or phishing mail.
When a botnet is used to send E-mail spam, the botnet operator first sends out viruses or worms whose payload is a malicious application, the bot, infecting ordinary users' computers. The bot then logs into a particular C&C server (often an IRC server, but in some cases a web server) to receive instructions. A spammer purchases access to the botnet from the operator. The spammer then sends its instructions via the IRC server to the infected PCs, causing them to send out spam messages to mail servers.
The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most “high-quality” infected machines, like university, corporate, and even government machines.
Although bots may also reside within a common address block (due to unclean networks), such hosts do not necessarily all submit E-mail spam at the same point in time, so at any given instant only some of the address block's members will be submitting E-mail spam.
Alternatively, E-mail spammers can relay spam E-mail through a Spam Farm (i.e., hosts that are devoted solely to sending E-mail spam). The Spam Farm utilizes Mail Transfer Agents (MTAs) called open relays, which accept responsibility for delivering E-mail from unauthenticated IP hosts. Because the open relay, rather than the original sender, connects to the receiving MTA, it is the open relay that the receiving MTA authenticates and authorizes to submit mail. Additionally, a Spam Farm can have custom MTA software installed on its machines and initiate spam E-mail directly.
Spam Farmers may reside within a common address block and submit E-mail continuously, with all Farmers participating in the submission. Thus, at any given time, all SMTP clients within the address block will be submitting spam E-mail at the same traffic volume. It is important to note that spam farmers are not involved in any activities other than sending spam and are therefore much less of a security risk than a member of a Bot network.
Therefore, for security purposes there is a need to distinguish E-mail spammers that are not Botnet members (e.g., spammers who are members of a Spam Farm) from E-mail spammers that are Botnet members.
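As an added illustration of the distinction drawn above (not part of the original text), the following Python classifies a source address block from constructed SMTP submission records: a block whose every host submits in every time window at a similar volume matches the Spam Farm pattern, while a block whose members submit sporadically, never all at once, matches the Botnet pattern. The window size, the volume-variation threshold and all addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample: (unix_time, source_ip) of SMTP submissions seen by a
# receiving MTA. 203.0.113.0/24 models a Spam Farm (every host active in every
# window at a similar rate); 198.51.100.0/24 models bot-infested address space
# (two hosts drawn from .1-.9 per window, at varying rates). TEST-NET ranges.
SUBMISSIONS = []
for window in range(6):  # six 10-minute windows
    base = window * 600
    for host in range(1, 5):  # farm: hosts .1-.4 send 20 messages each window
        SUBMISSIONS += [(base + i * 30, f"203.0.113.{host}") for i in range(20)]
    for host in [1 + ((window * 3 + k) % 9) for k in range(2)]:  # bots
        SUBMISSIONS += [(base + i * 60, f"198.51.100.{host}") for i in range(window + 1)]

def window_activity(submissions, block, window_secs=600):
    """Per time window, map each source IP inside `block` to its submission count."""
    net = ip_network(block)
    activity = defaultdict(lambda: defaultdict(int))
    for ts, ip in submissions:
        if ip_address(ip) in net:
            activity[ts // window_secs][ip] += 1
    return activity

def classify_block(submissions, block, window_secs=600, max_cv=0.25):
    """Label a block 'spam_farm' when every host ever seen in it submits in every
    window and per-host volumes are similar (low coefficient of variation);
    otherwise 'botnet'. max_cv is an assumed threshold, not a published value."""
    activity = window_activity(submissions, block, window_secs)
    if not activity:
        return {"block": block, "label": "inactive", "hosts": 0, "windows": 0}
    hosts = set().union(*(w.keys() for w in activity.values()))
    # Share of the block's known hosts active in each window (1.0 = all of them)
    participation = [len(w) / len(hosts) for w in activity.values()]
    counts = [c for w in activity.values() for c in w.values()]
    cv = pstdev(counts) / mean(counts)
    farm = min(participation) == 1.0 and cv <= max_cv
    return {"block": block, "label": "spam_farm" if farm else "botnet",
            "hosts": len(hosts), "windows": len(activity),
            "min_participation": round(min(participation), 2),
            "volume_cv": round(cv, 2)}

if __name__ == "__main__":
    for blk in ("203.0.113.0/24", "198.51.100.0/24", "192.0.2.0/24"):
        print(classify_block(SUBMISSIONS, blk))
```

On real MTA logs the same two signals, participation of the block's hosts per window and variation in per-host volume, can be fed from connection records instead of the constructed list.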