What were they thinking? It’s a natural question to ask. There are scientists and then there are mad scientists, so you might be forgiven for reading this headline and assuming that we’re speaking of the latter; but things are never quite that simple, and for a group of researchers at the University of California at Santa Barbara, finding out what makes a spam campaign tick like a well-maintained clock has a deeper purpose.
According to The Register, a group of researchers, including PhD and Yahoo! contractor Gianluca Stringhini, studied spam’s inner workings and the methodology behind successful spamming campaigns. Of particular interest to the researchers was the relationship between email harvesters, botmasters, and spammers. It goes like this: cybercriminals (spammers) purchase email lists and bot services from vendors, who provide manuals that spell out how spam can most effectively be dumped into inboxes.
Turns out, though, that you get what you pay for…er, or in this case, maybe you don’t. According to El Reg, “Research by Stringhini and others found that spammers could significantly improve their campaigns by largely ignoring the manuals’ recommendations and instead using a series of mathematical models they published.” What they found was that the mathematical model provided in the manual for Cutwail was flawed, and perhaps the model was only provided to “prop up the technical chops of the writer for ‘marketing’ purposes.”
Stringhini co-authored a paper with his fellow researchers, entitled “The Tricks of the Trade: What Makes Spam Campaigns Successful?” and in it, the scientists pooh-pooh the usefulness of the provided manuals, suggesting that they’re “of little if any help for spammers.”
The paper examines Cutwail’s manual, which provides guidelines that “fall into three categories: those that apply to the message contained in the emails, those that refer to the email database management, and those that apply to the technical settings.” Put together, these instructions are meant to be a roadmap to making our lives a living hell of spam. For example, Cutwail’s creators have “estimated that having 1,000 bots online at the same time generates a good throughput of emails, and that for the best delivery performance the number should be between 2,000 and 3,000 online bots.” The manual also points out that “The botnet creators claim that other malware installers tend to download different malware alongside the Cutwail bots, and that this affects the bandwidth available to the bot and, therefore, the bulk quality.” And we feel so badly for them.
The scientists propose an alternative model. “The Cutwail manual includes an extensive mathematical analysis of the botnet operation and the spam delivery process, and it provides spammers with guidelines on how to dimension their botnet and their bulks to obtain optimal delivery results.” The model looks interesting, the scientists note, “however, after studying it we found out that the model is invalid. It is possible that it was included to make the work of the botmaster look more professional and trustworthy.”
They get into the math after that, and that’s where you might get a little lost, but the point is that there’s a whole lot going on under the hood to get those nasty spam messages to your inboxes.
The scientists conclude that using their model, spammers can get a lot more bang for their buck. “Experience seems to be what matters most for a spammer, and by manually tuning a botnet parameters a cybercriminal can dramatically increase the outcome of his spam operations.”
So spammers might want to tweak their settings, as it were. The most interesting result, the scientists say, “is that the location of the bots does not influence the success of a spam campaign. A consequence of this is that the prices of malware infections that are offered in the underground market are inflated, since there is no advantage for a cybercriminal to purchase the most expensive bots and have them sending spam.”
But why point out that their methods might be flawed? Well, the researchers plan to use what they learned to develop techniques for fighting spam. As one example, they note that since “successful spammers will have their bots retrying multiple times after receiving an error, one could leverage previous work to identify a spambot and keep sending them errors until they give up. This would decrease the performance of a bulk, because bots would keep connecting to a certain server instead of sending emails to other victims.”
We’re okay with that. Keep up the good work.