On the difficulty of counting spam sources

A great deal of spam comes from botnets and there is considerable interest in arranging for the bots (the compromised machines) to be made secure. In practice, the owner of the compromised machine can only be contacted via their ISP, and their helpfulness is known to vary. This variation has led to attempts to count the bots on particular networks and thereby assess the ISP’s reputation. This paper presents a model for bot incidence and explains the measurement difficulties that arise from not only from the ebb and flow of botnet membership, but also from the dynamic nature of the spam sending, and the use of dynamic IP addresses. It then considers three months of data (several million emails) sent from a very large O(10) ISP to a medium size O(10) ISP and attempts to calculate the daily incidence of spamsending bots at the large ISP. The wide disparity between the estimates of the upper and lower bounds was predictable from the model, and suggests that reputation values should only be considered to be rough approximations.