Full Disclosure mailing list archives

Re: the world of botnets article and wrong numbers


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 14 Sep 2006 17:46:39 +0400

Dear Toby McKay,

The number of 12000 is absolutely impossible. The actual number is much higher.

Let's look at the daily statistics for messages rejected as SPAM on my mail
system. Monthly statistics require too much information to be processed,
sorry.

On August, 13     150419 messages from 24244 unique IPs
On September, 12  160054 messages from 32882 unique  IPs
On September, 13  175573 messages from 35834 unique  IPs

New hosts between August, 13 and September, 13: 34952 (97%)
New hosts between September, 12 and September, 13: 27988 (78%)

Assuming the average lifetime of a spamming IP is higher than 1 day, we
can approximate the number of spamming IPs on the whole net during one day
as 150000 with 40% rotation within 1 week. That is 240000 new IPs every
month. The problem is, most of these IPs are dynamic. So, we have to
divide this number by the average number of IPs an infected host had during
the infection period. It's impossible to discover this number. My expert
estimate is 3-5. That is, we have 50000-80000 new spamming bots every month
with an average life of 2 weeks. Looks reasonable, but again it's taken
from nowhere. And we only counted bots used for spamming :)

--Thursday, September 14, 2006, 3:05:42 PM, you wrote to full-disclosure () lists grok org uk:

TM> hi guys
TM> i asked gadi on the botnets listserv where he got the number 12K for bots
TM> every month in his the world of botnets article [
TM> http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf] .. he gave
TM> no real answer.
TM> does that number sound right to anybody? where did you come up with it gadi?

TM> ./mcktoby


-- 
~/ZARAZA
You know my name - look up my number (Beatles)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
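
The estimate in the message above, worked through in code as an added example that is not part of the original message: it counts unique rejected-source IPs per day, measures day-to-day turnover the way the message's percentages are computed (new IPs as a share of the later day), and applies the 40% weekly rotation and the 3-5 addresses per host. The log format, sample lines and function names are assumptions.

```python
from collections import defaultdict

# Constructed sample: "<date> <client IP> <verdict>"; this log format is an assumption.
SAMPLE_LOG = """\
2006-09-12 192.0.2.10 REJECT
2006-09-12 192.0.2.10 REJECT
2006-09-12 192.0.2.11 REJECT
2006-09-12 198.51.100.7 REJECT
2006-09-12 203.0.113.5 ACCEPT
2006-09-13 192.0.2.10 REJECT
2006-09-13 198.51.100.8 REJECT
2006-09-13 198.51.100.9 REJECT
2006-09-13 203.0.113.77 REJECT
2006-09-13 not-a-valid-line
"""

def daily_sources(log_text):
    """Return {date: (rejected message count, set of unique source IPs)}."""
    counts, ips = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "REJECT":
            continue  # skip malformed lines and accepted mail
        counts[parts[0]] += 1
        ips[parts[0]].add(parts[1])
    return {day: (counts[day], ips[day]) for day in counts}

def new_hosts(earlier, later):
    """IPs seen on the later day but not the earlier one, and their share of the later day."""
    fresh = later - earlier
    return len(fresh), (len(fresh) / len(later) if later else 0.0)

def monthly_bot_estimate(daily_ips, weekly_rotation, ips_per_host, weeks=4):
    """New source IPs per month divided by the addresses one infected host is assumed to use."""
    new_ips_per_month = daily_ips * weekly_rotation * weeks
    return round(new_ips_per_month / ips_per_host)

if __name__ == "__main__":
    stats = daily_sources(SAMPLE_LOG)
    for day in sorted(stats):
        print(day, stats[day][0], "messages from", len(stats[day][1]), "unique IPs")
    fresh, share = new_hosts(stats["2006-09-12"][1], stats["2006-09-13"][1])
    print("new hosts:", fresh, f"({share:.0%})")
    # Figures from the message: 150000 IPs per day, 40% weekly rotation, 3-5 IPs per host.
    print(monthly_bot_estimate(150000, 0.4, 5), "-", monthly_bot_estimate(150000, 0.4, 3))
```

With the message's figures the function gives 48000 to 80000 bots per month, which the message states as 50000-80000.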

