Botnet Spam Rankings: Holding Steady

By Ken Simpson

I read with interest Terry Zink’s latest blog post concerning the distribution of botnets since the Rustock botnet was taken down some time ago. According to Terry, specific countries play host to specific botnets. So when the Rustock botnet was taken down, some countries experienced a dramatic reduction in their spam emanation, while others saw almost no change.

Since late last year, I have been keeping track of (on a daily basis) the number of IP addresses listed on the Composite Blocking List (CBL – this is the main component of Spamhaus’s widely used XBL list) for the absolute worst offenders on this list. I scrape my data from a helpful page the CBL maintains and then use Microsoft Excel to compile it into the pretty picture shown above.

If we chart the same data using a cumulative area graph (rather than a percentage-based graph like the one shown above), we can see how the total number of CBL blocklistings from these networks has fluctuated over the same time period:

Some interesting findings:

- India and Vietnam still have a huge share of the CBL, and this share seems to be holding very steady.
- asianet.co.th (True Internet) has done something to clean up its act. While it is still one of the largest sources of botnet spam, its share has plunged from 3% to nearly nothing. On the CBL, it is now ranked #97 – down from #10 several weeks ago.
- The overall stability of the relative CBL blocklist counts indicates that even though Rustock may have reduced global spam volume, the distribution of hosts infected with some kind of spamming bot remained fairly steady.
- The cumulative graph shows some variation, but clearly there has not been a fall in spam host infections – at least, not in these “top” networks.

Here’s something worth considering: If the networks listed here installed outbound spam filtering technology, the number of blocklist entries in the CBL would drop by more than 50%. To make an impact of that scale on the global spam problem by cleaning up botnet infections on all the other networks in the world, one would need to deploy outbound spam filtering on more than 12,000 different networks! Clearly we should all focus on these “dirty 43”.