Spammers continue to suffer from “premature disconnection”

By Ken Simpson | 2 minute read

Today we compiled a graph showing the effectiveness of traffic shaping against botnet spam traffic. The graph above shows how long it took for different spambots to disconnect when they were trying to deliver mail to one of our large customers. This customer slows down traffic from any host listed on the Spamhaus Zen RBL, so this data represents a fairly pure profile of how spam sources behave when their traffic is shaped.

What does this all mean?

Spammers continue to rely on the timely delivery of tens of millions of email messages to make a profit from their spamming activity. If a spam bot (i.e. spam-sending software) encounters a mail server that won’t take its mail quickly, the profit from that receiver is vastly reduced. It makes more sense to spam someone who will at least receive a message quickly, even if that message will later be discarded with 99% certainty.

Identifying botnets by how long they last on a slow connection

For extra credit, we cross-referenced hosts in each of the “disconnect spikes” in the above diagram with the excellent database of spam sources maintained by the CBL (Composite Block List) and found that each spike corresponds with particular spambot software. For instance, members of the climbot botnet invariably disconnect at the 100 second mark, whereas rustock hosts only last 21 seconds.

Could this mean that rustock suffers from premature disconnection?
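
The spike analysis described above can be sketched as follows. This is an added example, not code from the original post or from the author's product: it buckets how long throttled sessions lasted, keeps the seconds at which several distinct hosts gave up, and labels them using only the two timeouts stated in the post. The function names, the three-host threshold, the one-second tolerance and the sample sessions are assumptions made for illustration.

```python
# Disconnect times stated in the post (seconds); any other spike is unlabelled.
KNOWN_TIMEOUTS = {100: "climbot", 21: "rustock"}

# Constructed sample: (client_ip, seconds the throttled session lasted).
# Addresses come from documentation ranges; durations are made up.
SAMPLE_SESSIONS = [
    ("192.0.2.10", 21.2), ("192.0.2.11", 20.8), ("192.0.2.12", 21.0),
    ("192.0.2.13", 21.4), ("198.51.100.5", 100.1), ("198.51.100.6", 99.7),
    ("198.51.100.7", 100.3), ("203.0.113.1", 37.0), ("203.0.113.2", 212.6),
    ("203.0.113.3", 64.9), ("203.0.113.4", 45.2), ("203.0.113.4", 45.0),
    ("203.0.113.6", 44.9),
]


def find_spikes(sessions, min_hosts=3):
    """Bucket durations to the nearest second and return the buckets in which
    at least `min_hosts` distinct hosts disconnected, as {second: set_of_ips}.
    Counting hosts, not sessions, stops one retrying client faking a spike."""
    buckets = {}
    for ip, duration in sessions:
        buckets.setdefault(round(duration), set()).add(ip)
    return {sec: ips for sec, ips in buckets.items() if len(ips) >= min_hosts}


def label_spikes(spikes, tolerance=1):
    """Name each spike whose second lies within `tolerance` of a known
    timeout; every other spike is labelled 'unknown'."""
    labelled = {}
    for sec, ips in sorted(spikes.items()):
        family = next((name for t, name in KNOWN_TIMEOUTS.items()
                       if abs(sec - t) <= tolerance), "unknown")
        labelled[sec] = (family, sorted(ips))
    return labelled


if __name__ == "__main__":
    for sec, (family, ips) in label_spikes(find_spikes(SAMPLE_SESSIONS)).items():
        print(f"{sec:>4}s  {family:<8} {len(ips)} hosts  {', '.join(ips)}")
```

A spike labelled "unknown" is a candidate for the same cross-referencing against an external source list that the post describes.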