Home / Blogs

Who Has Taken Over As the Most Prolific Botnet Since Rustock Was Taken Down?

Over at the site V3.co.uk, they have an article up today alleging that since the Rustock takedown two weeks ago, the bagle botnet has moved to take over as the botnet that is responsible for sending the most spam. They have not replaced Rustock’s total spam volume, only that they are now the number one spam sending botnet. This is based upon data that comes from Symantec’s hosted mail filtering vendor, MessageLabs.

MessageLabs does very good work and while the data that they collect frequently reflects what I collect, in this case I see different results. I measure the worst offending botnets using three different metrics—by number of distinct IPs, by number of message envelopes (individual mail connections) and by number of total messages (one envelope can contain multiple messages if you specify multiple recipients in the RCPT TO). I also track total size of the message in bytes but I do not report on it here. Below are my statistics since the Rustock takedown:

The Number One Botnet by Distinct IPs (March 17 – March 28)

  1. Lethic
  2. Maazben
  3. Grum
  4. Cutwail
  5. Bagle-cb
  6. Bobax
  7. Festi
  8. Fivetoone
  9. Xarvester
  10. Darkmailer

The Number One Botnet by Total Message Envelopes (March 17—March 28)

  1. Lethic
  2. Darkmailer
  3. Cutwail
  4. Maazben
  5. Grum
  6. Bobax
  7. Bagle-cb
  8. Festi
  9. Xarvester
  10. Fivetoone

The Number One Botnet by Total Messages (March 17—March 28)

  1. Lethic
  2. Darkmailer
  3. Cutwail
  4. Maazben
  5. Bobax
  6. Grum
  7. Bagle-cb
  8. Festi
  9. Donbot
  10. Xarvester

The takeaway from this is that bagle is not the new Rustock (at least not from our data). Instead, that place is occupied by Lethic. In reality, Lethic never really left the number one position because it has always been number one in terms of the total number of spam messages it sends because it crams so much into each mail transaction whereas Rustock was merely a one-to-one type of spammer (one recipient per email transaction), but it sent the most number of individual mail transactions by a very wide margin (it also sent from the most distinct IPs).

So where is bagle? Back when I first started tracking this about a year and a half ago, Bagle regularly showed up in the top three. But now I’d say it’s closer to a middle of the road botnet and while it is substantial, by no means is it the worst or anywhere close to the worst. To put it in perspective, if I normalize this against the top 10 (by total envelopes), then for every 1 spam message that Xarvester sends, Bagle sends 6 and Lethic sends 185.

MessagesLabs and ourselves see different types of customers so obviously there is going to be some discrepancies between them and us. In addition, all of my traffic is on non-IP blocked traffic. I have always believed that what we see past the network edge is the same as what we see before it but I have never verified those assumptions.

But for now, the new number one is Lethic.

By Terry Zink, Program Manager

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC


Sponsored byVerisign

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global