Over at the site V3.co.uk, they have an article up today alleging that since the Rustock takedown two weeks ago, the bagle botnet has moved to take over as the botnet that is responsible for sending the most spam. They have not replaced Rustock’s total spam volume, only that they are now the number one spam sending botnet. This is based upon data that comes from Symantec’s hosted mail filtering vendor, MessageLabs.

MessageLabs does very good work and while the data that they collect frequently reflects what I collect, in this case I see different results. I measure the worst offending botnets using three different metrics—by number of distinct IPs, by number of message envelopes (individual mail connections) and by number of total messages (one envelope can contain multiple messages if you specify multiple recipients in the RCPT TO). I also track total size of the message in bytes but I do not report on it here. Below are my statistics since the Rustock takedown:

The Number One Botnet by Distinct IPs (March 17 – March 28)

1. Lethic
2. Maazben
3. Grum
4. Cutwail
5. Bagle-cb
6. Bobax
7. Festi
8. Fivetoone
9. Xarvester
10. Darkmailer

The Number One Botnet by Total Message Envelopes (March 17—March 28)

1. Lethic
2. Darkmailer
3. Cutwail
4. Maazben
5. Grum
6. Bobax
7. Bagle-cb
8. Festi
9. Xarvester
10. Fivetoone

The Number One Botnet by Total Messages (March 17—March 28)

1. Lethic
2. Darkmailer
3. Cutwail
4. Maazben
5. Bobax
6. Grum
7. Bagle-cb
8. Festi
9. Donbot
10. Xarvester

The takeaway from this is that bagle is not the new Rustock (at least not from our data). Instead, that place is occupied by Lethic. In reality, Lethic never really left the number one position because it has always been number one in terms of the total number of spam messages it sends because it crams so much into each mail transaction whereas Rustock was merely a one-to-one type of spammer (one recipient per email transaction), but it sent the most number of individual mail transactions by a very wide margin (it also sent from the most distinct IPs).

So where is bagle? Back when I first started tracking this about a year and a half ago, Bagle regularly showed up in the top three. But now I’d say it’s closer to a middle of the road botnet and while it is substantial, by no means is it the worst or anywhere close to the worst. To put it in perspective, if I normalize this against the top 10 (by total envelopes), then for every 1 spam message that Xarvester sends, Bagle sends 6 and Lethic sends 185.

MessagesLabs and ourselves see different types of customers so obviously there is going to be some discrepancies between them and us. In addition, all of my traffic is on non-IP blocked traffic. I have always believed that what we see past the network edge is the same as what we see before it but I have never verified those assumptions.

But for now, the new number one is Lethic.