<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Spam Cryer &#187; Botnets</title>
	<atom:link href="http://www.thespamcryer.com/category/botnets/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.thespamcryer.com</link>
	<description>Intelligent Discussion on Anti-Spam</description>
	<lastBuildDate>Wed, 01 Sep 2010 15:58:31 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>PushDo Botnet Crippled by Researchers</title>
		<link>http://www.thespamcryer.com/pushdo-botnet-crippled-by-researchers/</link>
		<comments>http://www.thespamcryer.com/pushdo-botnet-crippled-by-researchers/#comments</comments>
		<pubDate>Tue, 31 Aug 2010 21:01:05 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-Spam]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[CudaMail]]></category>
		<category><![CDATA[Pushdo]]></category>

		<guid isPermaLink="false">http://www.thespamcryer.com/?p=366</guid>
		<description><![CDATA[Researchers have made a huge dent in a major variant of the Pushdo botnet, virtually crippling the network by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet.]]></description>
			<content:encoded><![CDATA[<p>There has recently been a huge win against the PushDo botnet by researchers, who have severely crippled the network.  The article below is from ThreatPost, and there&#8217;s a link to the full article at the end of this post.</p>
<p>Researchers have made a huge dent in a major variant of the Pushdo botnet, virtually crippling the network by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet.</p>
<p>Pushdo for years has been one of the major producers of spam and other malicious activity, and researchers have been monitoring the botnet and looking for ways to do some damage to it since at least 2007. Now, <a rel="nofollow" href="http://blog.tllod.com/2010/08/26/insights-into-the-pushdocutwail-infrastructure/" target="_blank">researchers at Last Line of Defense</a>, a security intelligence firm, have made some serious progress in crushing the botnet&#8217;s spam operations.</p>
<p>After doing an analysis of Pushdo&#8217;s command-and-control infrastructure, the researchers identified about 30 servers that were serving as C&amp;C machines for a variant of the botnet. Working with the hosting providers who maintained the servers in question, the LLOD researchers were able to get 20 of the C&amp;C servers taken offline, the company said.</p>
<h3>Recommended Reads</h3>
<ul>
<li><a class="active" rel="nofollow" href="http://threatpost.com/en_us/blogs/researchers-cripple-pushdo-botnet-082710" target="_blank">Researchers Cripple Pushdo Botnet</a></li>
<li><a rel="nofollow" href="http://threatpost.com/en_us/blogs/new-storm-botnet-variant-making-spam-042710" target="_blank">New Storm Botnet Variant Making Spam</a></li>
<li><a rel="nofollow" href="http://threatpost.com/en_us/blogs/where-are-we-one-year-after-mccolo-shutdown-110609" target="_blank">Where Are We A Year After McColo Shutdown?</a></li>
</ul>
<p>&#8220;We identified a total of <strong>30 servers</strong> used as part of the Pushdo/Cutwail infrastructure, located at eight different hosting providers all over the world. The information about the activity was extracted from <a class="ext" href="https://anubis.iseclab.org/?action=result&amp;task_id=13513f50415cd43c4d933d25cbd6ec883" target="_blank">Anubis</a> <a class="ext" rel="nofollow" href="https://anubis.iseclab.org/?action=result&amp;task_id=1efe45e60d980fe34cd75258aa1174bf9" target="_blank">reports</a>, which contain details about the system and network activities, including a pcap file that contains the network traffic we observed while doing the analysis. We contacted all hosting providers and worked with them on taking down the machines, which led to the <em>take-down of almost 20 servers</em>. Unfortunately, not all providers were responsive and thus several Command &amp; Control servers are still online at this point,&#8221; researcher Thorsten Holz wrote.</p>
<p>The result is that the volume of spam that Pushdo is producing has dropped to nearly zero.</p>
<p style="text-align: center;"><img src="http://www.thespamcryer.com/images/pushdo_stats.img_assist_custom-350x224.png" alt="" width="349" height="224" /></p>
<p>At the time of Pushdo&#8217;s appearance several years ago, researchers found evidence that Pushdo&#8217;s creators had gone to some lengths to avoid detection and prevent removal of the malware associated with the botnet. The creators had changed the way that Pushdo made HTTP requests, creating overly long GET requests to make them less identifiable.</p>
<p>&#8220;The length of the request will likely change between different service pack levels of Windows. IDS/IPS signatures can still be written around such a request, taking advantage of the fact that no other HTTP headers are sent as one characteristic to key in on. However, even with this approach, false positives may still occur,&#8221; SecureWorks researcher Joe Stewart wrote in an analysis in 2007. &#8220;Clearly the author of Pushdo is intent on evading detection for as long as possible, in order to have the maximum amount of time to seed Cutwail spambots into the wild.&#8221;</p>
<p>One of the interesting aspects of the original version of Pushdo is that its creator was using it not just to send spam, but also to spread other pieces of malware. This has become a more common business model in recent years as bot herders have looked for new ways to make money from the millions of compromised PCs under their control.</p>
<p>The original post is available at <a rel="nofollow" href="http://threatpost.com/en_us/blogs/researchers-cripple-pushdo-botnet-082710" target="_blank">ThreatPost</a></p>
<p><em>Spam volume graph from <a class="ext" rel="nofollow" href="http://labs.m86security.com/2010/08/pushdo-spambot-crippled/" target="_blank">M86 Security Labs</a>. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.thespamcryer.com/pushdo-botnet-crippled-by-researchers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Millions Continue to Click on Spam</title>
		<link>http://www.thespamcryer.com/millions-continue-to-click-on-spam/</link>
		<comments>http://www.thespamcryer.com/millions-continue-to-click-on-spam/#comments</comments>
		<pubDate>Fri, 26 Mar 2010 23:26:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-Spam]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[CudaMail]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.thespamcryer.com/?p=274</guid>
		<description><![CDATA[Consumers Don’t Relate Bot Infections to Risky Behavior As Millions Continue to Click on Spam]]></description>
			<content:encoded><![CDATA[<p>This is an interesting article from MAAWG that talks about the fact that consumers are still clicking on spam and conducting risky behaviour, despite knowing the danger of malware, spam and botnets. We here at <a title="CudaMail Managed Spam and Virus Filtering Service" href="http://www.CudaMail.com">CudaMail</a> haven&#8217;t seen any reduction in the volume of spam &#8211; in fact, it&#8217;s been increasing!</p>
<p><strong>The Article:</strong></p>
<h1 style="color: black;">Consumers Don’t Relate Bot Infections to Risky Behavior As Millions Continue to Click on Spam</h1>
<p><strong><em>San Francisco, March 24, 2010 –</em></strong> A significant percentage of consumers continue to interact with spam despite their awareness of how bots and viruses spread through risky email behavior, according to the Messaging Anti-Abuse Working Group (MAAWG) based on a new survey it released today covering North America and Western Europe. Even though over eighty percent of email users are aware of the existence of bots, tens of millions respond to spam in ways that could leave them vulnerable to a malware infection, according to the 2010 MAAWG Email Security Awareness and Usage Survey.</p>
<p>In the new survey, half of users said they had opened spam, clicked on a link in spam, opened a spam attachment, replied or forwarded it – activities that leave consumers susceptible to fraud, phishing, identity theft and infection. While most consumers said they were aware of the existence of bots, only one-third believed they were vulnerable to an infection.</p>
<p>“Consumers need to understand they are not powerless bystanders. They can play a key role in standing up to spammers by not engaging and just marking their emails as junk,” said Michael O’Reirdan, MAAWG chairman. “When consumers respond to spam or click on links in junk mail, they often set themselves up for fraud or to have their computers compromised by criminals who use them to deliver more spam, spread viruses and launch cyber attacks,” O’Reirdan said. The research findings on awareness of bots, email security practices, and attitudes toward controlling spam were generally consistent with the first MAAWG consumer survey in 2009 covering North America.</p>
<p>The new 2010 survey was expanded to cover Western Europe and looks at consumers’ attitudes in Canada, France, Germany, Spain, the United Kingdom and the United States.</p>
<p><strong>It Won’t Happen to Me Syndrome</strong></p>
<p>Less than half of the consumers surveyed saw themselves as the entity who should be most responsible for stopping the spread of viruses. Yet, only 36% of consumers believe they might get a virus and 46% of those who opened spam did so intentionally. This is a problem because spam is one of the most common vehicles for spreading bots and viruses. The malware is often unknowingly installed on users’ computers when they open an attachment in a junk email or click on a link that takes them to a poisoned Web site, according to O’Reirdan.</p>
<p>Younger consumers tend to consider themselves more security savvy, possibly from having grown up with the Internet, yet they also take more risks. Among the survey’s key findings:</p>
<ul>
<li>Almost half of those who opened spam did so intentionally. Many wanted to unsubscribe or complain to the sender (25%), to see what would happen (18%) or were interested in the product (15%).</li>
<li>Overall, 11% of consumers have clicked on a link in spam, 8% have opened attachments, 4% have forwarded it and 4% have replied to spam.</li>
<li>On average, 44% of users consider themselves “somewhat experienced” with email security. In Germany, 33% of users see themselves as “expert” or “very experienced,” followed by around 20% in Spain, the U.K. and the U.S.A., 16% in Canada and just 8% in France.</li>
<li>Men and email users under 35 years, the same demographic groups who tend to consider themselves more experienced with email security, are more likely to open or click on links or forward spam. Among email users under 35 years, 50% report having opened spam compared to 38% of those over 35. Younger users also were more likely to have clicked on a link in spam (13%) compared to less than 10% of older consumers.</li>
<li>Consumers are most likely to hold their Internet or email service provider most responsible for stopping viruses and malware. Only 48% see themselves as most responsible, though in France this falls to 30% and 37% in Spain.</li>
<li>Yet in terms of anti-virus effectiveness, consumers ranked themselves ahead of all others, except for anti-virus vendors: 56% of consumers rated their own ability to stop malware and 67% rated that of anti-virus vendors’ as very or fairly good. Government agencies, consumer advocacy agencies and social networking sites were among those rated most poorly.</li>
</ul>
<p>The survey was conducted online between January 8 and 21, 2010 among over a thousand email users in the United States and over 500 email users in each of the other five countries. Participants were general consumers responsible for managing the security for their personal email address.</p>
<p>Both the survey’s <a rel="nofollow" href="http://www.maawg.org/system/files/2010_MAAWG-Consumer_Survey_Key_Findings.pdf" target="_blank">key findings</a> and the <a rel="nofollow" href="http://www.maawg.org/sites/maawg/files/news/2010_MAAWG-Consumer_Survey.pdf" target="_blank">full report</a> are available at the MAAWG Web site, <a rel="nofollow" href="http://www.maawg.org/" target="_blank">www.MAAWG.org</a>.<span> The 2010 research was conducted by Ipsos Public Affairs, and the full report includes country comparisons for many of the questions along with detailed charts.</span></p>
<p><strong>About the Messaging Anti-Abuse Working Group (MAAWG)</strong><br />
The Messaging Anti-Abuse Working Group (MAAWG) is where the messaging industry comes together to work against spam, viruses, denial-of-service attacks and other online exploitation. MAAWG (<a rel="nofollow" href="http://www.maawg.org/" target="_blank">www.MAAWG.org</a>) represents almost one billion mailboxes from some of the largest network operators worldwide. It is the only organization addressing messaging abuse holistically by systematically engaging all aspects of the problem, including technology, industry collaboration and public policy. MAAWG leverages the depth and experience of its global membership to tackle abuse on existing networks and new emerging services. Headquartered in San Francisco, Calif., MAAWG is an open forum driven by market needs and supported by major network operators and messaging providers.</p>
<p><em>You can also read the <a rel="nofollow" href="http://www.maawg.org/consumers-don%E2%80%99t-relate-bot-infections-risky-behavior-millions-continue-click-spam" target="_blank">original post</a> at MAAWG (Messaging Anti-Abuse Working Group)</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.thespamcryer.com/millions-continue-to-click-on-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Top 10 Botnets</title>
		<link>http://www.thespamcryer.com/the-top-10-botnets/</link>
		<comments>http://www.thespamcryer.com/the-top-10-botnets/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 18:01:09 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-Spam]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Bobax Worm]]></category>
		<category><![CDATA[Bot]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[Maazben]]></category>
		<category><![CDATA[Mega-D]]></category>
		<category><![CDATA[Pushdo]]></category>
		<category><![CDATA[Pushdo/Cutwail Botnet]]></category>
		<category><![CDATA[Rustock]]></category>
		<category><![CDATA[Spam Message]]></category>

		<guid isPermaLink="false">http://www.thespamcryer.com/?p=270</guid>
		<description><![CDATA[Latest reports have spam accounting for more than 95 percent of all email messages. You can thank botnets for most of that. Here’s what we’re up against. ]]></description>
			<content:encoded><![CDATA[<p>Michael Kassner wrote an interesting article on &#8220;The Top 10 Botnets: New and Improved&#8221; and it looked at the most prolific botnets on the planet.  Here is information from his original post:</p>
<ul>
<li><strong>Date</strong>: February 25th, 2010</li>
<li><strong>Author</strong>: Michael Kassner</li>
</ul>
<p><em>Latest reports have spam accounting for more than 95 percent of all email messages. You can thank botnets for most of that. Here’s what we’re up against.</em></p>
<p>While doing research for this project, I came across a blog series (<a target="_blank" href="http://blogs.msdn.com/tzink/archive/2010/02/03/which-botnet-sends-the-most-spam.aspx" rel="nofollow">first</a>, <a target="_blank" href="http://blogs.msdn.com/tzink/archive/2010/02/04/which-botnet-sends-the-most-spam-part-2.aspx" rel="nofollow">second</a>, <a target="_blank" href="http://blogs.msdn.com/tzink/archive/2010/02/05/which-botnet-sends-the-most-spam-part-3.aspx" rel="nofollow">third post</a>) that forced me to rethink. Ranking spam botnets is not as simple as I thought; there are different philosophies:</p>
<ul>
<li>The number of bot members</li>
<li>The number of bytes sent</li>
<li>The number of messages sent </li>
</ul>
<p>In the grand scheme of things, it may not seem important. But techies like details. Counting the number of bot members or bytes sent is straightforward enough. You would assume that the number of messages would be, too.</p>
<p>Well, it’s not. Botnets are smart enough to create a spam message but address it to a lot of different recipients. That adds another factor when counting messages.</p>
<p>Confused? So am I. To make some sense out of it all, I juggled the different attributes (totally unscientifically, of course) and came up with the following list of the best of the breed. The botnets are arranged in order of spam activity, with the most popular name being listed first:</p>
<p><em>Note: This article is also available as a <a target="_blank" href="http://downloads.techrepublic.com.com/abstract.aspx?docid=1583679" rel="nofollow">download </a>that includes a PDF version and a PowerPoint presentation.</em></p>
<h3>1: Grum (Tedroo)</h3>
<p><a target="_blank" href="http://www.m86security.com/trace/i/Grum,spambot.898~.asp" rel="nofollow">Grum</a> is the future for spam botnets. It’s a <a target="_blank" href="http://blogs.techrepublic.com.com/security/?p=1565" rel="nofollow">kernel-mode rootkit</a> and thus hard to detect. It’s also sneaky, infecting files used by Autorun registries. That guarantees it will be activated. This botnet is of special interest to researchers. It’s relatively small, only 600,000 members. Yet it accounts for almost 25 percent, or 40 billion spam-emails a day.</p>
<p>Grum focuses on pharmaceutical spam. You know the kind. There must be money in this, as most spam botnets are involved with it to some degree.</p>
<h3>2: Bobax (Kraken/Oderoor/Hacktool.spammer)</h3>
<p><a target="_blank" href="http://tools.cisco.com/security/center/viewAlert.x?alertId=7670" rel="nofollow"> Bobax</a> confuses botnet hunters, being somewhat related to the <a target="_blank" href="http://en.wikipedia.org/wiki/Kraken_botnet" rel="nofollow">Kraken botnet</a>. Recently, Bobax went through a rewrite. The authors converted command and control traffic to HTTP, making it more difficult to block and trace.</p>
<p>Right now, Bobax has only 100,000 members, yet it produces 27 billion spam messages a day. That’s 15 percent. Or more impressively, 1,400 spam email messages per bot per minute. Bobax appears to be a botnet for hire, as the type of spam varies.</p>
<h3>3: Pushdo (Cutwail/Pandex)</h3>
<p><a target="_blank" href="http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf" rel="nofollow">Pushdo</a> started at the same time as <a target="_blank" href="http://en.wikipedia.org/wiki/Storm_botnet" rel="nofollow">Storm</a>, in 2007. Storm is all but gone. But Pushdo is still going strong, sending out approximately 19 billion spam email messages a day from one and a half million bots. Pushdo is the <a target="_blank" href="http://blogs.techrepublic.com.com/security/?p=1565" rel="nofollow">downloader</a>, which gains access to the victim computer. It then downloads Cutwail, the spamming software.</p>
<p>The Pushdo/Cutwail botnet spews spam with a wide variety of subject matter, including pharmaceuticals, online casinos, phishing schemes, and links to malware-laced Web sites.</p>
<h3>4: Rustock (Costrat)</h3>
<p><a target="_blank" href="http://www.eweek.com/c/a/Security/A-Day-in-the-Life-of-the-Rustock-Botnet-319482/" rel="nofollow">Rustock</a> is another survivor. It was almost destroyed when <a target="_blank" href="http://blogs.techrepublic.com.com/networking/?p=726&#038;tag=leftCol;post-745">McColo was shuttered</a> in 2008. But it’s back and currently the largest botnet, with almost two million bots. Before McColo, Rustock’s trademark was to generate huge amounts of spam, then go dormant for several months. Today, Rustock’s signature is to deliver spam only from 3 a.m. to 7 a.m. EST (GMT-5) daily.</p>
<p>Rustock is also known for forging legitimate email newsletters using image files. <a target="_blank" href="http://en.wikipedia.org/wiki/Image_spam">Image spam</a> is undetectable by most filtering software. In addition, Rustock does the usual pharmaceutical and Twitter-based spam to the tune of 17 billion spam messages a day.</p>
<h3>5: Bagle (Beagle/Mitglieder/Lodeight)</h3>
<p><a target="_blank" href="http://www.m86security.com/trace/i/Bagle,spambot.938~.asp" rel="nofollow">Bagle</a> is an interesting botnet because of its industrious author. Since 2004, it has gone through hundreds of iterations. Two years ago, the developer decided to start making money, using Bagle to cultivate and sell email address databases.</p>
<p>Now, Bagle bots act as relay proxies, forwarding spam email messages to their final destination. Bagle has at most 500,000 bots, but it still moves 14 billion pieces of spam each day.</p>
<h3>6: Mega-D (Ozdok)</h3>
<p><a target="_blank" href="http://www.m86security.com/labs/i/Mega-D-still-spamming,trace.1239~.asp" rel="nofollow">Mega-D</a> is famous — or infamous, depending on your point of view. In November 2009, researchers at FireEye were able to<a target="_blank" href="http://blog.fireeye.com/research/2009/11/smashing-the-ozdok.html"> shut the botnet down</a> by registering its command and control domains ahead of the botmasters. But the malware is programmed to constantly generate new domains, allowing the botmasters to eventually regain control.</p>
<p>Of the top 10 botnets, Mega-D is the smallest, consisting of 50,000 members. That’s not very many, considering it pushes out 11 billion pieces of spam daily. It’s second only to Bobax, when considering spam per bot per minute. Mega-D’s spam consists of advertisements for an online pharmacy and, of course, male-enhancement drugs.</p>
<h3>7: Maazben</h3>
<p><a target="_blank" href="http://www.m86security.com/labs/i/Maazben-Best-of-Both-Worlds,trace.1090~.asp" rel="nofollow">Maazben</a> has been around only since June 2009. Yet it’s of special interest to researchers. Maazben is the first botnet that can use either <a target="_blank" href="http://www.m86security.com/trace/i/A-Little-Spam-With-Your-Bagle-,trace.999~.asp" rel="nofollow">proxy-based</a> or <a target="_blank" href="http://www.m86security.com/trace/i/Template-Based-Spam,trace.996~.asp" rel="nofollow">template-based</a> bots. Spammers prefer proxy-based bots because the spam source remains hidden. But proxy-based bots don’t work if the infected computer is behind a NAT device.</p>
<p>The new technique must be working. Maazben is the fastest-growing botnet of the top 10, increasing membership five percent in one month. With 300,000 bots, Maazben spreads two and a half billion casino-related spam messages per day.</p>
<h3>8: Xarvester (Rlsloup/Pixoliz)</h3>
<p><a target="_blank" href="http://www.m86security.com/trace/i/Xarvester,spambot.886~.asp" rel="nofollow">Xarvester</a> came into the picture after the McColo shutdown. Researchers feel the Xarvester botnet picked up a few customers from the closure. Researchers also see many similarities between Xarvester and the infamous <a target="_blank" href="http://en.wikipedia.org/wiki/Srizbi_botnet">Srizbi botnet</a>, one of the botnets affected by the closing of the McColo data center.</p>
<p>Currently, the Xarvester botnet contains 60,000 members, sending out approximately two and a half billion spam messages a day. The email messages could contain spam for pharmaceuticals, fake diplomas, replica watches, and Russian-specific spam.</p>
<h3>9: Donbot (Buzus)</h3>
<p>The <a target="_blank" href="http://www.m86security.com/trace/i/Donbot,spambot.899~.asp" rel="nofollow">Donbot botnet</a> is unique. It is one of the first botnets to use <a target="_blank" href="http://en.wikipedia.org/wiki/URL_shortening" rel="nofollow">URL shortening</a>, in an attempt to hide malicious links in the spam email. The thought is to increase the likelihood of someone clicking on the link. Donbot also seems to be divided into multiple individually run networks, each one pushing different types of spam.</p>
<p>Donbot has 100,000 members and sends out about 800 million spam emails a day. Spam content varies from weight loss drugs to stock pump-and-dump to debt settlement offers.</p>
<h3>10: Gheg (Tofsee/Mondera)</h3>
<p>Three things stand out about the number 10 botnet. First, almost 85 percent of the spam from it originates in South Korea. Second, <a target="_blank" href="http://www.m86security.com/trace/i/Gheg,spambot.897~.asp" rel="nofollow">Gheg</a> is one of the few botnets that encrypt traffic from the command and control servers using a nonstandard SSL connection on port 443.</p>
<p>Third, Gheg has options in how it sends spam email. It can act as a conventional proxy spambot. Or it can route spam messages through the victim’s Internet provider’s mail server. Gheg has 60,000 members and pushes out about 400 million spam emails daily, concentrating on pharmaceutical spam.</p>
<h3>Grand total</h3>
<p><a target="_blank" href="http://www.symantec.com/connect/user/daren-lewis" rel="nofollow">Daren Lewis</a> of Symantec keeps tabs on many of the botnets for MessageLabs and has come up with some startling numbers. Here are the overall statistics:</p>
<ul>
<li>80 percent of all spam is sent by these 10 botnets.</li>
<li>These 10 botnets send 135 billion spam messages a day.</li>
<li>Five million computers belong to the 10 botnets.</li>
</ul>
<p>The statistics are probably worse now, as I do not see any reduction in any of the spam filtering houses.</p>
<h3>Final thoughts</h3>
<p>Well, there you have it. I wouldn’t get rid of spam filtering devices or services just yet. To make matters worse, I keep close tabs on anti-spam research and do not see any solutions in the near future.</p>
<p><strong>[UPDATE]:</strong> I just received an email from MessageLabs. The research arm of Symantec released the <a target="_blank" href="http://www.messagelabs.com/intelligence.aspx" rel="nofollow">February 2010 Intelligence Report</a>, and it’s full of valuable information. I thought it would be a good idea to share the link and mention some of the highlights.</p>
<p>The paper pointed out that Grum and Rustock are the current heavyweights, accounting for 32 percent of all spam delivered. The following figure (courtesy of MessageLabs) shows the output from the 10 most active spam-sending botnets. That’s a lot of green (Rustock) and purple (Grum).</p>
<p><img height="384" alt="MessageLabs" src="http://www.thespamcryer.com/images/398985-500-384.png" width="500"/></p>
<p>You can view the original posts <a href="http://blogs.techrepublic.com.com/10things/?p=1373&#038;tag=nl.e071" rel="nofollow" target="_blank">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thespamcryer.com/the-top-10-botnets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Which botnet sends the most spam, P 3</title>
		<link>http://www.thespamcryer.com/which-botnet-sends-the-most-spam-p-3/</link>
		<comments>http://www.thespamcryer.com/which-botnet-sends-the-most-spam-p-3/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 17:55:20 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-Spam]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[CudaMail]]></category>

		<guid isPermaLink="false">http://www.thespamcryer.com/?p=268</guid>
		<description><![CDATA[In part 1 of my series, I looked at which botnet sends the most spam, by total number of messages sent at the recipient level and not the envelope level.  In part 2, I looked at which one sends the most spam by total amount of bytes that they emit.  ]]></description>
			<content:encoded><![CDATA[<p>Terry Zink looks at botnets and whether there&#8217;s a way to determine which sends the most spam.  This is part 3 of his series.</p>
<p><b>Original post:</b></p>
<p>In part 1 of my series, I looked at which botnet sends the most spam, by total number of messages sent at the recipient level and not the envelope level.  In part 2, I looked at which one sends the most spam by total amount of bytes that they emit.  Now, I’d like to put it all together; if we normalize the values, which botnet is responsible for sending out the most spam on a daily basis?  Depending on how we measure it, there are a couple of answers.</p>
<p>To check this, first I took a look at the average number of message envelopes each botnet sends per day.  I then normalized the value and used the lowest sending botnet as a base, assigning it a value of 1.  I have removed lethic from this count because it seems to have fallen off the radar (is something wrong with my script?).  The table is below:</p>
<p><img src="http://www.thespamcryer.com/images/botnet-most-spam-3.png" alt="Botnet Spam Stats"/></p>
<p>Looking at this table here, sorting by the average amount of total envelopes each botnet sends per day, it isn’t even close (for the month of January).  Rustock, by far, sends more individual spam messages than any other botnet by a factor of 10.  Its net is so wide and the other botnets aren’t even in the running.  Mega-d is next followed by cutwail2.</p>
<p>But if we measure the amount of bandwidth the individual receiving mail servers have to process, the numbers change.  If we take the average number of messages/envelope, multiply by the average message size (kb) and multiply by the average number of message envelopes per day, then we get the total amount of traffic, in bytes, that each botnet sends.  Doing this, the numbers change (remember that these are normalized values, not absolute values):</p>
<p><img src="http://www.thespamcryer.com/images/botnet-most-spam-3a.png" alt="Botnet Spam Stats"/></p>
<p>Looking at it this way, the worst botnet is cutwail followed by cutwail2.  Rustock drops down to 3rd in the list, a distant 3rd but not far behind cutwail1.  The other botnets bring up the rear, only looking out into the distance and wishing they were as cool as the others.</p>
<p>So there you have it, my study on which botnet sends out the most spam.  I’ve shown my work and therefore these results should be reproducible in the future.  I’m not totally convinced that my scripts are completely accurate and capturing all of the required information, however, as time passes I should be able to refine them and provide an even more accurate analysis on which botnet is the worst.</p>
<p>You can view the original post <a href="http://blogs.msdn.com/tzink/archive/2010/02/05/which-botnet-sends-the-most-spam-part-3.aspx" target="_blank" rel="nofollow">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thespamcryer.com/which-botnet-sends-the-most-spam-p-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Which Botnet Sends the Most Spam? P 2</title>
		<link>http://www.thespamcryer.com/which-botnet-sends-the-most-spam-p-2/</link>
		<comments>http://www.thespamcryer.com/which-botnet-sends-the-most-spam-p-2/#comments</comments>
		<pubDate>Wed, 03 Mar 2010 17:54:14 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-Spam]]></category>
		<category><![CDATA[Botnets]]></category>

		<guid isPermaLink="false">http://www.thespamcryer.com/?p=265</guid>
		<description><![CDATA[There are a couple of ways to measure which botnet sends the most spam.  On the one hand, botnets can send 1 spam message but address it to a lot of different recipients, thus putting the cost of delivery heavily onto the recipient. ]]></description>
			<content:encoded><![CDATA[<p>We recently posted the first of three articles by Terry Zink that look at botnets and explore whether there&#8217;s a way to determine which one sends the most spam.</p>
<p><b>original post:</b></p>
<p>Following up from my previous post, there are a couple of ways to measure which botnet sends the most spam.  On the one hand, botnets can send 1 spam message but address it to a lot of different recipients, thus putting the cost of delivery heavily onto the recipient.  This means that the spammer can have a small number of nodes and the recipient has to assume the overhead of splitting the message up and delivering it to multiple recipients.  On the other hand, a botnet can be very wide and send a lot of messages to a lot of different people, but only address each message to one recipient.  In this case, the overhead of delivery is shifted onto the sender since the spammer/botnet has to support and maintain a lot of different nodes.</p>
<p>But the total number of messages is only one way of looking at it.  What about the total size of the message?  If one botnet sends 10 messages at 30 kb each, and another sends 100 messages at 3 kb each, the way we measure who sends the most spam varies.  They are each sending the same amount of data.  Regarding the 10 botnets I have been tracking this month, below is the botnet and the average size per message in kb that they send:</p>
<p><img src="http://www.thespamcryer.com/images/botnet-most-spam-2.png" alt="Botnet Spam Stats"/></p>
<p>From here, we can see that cutwail1/2 send very large messages, and combining that with my previous post, we can see that they send a lot of messages per email envelope and the messages tend to be quite large.  Cutwail imposes a very large strain onto the overall Internet infrastructure.  Rustock, conversely, remains very hard to detect in terms of its footprint.  It sends on average 1 message per email envelope, and these messages are quite small.</p>
<p>Lethic sends lots of messages per email, but the messages are small.  Gheg doesn’t send very many emails per envelope either, but its messages tend to be larger.</p>
<p>So, what can we conclude from these figures?  Rustock is a very efficient spammer, and cutwail is very inefficient (where efficiency is defined as how easy they hide themselves and the costs they impose on the recipient).  Lethic is a new kid on the block but doesn’t impose large bandwidth costs, while the others are a mixture between the rustock/cutwail contrast.</p>
<p>Of course, can I definitively state which botnet sends the most spam?  The answer is that it depends.  While the Holy Grail of many businesses is that the more data you have, the better, I have found that this is not the case.  Oftentimes, more data only serves to make you more confused and unable to give a straight up answer.</p>
<p>You can view the original post <a href="http://blogs.msdn.com/tzink/archive/2010/02/04/which-botnet-sends-the-most-spam-part-2.aspx" target="_blank" rel="nofollow">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thespamcryer.com/which-botnet-sends-the-most-spam-p-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Which botnet sends the most spam?</title>
		<link>http://www.thespamcryer.com/which-botnet-sends-the-most-spam/</link>
		<comments>http://www.thespamcryer.com/which-botnet-sends-the-most-spam/#comments</comments>
		<pubDate>Wed, 03 Mar 2010 17:32:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-Spam]]></category>
		<category><![CDATA[Botnets]]></category>

		<guid isPermaLink="false">http://www.thespamcryer.com/?p=262</guid>
		<description><![CDATA[Around the Internet, and even on this blog, various analyses have been done on botnets and which one is responsible for sending the most spam.  Whether it’s Rustock, Cutwail, or one of the new kids on the block (grum, gheg, or donbot), I don’t really see any consensus on which one is the spammiest.]]></description>
			<content:encoded><![CDATA[<p>This blog posting by Terry Zink is an interesting one that looks at botnets, and how to tell which one sends the most spam.</p>
<p><b>original post:</b></p>
<p>Around the Internet, and even on this blog, various analyses have been done on botnets and which one is responsible for sending the most spam.  Whether it’s Rustock, Cutwail, or one of the new kids on the block (grum, gheg, or donbot), I don’t really see any consensus on which one is the spammiest.</p>
<p>There are a couple of ways to measure which botnet sends the most spam.  You could do it by which one is sending spam from the most distinct IPs.  You could also do it by which one sends the most amount of messages.  But the most amount of messages has a couple of different ways of measuring it – by total number of envelopes, total number of messages, and total number of bytes.</p>
<p>The envelope level is different from the message level.  For you see, a message envelope can have multiple messages.  A message might be addressed to multiple recipients, in other words:</p>
<p>From: Guy Incognito<br />
To: Frank Grimes, Lenny Leonard, Carl Carlson</p>
<p>This particular email would be one envelope and three messages, because the message has to get delivered to 3 people.  So, at the message level, it is more costly to process a message with multiple recipients.  You could scan the message before branching it out, but afterwards when it comes time to deliver the message, you would have to fork it out into each individual message, and each of these messages costs bandwidth and storage.</p>
<p>At the message level, here are 10 botnets that I have been tracking for around a month along with the average number of recipients per message:</p>
<p><img src="http://www.thespamcryer.com/images/botnet-most-spam.png" alt="Botnet Spam Stats"/></p>
<p>From this perspective, cutwail and lethic are the spammiest botnets.  They send spam messages to lots of different recipients which results in higher infrastructure costs for the recipient (not to mention the filterer of the spam).  Lethic is a fairly new botnet, I don’t have a lot of stats for it before November 2009.  I wonder whether or not it is related to cutwail1/2 at all, seeing as how the behavior is so similar.  I’d have to dig into our logs and see what the messages look like in order to see if there are enough similarities.</p>
<p>Rustock is way down the list.  Rustock is a very clever botnet, contrasting it from cutwail1/2 and lethic.  Rustock’s strategy is to have a botnet base a mile wide and an inch deep.  In other words, the number of distinct IPs is far higher in Rustock than any other botnet (it isn’t even close).  But the number of messages it sends per envelope is small, approaching 1.0.  This allows it to have a wider footprint that is harder to detect.  A bursty emission of spam from a small number of IPs is easier to detect than a scattered distribution of it coming from many, many more IPs.  On the other hand, while the latter is harder to detect, the former does more damage to a network because of the additional load put onto a network during the peak traffic times.</p>
<p><em>The original post from Wednesday, February 03, 2010 can be viewed <a href="http://blogs.msdn.com/tzink/archive/2010/02/03/which-botnet-sends-the-most-spam.aspx" target="_blank" rel="nofollow">here</a></em></p>
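<p>The measurements used across the three posts (envelopes per day, recipient-level messages, bytes, and distinct sending IPs) all come out of the same per-envelope data, so one script can produce every ranking discussed. What follows is an added example, not Terry Zink&#8217;s own script or any code from his posts. It assumes that each MTA log line already carries a botnet label from whatever IP-to-botnet classification runs upstream, reads a constructed eight-line log, and, besides the product-of-averages figure that part 3 describes, also computes the exact recipient-weighted byte total, which differs from that product whenever the larger envelopes are the ones with more recipients.</p>

```python
import re
from collections import defaultdict

# Constructed sample of per-envelope MTA log lines (not real traffic). Each line carries
# the date, the connecting IP, the botnet label assigned upstream (assumed), the number of
# RCPT TO addresses on the envelope and the message size in bytes.
SAMPLE_LOG = """\
2010-01-10 203.0.113.7   rustock  rcpts=1  size=2000
2010-01-10 203.0.113.9   rustock  rcpts=1  size=2000
2010-01-10 198.51.100.3  cutwail1 rcpts=10 size=30000
2010-01-10 198.51.100.40 lethic   rcpts=8  size=4000
2010-01-11 203.0.113.20  rustock  rcpts=1  size=2000
2010-01-11 203.0.113.21  rustock  rcpts=2  size=2000
2010-01-11 198.51.100.3  cutwail1 rcpts=10 size=30000
2010-01-11 198.51.100.41 lethic   rcpts=6  size=2000
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})\s+(?P<ip>[\d.]+)\s+(?P<botnet>\S+)\s+"
    r"rcpts=(?P<rcpts>\d+)\s+size=(?P<size>\d+)\s*$"
)


def parse_log(text):
    """Yield one dict per envelope; lines that do not match the expected shape are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"day": m["day"], "ip": m["ip"], "botnet": m["botnet"],
                   "rcpts": int(m["rcpts"]), "size": int(m["size"])}


def summarize(envelopes):
    """Per-botnet daily averages over the distinct days present in the log."""
    per = defaultdict(lambda: {"n": 0, "rcpts": 0, "bytes": 0, "delivered": 0, "ips": set()})
    days = set()
    for e in envelopes:
        days.add(e["day"])
        s = per[e["botnet"]]
        s["n"] += 1                               # envelopes
        s["rcpts"] += e["rcpts"]                  # recipient-level messages
        s["bytes"] += e["size"]                   # bytes received once per envelope
        s["delivered"] += e["rcpts"] * e["size"]  # bytes the receiver must fan out
        s["ips"].add(e["ip"])
    ndays = max(len(days), 1)
    out = {}
    for botnet, s in per.items():
        env_per_day = s["n"] / ndays
        msgs_per_env = s["rcpts"] / s["n"]
        avg_size = s["bytes"] / s["n"]
        out[botnet] = {
            "envelopes_per_day": env_per_day,
            "msgs_per_envelope": msgs_per_env,
            "avg_size_bytes": avg_size,
            "distinct_ips": len(s["ips"]),
            "msgs_per_day": s["rcpts"] / ndays,
            # Product of the three averages, which is how part 3 of the series gets bytes/day.
            "bytes_per_day": msgs_per_env * avg_size * env_per_day,
            # Exact recipient-weighted total; differs from the product whenever the bigger
            # envelopes are also the ones with more recipients.
            "delivered_bytes_per_day": s["delivered"] / ndays,
        }
    return out


def normalize(stats, metric):
    """Rescale one metric so the lowest-sending botnet is 1.0, as the series does."""
    base = min(v[metric] for v in stats.values()) or 1.0  # avoid dividing by zero
    return {botnet: v[metric] / base for botnet, v in stats.items()}


def ranking(stats, metric):
    """Botnet names from spammiest to least spammy under the chosen metric."""
    return sorted(stats, key=lambda botnet: stats[botnet][metric], reverse=True)


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for metric in ("distinct_ips", "envelopes_per_day", "msgs_per_day", "bytes_per_day"):
        print(f"{metric:>18}: {ranking(stats, metric)}  normalized={normalize(stats, metric)}")
```

<p>The constructed data is chosen so that the ordering flips between views, as it did in the real numbers: the botnet with the most IPs and envelopes (rustock) is last by recipient-level messages and by bytes, while the one sending from a single IP (cutwail1) is first on both. The lethic rows show the product-of-averages figure undercounting the bytes a receiver actually has to fan out, because its larger envelope is also the one with more recipients.</p>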
<p><b>Note:</b> We&#8217;re following various posts by different authors on this subject so keep checking back for more information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thespamcryer.com/which-botnet-sends-the-most-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stimulus packages, stock brokers and Trojans, Oh My!</title>
		<link>http://www.thespamcryer.com/stimulus-packages-stock-brokers-and-trojans-oh-my/</link>
		<comments>http://www.thespamcryer.com/stimulus-packages-stock-brokers-and-trojans-oh-my/#comments</comments>
		<pubDate>Tue, 03 Mar 2009 18:06:16 +0000</pubDate>
		<dc:creator>Shaun</dc:creator>
				<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Online Scams]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[fortigate]]></category>
		<category><![CDATA[fortinet]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://www.thespamcryer.com/?p=210</guid>
		<description><![CDATA[Malware called Tigger/Syzor which is a safe mode rootkit password stealing Trojan that targets day traders.]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.thespamcryer.com/wp-content/uploads/2009/03/stocks.jpg" alt="Day Trading" title="stocks" style="float:right;margin: 5px 5px 5px 10px;" /></p>
<p><strong>‘Follow the money.’</strong> With the recent stock market volatility creating interest and opportunity for savvy investors, the lure of all that money is attracting the attention of malware writers.</p>
<p>Michael Kassner, the Manager of IT for Getinge LaCalhene and a well-certified IT professional, recently ran into a piece of malware with a twist. Called <strong>Tigger/Syzor</strong>, it appeared on the PC of a friend of Michael’s who is a day trader and deals with companies like E-Trade, ING Direct, Vanguard, Options Xpress, TD Ameritrade and Scottrade.</p>
<p><strong>Guess what</strong>? Tigger/Syzor likes the same friends: it is a safe-mode rootkit and password-stealing Trojan that <strong>targets day traders</strong>. Michael was able to use tools like Malwarebytes Anti-Malware (MBAM) to find and remove some files that were identified as malware, but ultimately he went with a full clean reinstall of the operating system and all applications just to be sure.</p>
<p>The day trader does keep his computer up to date with patches and program updates, so what else could he have done? How about running in a virtual environment? With tools like VMware Server being offered for free and giving you the ability to run an isolated second complete copy of the operating system and programs, he could have run the tools that are critical to his job in one and done his research (web browsing) in a second. This isolates the two so that if the browsing system gets infested he can just roll back to a previous version or snapshot without the infection and continue running with only a few minutes of downtime, not a whole panic-filled weekend. The host operating system still has to stay clean, though: a compromised host sees everything its guests do, so the split only helps if the risky browsing really stays inside the browsing VM.</p>
<p>He would even be able to turn off the day-trading virtual system after the markets close and let his kids (I don’t know if he has any, just speculating) use a separate, dedicated, kids-only virtual machine that was locked down and set to discard all changes when it was rebooted. This may require that a few additional Windows licenses be purchased, and a little discipline to not get lazy and browse from his critical virtual machine, but as they say, an ounce of prevention is worth a pound of cure. The day-trading tools he uses also have to be able to run in a virtualized environment and be supported by the vendor when run that way.</p>
<p>A second thing this day trader should do is run his home network like a corporate network, with similar hardware (<a href="http://www.firewallshop.com" target="_blank" title="FirewallShop.com Fortinet, Barracuda, SonicWall, WatchGuard, Wedge">http://www.firewallshop.com</a>) and protective measures in place. I’d hazard a guess that he is running a consumer-level firewall (with unprotected wireless on too, I’d bet) that acts as a one-way valve using Network Address Translation (NAT) and very little else.</p>
<p>He makes his living by day trading, so treat this network like the office it is and install a corporate-level firewall like a <strong>FortiGate</strong> that does layer 7 anti-virus scanning at the edge. With the recent introduction of the <a href="http://www.firewallshop.com/detail.aspx?ID=283" target="_blank" title="Fortinet FortiGate 30B Bundle">FortiGate 30B Bundle</a> the price of a very capable corporate-level firewall has dropped to the $500 range with one year of updates and basic support. Bear in mind that edge anti-virus only inspects traffic it can read: a malicious download fetched over HTTPS passes through unscanned unless the firewall also intercepts TLS, so it complements the virtual-machine split rather than replacing it. When your living depends on trading thousands of dollars daily, doesn’t it make sense to protect your investment and passwords with an enterprise-level firewall?</p>
<p><strong>Tigger.A</strong>: Sophisticated trojan that likes stockbrokers<br />
<a href="http://blogs.techrepublic.com.com/security/wp-trackback.php?p=960" target="_blank">http://blogs.techrepublic.com.com/security/wp-trackback.php?p=960</a></p>
<p><strong>Michael Kassner</strong><br />
<a href="http://techrepublic.com.com/5213-6257-0.html?id=4730583" target="_blank">http://techrepublic.com.com/5213-6257-0.html?id=4730583</a></p>
<p><strong>FortiGate 30B</strong><br />
<a href="http://www.firewallshop.com/detail.aspx?ID=283" target="_blank" title="Fortinet FortiGate 30B Firewall">http://www.firewallshop.com/detail.aspx?ID=257</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.thespamcryer.com/stimulus-packages-stock-brokers-and-trojans-oh-my/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>MS09-002 exploit in the wild</title>
		<link>http://www.thespamcryer.com/ms09-002-exploit-in-the-wild/</link>
		<comments>http://www.thespamcryer.com/ms09-002-exploit-in-the-wild/#comments</comments>
		<pubDate>Thu, 19 Feb 2009 18:57:51 +0000</pubDate>
		<dc:creator>Shaun</dc:creator>
				<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Bulletins]]></category>
		<category><![CDATA[CudaMail]]></category>
		<category><![CDATA[Tips & Tricks]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[ie7]]></category>
		<category><![CDATA[ISC]]></category>
		<category><![CDATA[MS09-002]]></category>

		<guid isPermaLink="false">http://www.thespamcryer.com/?p=201</guid>
		<description><![CDATA[The Internet Storm Center is reporting that several AV vendors have confirmed that the recently patch IE 7 vulnerability (MS-09-002 Uninitialized Memory Corruption) has been reverse engineered by the malware writers (so quickly!)]]></description>
			<content:encoded><![CDATA[<p>The <strong>Internet Storm Center</strong> is reporting that several AV vendors have confirmed that the recently patched IE 7 vulnerability (MS09-002, Uninitialized Memory Corruption) has been reverse engineered by the malware writers (so quickly!) and that we can expect them to be trying to infect your PCs and get you to join their zombie army any time now.</p>
<p>What does this have to do with spam? Spam is one way they try to infect your PC, so be on the lookout for simple, hard-to-block e-mails with a catchy subject line and a simple link to a website.</p>
<p>The <a href="http://www.CudaMail.com" target="_blank">CudaMail System</a> has been seeing and blocking a rise in emails with simple links to malware sites, and even the occasional iframe.  They&#8217;re definitely trying various ways to sneak malicious links into your inbox.</p>
<p>It bears repeating: if you don’t know where the e-mail came from, or if you weren’t expecting it and can’t confirm that the supposed sender really sent it to you, be very careful opening the website, or better yet don’t open it at all.</p>
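<p>The tells described above (a catchy subject, almost no body text, a single link, or an iframe dropped into an HTML mail) can be checked mechanically at the gateway. What follows is an added example and is not part of the original post or of the CudaMail system: it parses three constructed messages with Python&#8217;s standard <code>email</code> module, counts the words that remain once URLs and tags are stripped, and flags a message when it is essentially link-only or carries a hidden iframe. The six-word threshold and the hidden-iframe heuristic are assumptions to be tuned against real traffic.</p>

```python
import re
from email import message_from_string, policy

# Constructed sample messages (not real captures): a bare-link lure, an HTML lure with a
# hidden iframe, and an ordinary mail that happens to contain a link in context.
LURE_LINK_ONLY = """\
From: "Tracking" <noreply@example.net>
To: user@example.com
Subject: Your package could not be delivered
Content-Type: text/plain; charset=us-ascii

See details: http://example.net/track/8823
"""

LURE_IFRAME = """\
From: "Newsletter" <news@example.org>
To: user@example.com
Subject: Weekly update
Content-Type: text/html; charset=us-ascii

<html><body><p>Hi there, here is this week's update.</p>
<iframe src="http://example.org/x.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

LEGIT = """\
From: "Alice" <alice@example.com>
To: user@example.com
Subject: Minutes from today's meeting
Content-Type: text/plain; charset=us-ascii

Hi, as discussed we will move the deployment to Thursday. I have put the
updated runbook on the wiki at http://wiki.example.com/runbooks/deploy so the
on-call team can review it before then. Let me know if anything is unclear.
Thanks, Alice
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# 0/1-pixel frames or frames styled away: the usual shape of a drive-by iframe.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0*[01](?!\d)|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.I,
)
TAG_RE = re.compile(r"<[^>]+>")
MAX_WORDS_FOR_LINK_ONLY = 6  # assumed threshold; tune against your own mail flow


def body_parts(msg):
    """Collect decoded text/plain and text/html bodies, descending into multipart."""
    text, html = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text.append(part.get_content())
        elif ctype == "text/html":
            html.append(part.get_content())
    return text, html


def analyze(raw):
    """Flag the 'catchy subject, almost no text, one link (or an iframe)' lure shape."""
    msg = message_from_string(raw, policy=policy.default)
    text, html = body_parts(msg)
    urls = set()
    for chunk in text + html:  # raw HTML is scanned too so href/src targets are seen
        urls.update(URL_RE.findall(chunk))
    iframes = [tag for h in html for tag in IFRAME_RE.findall(h)]
    hidden = any(HIDDEN_RE.search(tag) for tag in iframes)
    visible = " ".join(text) + " " + " ".join(TAG_RE.sub(" ", h) for h in html)
    words = URL_RE.sub(" ", visible).split()
    link_only = bool(urls) and len(words) <= MAX_WORDS_FOR_LINK_ONLY
    return {
        "subject": str(msg["subject"]),
        "urls": sorted(urls),
        "words": len(words),
        "iframes": len(iframes),
        "hidden_iframe": hidden,
        "link_only": link_only,
        "suspicious": link_only or hidden,
    }


if __name__ == "__main__":
    for raw in (LURE_LINK_ONLY, LURE_IFRAME, LEGIT):
        r = analyze(raw)
        print(f"{r['subject']!r}: suspicious={r['suspicious']} words={r['words']} "
              f"urls={r['urls']} hidden_iframe={r['hidden_iframe']}")
```

<p>The word count is what separates the two link-bearing messages: the lure has two words around its link, the meeting note has a paragraph. In production the extracted URLs would be the input to whatever URL reputation or link-following check the gateway runs; this example stops at flagging the message shape.</p>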
<p>MS09-002 exploit in the wild (via SANS)<br />
<a href="http://isc.sans.org/diary.html?storyid=5884" target="_blank">http://isc.sans.org/diary.html?storyid=5884</a></p>
<p>- Shaun</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thespamcryer.com/ms09-002-exploit-in-the-wild/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are you ready to see your spam volume Jump 10 times?</title>
		<link>http://www.thespamcryer.com/are-you-ready-to-see-your-spam-volume-jump-10-times/</link>
		<comments>http://www.thespamcryer.com/are-you-ready-to-see-your-spam-volume-jump-10-times/#comments</comments>
		<pubDate>Mon, 26 Jan 2009 20:41:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-Spam]]></category>
		<category><![CDATA[Barracuda Networks]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Bulletins]]></category>
		<category><![CDATA[CudaMail]]></category>
		<category><![CDATA[Spam Firewall]]></category>
		<category><![CDATA[Barracuda Central]]></category>
		<category><![CDATA[Spam]]></category>

		<guid isPermaLink="false">http://www.thespamcryer.com/?p=185</guid>
		<description><![CDATA[It took less than 3 months for the Spammers to ramp up their production to 90% of where it was pre-McColo takedown in November 2008 according to a number of reports and graphs available online.]]></description>
			<content:encoded><![CDATA[<p>It took less than 3 months for the Spammers to ramp up their production to 90% of where it was pre-McColo takedown in November 2008 according to a number of reports and graphs available online.</p>
<p>The first report is from MessageLabs, and it reports that, with spam volume up another 5% so far in January 2009, the top 10 botnets, while consisting of between 10 thousand and 1 million bots each (estimated), were capable of sending out between 131 million and almost 40 BILLION spam messages PER DAY per botnet. Total volume from just the top 10 botnets came to almost 65 billion messages per day! Are you getting your fair share?</p>
<p>It is interesting to see that the largest botnet, Cutwail/Pandex, placed second behind Mega-D/Ozdok in the spam volume per day category (7 billion to 38 billion) even though it had more compromised PCs (1 million bots to 660,000). This is doubly interesting as the latest estimate for the size of the recent Conficker/Downadup botnet is 10 million PCs, and they are not sending any spam yet. With 10 million bots, and assuming a spam engine as aggressive and efficient as Mega-D’s, Conficker/Downadup could be capable of sending over half a trillion (575 billion) messages per day by itself. Are you ready to see your spam volume jump to 10 times its current volume or even higher?</p>
<p>According to Barracuda Central, pharmacy spam still leads with almost 50% of the total volume, while Gambling, Illegal Advertising, ‘Amazing Deals on Software’ and ‘Genuine Replicas’ round out the top 5 spots and over 90% of the total volume of spam.</p>
<p>If you don’t know how effective your anti-spam measures are, or how close they are to running at capacity (out of sight = out of mind), then now is the time to take a serious look at these solutions in your organization and how they are going to handle the new surge of spam that is waiting on the horizon.</p>
<p>It might just be time to invest in a new <a href="http://www.FirewallShop.com" title="FirewallShop" target="_blank">firewall solution</a> and <a href="http://www.BarracudaNetworks.ca/spam-firewall.aspx" target="_blank" title="Barracuda Spam Firewall">anti-spam</a> solution.</p>
<p>Don’t say we didn’t warn you!</p>
<h3>Other Graphs and reports.</h3>
<p><b>MessageLabs Intelligence: January 2009</b><br />
<a href="http://www.messagelabs.com/mlireport/MLIReport_2009.01_Jan_Final.pdf" title="http://www.messagelabs.com/mlireport/MLIReport_2009.01_Jan_Final.pdf">http://www.messagelabs.com/mlireport/MLIReport_2009.01_Jan_Final.pdf</a></p>
<p><strong>Conficker</strong> botnet at 10m infections<br />
<a href="http://www.theregister.co.uk/2009/01/26/conficker_botnet/" title="http://www.theregister.co.uk/2009/01/26/conficker_botnet/">http://www.theregister.co.uk/2009/01/26/conficker_botnet/</a></p>
<p><strong>DCC</strong> e-mail and spam volume graph last 12 months.<br />
<a href="http://www.dcc-servers.net/dcc/graphs/" title="http://www.dcc-servers.net/dcc/graphs/">http://www.dcc-servers.net/dcc/graphs/</a></p>
<p><strong>SpamCop</strong> – last 12 months spam volume.<br />
<a href="http://www.spamcop.net/spamgraph.shtml?spamyear" title="http://www.spamcop.net/spamgraph.shtml?spamyear">http://www.spamcop.net/spamgraph.shtml?spamyear</a></p>
<p><strong>Barracuda Central</strong> – Spam data last 24 hours<br />
<a href="http://www.barracudacentral.org/data/spam" title="http://www.barracudacentral.org/data/spam">http://www.barracudacentral.org/data/spam</a></p>
<p><b>Shaun Sturby</b></p>
]]></content:encoded>
			<wfw:commentRss>http://www.thespamcryer.com/are-you-ready-to-see-your-spam-volume-jump-10-times/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lance Atkinson only fined $63,400 USD by New Zealand because he &#8216;co-operated with authorities&#8217;</title>
		<link>http://www.thespamcryer.com/lance-atkinson-fined/</link>
		<comments>http://www.thespamcryer.com/lance-atkinson-fined/#comments</comments>
		<pubDate>Tue, 23 Dec 2008 19:22:11 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Anti-Spam]]></category>
		<category><![CDATA[Botnets]]></category>
		<category><![CDATA[Bulletins]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[CudaMail]]></category>
		<category><![CDATA[Lance Atkinson]]></category>
		<category><![CDATA[ROKSO]]></category>
		<category><![CDATA[Spamhaus]]></category>

		<guid isPermaLink="false">http://www.thespamcryer.com/?p=176</guid>
		<description><![CDATA[Lance Atkinson, a prolific spammer since 2005 as part of 'HerbalKing', the '#1 worst spam gang of 2007, 2008' according to the Spamhaus ROKSO list, has been fined only $92,715 AUD (about $63,400 USD) by authorities because of, according to Justice Christine French of the High Court in Christchurch, Lance's co-operation and candor in the early stages of the investigation.]]></description>
			<content:encoded><![CDATA[<p>Lance Atkinson, a prolific spammer since 2005 as part of &#8216;HerbalKing&#8217;, the &#8216;<em><strong>#1 worst spam gang of 2007, 2008</strong></em>&#8217; according to the Spamhaus ROKSO list, has been fined only $92,715 AUD (about $63,400 USD) by authorities because of, according to Justice Christine French of the High Court in Christchurch, Lance&#8217;s co-operation and candor in the early stages of the investigation.</p>
<p>This is in contrast to the $2.2 million USD fine assessed against Atkinson by the FTC in 2005.</p>
<p>The Spamhaus article points out that Australia has very strict anti-spam laws<br />
(<a href="http://scaleplus.law.gov.au/html/ems/0/2003/0/2003092501.htm" target="_blank">http://scaleplus.law.gov.au/html/ems/0/2003/0/2003092501.htm</a>) and that the maximum fines for a &#8216;body corporate with a prior record&#8217; could be as high as $1.1 million (AUD), or $220,000 (AUD) for &#8216;an individual with a prior record&#8217;, just for sending the spam messages.</p>
<p>If you add in the maximum fines for not including accurate sender information ($550,000 corporate / $110,000 personal), for not having a functional unsubscribe facility ($550,000 corporate / $110,000 personal) and for supplying, acquiring and using address-harvesting software or harvested-address lists ($550,000 corporate / $110,000 personal), these fines could have been much higher for Lance.</p>
<p>Sydney Morning Herald.<br />
<a href="http://www.smh.com.au/news/technology/security/kiwis-nail-big-time-spammer/2008/12/22/1229794316883.html" target="_blank">http://www.smh.com.au/news/technology/security/kiwis-nail-big-time-spammer/2008/12/22/1229794316883.html</a></p>
<p>Herbal King<br />
<a href="http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7802" target="_blank">http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7802</a></p>
<p>While it is great that Lance has been fined, if we take a step back and look at the bigger picture we have to ask: if fines worked, why didn&#8217;t Lance and the whole Herbal King group stop spamming in 2005?</p>
<p>While the laws applied in this particular case are very strict, they have not stopped the flow of spam. It looks like one solution may be to add confinement to the monetary fines for repeat spammers, with additional time for repeat offences, similar to how other criminals are treated.</p>
<p>While the botnets are very automated and will continue for a while after their masters are incarcerated, eventually, with no new commands, the botnets will go dark.</p>
<p>But what do I know? Your thoughts on this issue?</p>
<p>- Shaun</p>
]]></content:encoded>
			<wfw:commentRss>http://www.thespamcryer.com/lance-atkinson-fined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
