So, it may be interesting to catch up on estimating some recent numbers for the ongoing Waledac spam operation. This afternoon’s Waledac spam blasts contained the usual content for this campaign:
1. Discount offer-related subject lines related to and links to ripped coupon themed pages serving up malicious executables
2. Pharma-related subject lines and links to pharmaceutical sites (screenshots above and below)
Subject lines and message content for category 1 (hyperlinks mangled intentionally):
Subject: “I sent you useful thing”
You probably wish to save your money, look at this
Subject: “Latest sales news and coupons”
I want to suggest this page to you hxxp:(slashslash)thecoupondiscount(dot)com(slash)sales.php
Subject: “We can go through the crisis with it”
It’ll be interesting for you hxxp:(slashslash)greatcouponclub(dot)com(slash)couponslist.php
Subject: “A good way to save money is to use these coupons”
New list with coupons in your city hxxp:(slashslash)greatsalesgroup(dot)com(slash)salelist.php
Subject: “All my friends have already used it”
I sent you useful listing hxxp:(slashslash)smartsalesgroup(dot)com(slash)couponslist.php
Subject: “I’ve already used these coupons”
Cool! You can save your money hxxp:(slashslash)greatsalestax(dor)com(slash)list.php
Subject lines and content for category 2, the pharma spam:
Subject: Get the most of your life!
Helloween sale hxxp:(slashslash)agreeslick(dot)com
Subject: Stimulate better growth
Make your body real TNT, exploding near girls with passion and desire.
Let’s assume that the botnet currently is 30,000-40,000 hosts, with ~30,000 spambots sending out messages every second. Because of fantastic efforts like spamhaus, and the fact that various free mail hosting services have tightened up the sources of email senders that they accept email from, let’s assume that each bot can successfully deliver approximately 1.7 messages per second. With 30,000 bots, that comes to 51,000 messages per second, at a rate of 3,060,000 spam successfully sent every minute (that’s from the bot to the destination smtp server).
Now let’s estimate that 10% of that mail arrives in the users’ inboxes (due to filters and scanners of all sorts). That’s still 306,000 messages getting to users’ inboxes. And 1% of that group may actually buy something or fall for a malicious link? Would it be overestimating to guess that ~3,000 users visit a malicious couponizer page or a phony online pharmaceutical link from a single minute of Waledac spamming?
What does your math look like?