March 24, 2018

Who'll Stop the Spam-Bots?

The FTC has initiated Operation Spam Zombies, a program that asks ISPs to work harder to detect and isolate spam-bots on their customers’ computers. Randy Picker has a good discussion of this.

A bot is a malicious, long-lived software agent that sits on a computer and carries out commands at the behest of a remote badguy. (Bots are sometimes called zombies. This makes for more colorful headlines, but the cognoscenti prefer “bot”.) Bots are surprisingly common; perhaps 1% of computers on the Internet are infected by bots.

Like any successful parasite, a bot tries to limit its impact on its host. A bot that uses too many resources, or that too obviously destabilizes its host system, is more likely to be detected and eradicated by the user. So a clever bot tries to be unobtrusive.

One of the main uses of bots is for sending spam. Bot-initiated spam comes from ordinary users’ machines, with only a modest volume coming from each machine; so it is difficult to stop. Nowadays the majority of spam probably comes from bots.

Spam-bots exhibit the classic economic externality of Internet security. A bot on your machine doesn’t bother you much. It mostly harms other people, most of whom you don’t know; so you lack a sufficient incentive to find and remove bots on your system.

What the FTC hopes is that ISPs will be willing to do what users aren’t. The FTC is urging ISPs to monitor their networks for telltale spam-bot activity, and then to take action, up to and including quarantining infected machines (i.e., cutting off or reducing their network connectivity).

It would be good if ISPs did more about the spam-bot problem. But unfortunately, the same externality applies to ISPs as to users. If an ISP’s customer hosts a spam-bot, most the spam sent by the bot goes to other ISPs, so the harm from that spam-bot falls mostly on others. ISPs will have an insufficient incentive to fight bots, just as users do.

A really clever spam-bot could make this externality worse, by making sure not to direct any spam to the local ISP. That would reduce the local ISP’s incentive to stop the bot to almost zero. Indeed, it would give the ISP a disincentive to remove the bot, since removing the bot would lower costs for the ISP’s competitors, leading to tougher price competition and lower profits for the ISP.

That said, there is some hope for ISP-based steps against bot-spam. There aren’t too many big ISPs, so they may be able to agree to take steps against bot-spam. And voluntary steps may help to stave off unpleasant government regulation, which is also in the interest of the big ISPs.

There are interesting technical issues here too. If ISPs start monitoring aggressively for bots, the bots will get stealthier, kicking off an interesting arms race. But that’s a topic for another day.


  1. 1) Your definition of bot is overly broad. A bot can also be a helpful device that sits on IRC, doling out information as needed/requested. Certainly, this is a different definition, but it’s important to avoid overly broad definitions as we’ve seen with relationt to “spyware”.

    2) I think ISPs will have far more incentive than individual users. As you say, there are few major ISPs, and even if a spam-bot sent no spam to the same domain, it’s still in the ISPs interest to kill it off. It’s in everyone’s interest, in the long-run, to kill these, but it’s far more difficult to convince 1 billion people of that than 500 (1000? 5000?) ISPs around the country.

    3) This sort of filtering can already be seen on campuses around the country (and probably the world). At Tufts University where I used to work IT, machines are routinely quarantined until they can be cleansed of viruses. Perhaps the most amusing part of this is that the quantine pool led to extremely rapid cross-contamination, such that once a machine was quarantined there was little left to do but wipe the whole thing.

  2. Avoiding being tagged as a source of spam seems like a pretty significant disincentive to host a spambot, both for users and ISPs.

  3. Avi Flamholz says:

    In addition to Joe’s point, I would like to point out the following.

    If ISP X has some number of customers infected with spam bots, ISP Y assuredly has a similar number of such customers. If all those bots send spam only externally, both ISPs X & Y will feel similar effects from spam bots. In order stave off such spamming attacks, the only possible solution is one involving cooperation.

    ISP X cannot say ‘well, this is only hurting ISPs W,Y, and Z, so I need not address the problem,’ since then all the other ISPs could ignore the problem as well (or worse yet form a coalition without X, allowing only spam directed to ISP X to propagate).

    This is one of those real-life manifestations of the prisoner’s dilemma. Perhaps one ISP (if it is big enough) can cause harm to the competition by ignoring those clever bots on it’s network, and in this way it can ‘win’. But no ISP is big enough to ignore incoming spam from all others, so this win is inconsequential compared to the load from all that spam. If the ISPs can get together on this issue, they can all win big.

  4. An interesting paper on spam-blocking economic incentives was presented at WEIS05 by Richard Clayton (co-authored by Andrei Serjantov). They specifically consider the incentive structure facing ISPs considering the blocking of Spam sent by bot-infected hosts on their networks. It is (IMHO) an excellent paper.



  5. Paradoxically, blocklists are one of the least popular anti-spam measures, but also one of the most effective in terms of influencing ISPs directly, according to this model.

    By listing ISP X in response to massive spam origination, the blocklist both helps other ISPs and recipients avoid the X-originated spam pollution, and also gives X a compelling economic reason to clean things up (because their mail is no longer getting through).

    The more reckless blocklists have occasionally taken the approach of listing ISPs’ entire IP ranges; Spamhaus, as a more considered blocklist, generally just lists the ISP’s corporate mailservers (in other words, not blocking customer traffic, just the corporate stuff). By blocking the corporate traffic, the only ones who feel the economic pressure are the ISP’s own staff.

    An interesting recent development is that AOL is now taking this action, too. A poorly-policed ISP “neighbourhood” is likely to find itself unable to communicate with AOL via email — and that’s possibly the most serious problem an ISP can face in the email world, when it comes to their customers’ satisfaction levels.

  6. “since removing the bot would lower costs for the ISP’s competitors, leading to tougher price competition and lower profits for the ISP.”

    Prof. Felton, you either must be speaking to dial-up ISPs where there is still competition, or you are assuming competition in the broadband area – in reality, most of the U.S. only has a choice of one or two broadband ISPs, three if they are lucky.

    I don’t think there are enough competitors in broadband space to make that comment true.

  7. Of course, all of this assumes that the ISP can unintrusively detect what traffic is due to a spam bot.

    I imagine spam bots will evolve to generate a diverse sequence of messages. That will make it hard for the ISP to distinguish from actual email from the user. For example, think of a bot that connects back to some central server(s) that have 5000 different ads on them. The bot picks up an ad, inserts it in the email message and sends it out. User 1 sends out 50 distinct ads. User 2 sends out a different 50 ads. And so on. What’s the ISP going to pick up on?

  8. i believe we have more than 2 computers infected with spam bots in out local network. advertising is being recieved by other machines with the ip address prefixes that match our web sites and firewall. does anyone have any information on how to locate the infected machines and how to remove the bot? it is now starting to overload our e-mail server

  9. Log the IP address of the offending spammer. You can then block that IP from spamming through your IP.