
Re: [Asrg] Countering Botnets to Reduce Spam

2012-12-14 11:45:14
On Fri, Dec 14, 2012 at 10:08:48AM -0500, Chris Lewis wrote:
> Compromised Linux machines (mostly servers) are now responsible for ~40%
> of all spam.
>
> The actual _count_ of compromised Linux machines is indeed quite low.
> Say 62K out of 8.6M observed compromised machines.  About .72%. Two 9's ;-)

I believe you.  This suggests two possibilities:

1. Something's broken somewhere in my experimental design between data
acquisition and statistical analysis.

or

2. We're talking apples and oranges and that's why our numbers are so
different.  To clarify: I'm not trying to measure spam volume, just
the number of systems (and their OS types).  And to clarify further:
I classify a system as a bot if it meets a set of criteria that includes
more than sending spam: I may also classify it as a bot if it's doing
brute-force SSH/FTP/IMAP/etc. attacks, if it's doing port scans, etc.
(The "may" is there because some systems engaged in these activities don't
appear to be bots.  Of course that's a judgment call and I'm sure I make
FP and FN mistakes.)

For example, if 190.147.78.102 (Static-IP-cr19014778102.cable.net.co,
thus probably in Colombia) makes 133 different IMAP login attempts,
I'm going to conclude that it's not a bored user in Bogota with
nothing better to do, it's most likely a bot doing that.

Do you think #2 explains the difference in our numbers, or do I have
to make a LOT of coffee and dig into #1?

---rsk
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
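The message above classifies a source as a bot from its behaviour (for instance 133 IMAP login attempts from one address) rather than from spam volume, and notes that the call involves false positives and false negatives. The following is an added example, not code from the original thread or from either of its authors: a small classifier that reads Dovecot-style IMAP auth log lines, counts failed logins and distinct target usernames per source IP, and separates a credential-stuffing source from a misconfigured client that keeps retrying one stale password. The log lines are constructed here, the thresholds (20 failures, 5 distinct users) are illustrative assumptions, and the poster's actual criteria are not stated in the thread.

```python
"""Behavioural bot classifier over IMAP auth logs (added example, not the poster's code).

Assumptions: Dovecot-style "imap-login" lines, constructed sample data, and
illustrative thresholds; the original poster does not disclose his criteria.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Matches both successful logins and "auth failed" disconnects and pulls out
# the timestamp, the target user and the remote IP (rip=...).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dovecot:\s+imap-login:\s+"
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)):\s+"
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>\d+\.\d+\.\d+\.\d+)"
)

FAIL_THRESHOLD = 20   # assumed illustrative threshold, not from the thread
USER_THRESHOLD = 5    # distinct target accounts before we call it a bot


@dataclass
class SourceStats:
    failed: int = 0
    succeeded: int = 0
    users: set = field(default_factory=set)   # distinct usernames that failed
    first: str = ""
    last: str = ""


def parse_line(line):
    """Return a dict of ts/event/user/rip for a recognised line, else None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate per-source-IP statistics over an iterable of log lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unrelated log line, ignore
        s = stats[rec["rip"]]
        if rec["event"].startswith("Login"):
            s.succeeded += 1
        else:
            s.failed += 1
            s.users.add(rec["user"])
        s.first = s.first or rec["ts"]
        s.last = rec["ts"]
    return stats


def classify(s):
    """Judgment call: many failures spread over many accounts looks like a bot;
    many failures against one account may just be a client with a stale password."""
    if s.failed >= FAIL_THRESHOLD and len(s.users) >= USER_THRESHOLD:
        return "likely-bot"
    if s.failed >= FAIL_THRESHOLD:
        return "suspicious"               # needs a human look: possible false positive
    return "benign"


def classify_log(text):
    """Map each source IP seen in the log text to a verdict."""
    return {ip: classify(s) for ip, s in summarize(text.splitlines()).items()}


def _constructed_log():
    """Constructed sample data (documentation-range addresses, not real traffic)."""
    lines = [
        "Dec 14 10:01:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
        "user=<alice>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.10, TLS",
        "Dec 14 10:01:09 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
        "rip=203.0.113.5, lip=198.51.100.10, TLS",
    ]
    # One source trying 133 different usernames: the pattern the poster describes.
    for i in range(133):
        lines.append(
            f"Dec 14 10:{5 + i // 60:02d}:{i % 60:02d} mx dovecot: imap-login: "
            f"Disconnected (auth failed, 1 attempts in 1 secs): user=<user{i:03d}>, "
            f"method=PLAIN, rip=192.0.2.77, lip=198.51.100.10"
        )
    # A broken mail client hammering a single account: the false-positive trap.
    for i in range(30):
        lines.append(
            f"Dec 14 11:{i:02d}:00 mx dovecot: imap-login: "
            f"Disconnected (auth failed, 1 attempts in 4 secs): user=<bob>, "
            f"method=PLAIN, rip=198.51.100.23, lip=198.51.100.10"
        )
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:16} failed={s.failed:4} users={len(s.users):4} "
              f"ok={s.succeeded} {s.first}..{s.last} -> {classify(s)}")
```

The "suspicious" verdict is the point of the second threshold: a count of failures alone would flag the single-account retry loop just as loudly as the 133-username sweep, and that is exactly the kind of FP the message warns about. In production the distinct-user dimension would be joined with port-scan and SMTP data from the same source before counting it as a bot.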