On the Difficulty of Counting Spam Sources
A great deal of spam comes from botnets and there is considerable interest in arranging for the bots (the compromised machines) to be made secure. In practice, the owner of the compromised machine can only be contacted via their ISP, and their helpfulness is known to vary. This variation has led to attempts to count the bots on particular networks and thereby assess the ISP's reputation. This paper presents a model for bot incidence and explains the measurement difficulties that arise from not only from the ebb and flow of botnet membership, but also from the dynamic nature of the spam sending, and the use of dynamic IP addresses.