The research paper Spamming Botnets: Signatures and Characteristics describes a forensic method for analyzing email server traffic to recognize spam originating from botnets and to detect botnet-infected hosts. While, as of the paper's publication, no effort had been made to build a real-time version of the algorithm, the uses of such a tool are very intriguing. Some possible uses include:
- An email service could better screen spam email as it arrives. The researchers found that the email patterns of botnet spam campaigns were highly correlated with those of campaigns that had occurred within the preceding month.
- Researchers or whitehat hackers could use the information to discover botnet control servers and help bring them down faster.
- An ISP could learn which hosts it provides services to that are under botnet influence. It could contact its customers directly about the issue or otherwise add firewall rules to disrupt the communication between infected hosts and their control servers.
- An email service could contact a host suspected of botnet infection and warn its owner that it recently sent a fishy email. The user could then confirm with the email service that they did in fact send a legitimate email, or otherwise take steps to purge their machine of botnet influence.
Of all the uses of such a botnet detector, the latter two seem the most interesting because they allow ISPs and other services to deal with the botnet problem from the side of the infected hosts' owners, who are themselves victims, in a legal and ethical manner. The increase in accurate spam filtering and the reconnaissance information that could be provided to security researchers also seem very valuable.
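To make the first and third uses above concrete, here is a small toy detector written for this post; it is not the paper's own AutoRE code. It follows the paper's general observation that botnet spam campaigns share a URL pattern and are sent by many distinct hosts across many networks within a short burst, but the signature rule (masking digit runs in the URL), the thresholds, the /24 grouping, and the mail-log records below are all my own assumptions, constructed for illustration.

```python
"""Toy real-time botnet-spam campaign detector (illustrative, not the paper's AutoRE)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample mail-server records: (UTC timestamp, sender IP, first URL in body).
# Addresses are from documentation ranges; the campaign and newsletter are made up.
SAMPLE_LOG = [
    ("2008-03-01T10:00:05", "203.0.113.10", "http://cheap-pills.example/buy?id=8812"),
    ("2008-03-01T10:00:41", "198.51.100.77", "http://cheap-pills.example/buy?id=9031"),
    ("2008-03-01T10:01:12", "192.0.2.200", "http://cheap-pills.example/buy?id=1174"),
    ("2008-03-01T10:02:03", "203.0.113.42", "http://cheap-pills.example/buy?id=5560"),
    ("2008-03-01T10:03:30", "198.51.100.9", "http://cheap-pills.example/buy?id=2208"),
    # A legitimate bulk sender: one host, one network, repeated over time.
    ("2008-03-01T10:05:00", "192.0.2.15", "http://newsletter.example/issue/42"),
    ("2008-03-01T10:06:00", "192.0.2.15", "http://newsletter.example/issue/42"),
    ("2008-03-01T10:07:00", "192.0.2.15", "http://newsletter.example/issue/42"),
    ("2008-03-01T10:08:00", "192.0.2.15", "http://newsletter.example/issue/42"),
    ("2008-03-01T10:09:00", "192.0.2.15", "http://newsletter.example/issue/42"),
]


def url_signature(url: str) -> str:
    """Assumed signature rule: collapse every run of digits so that per-recipient
    tracking numbers in a campaign's URLs map to one campaign key."""
    return re.sub(r"\d+", r"\\d+", url)


def prefix24(ip: str) -> str:
    """Coarse proxy for 'different network': the /24 containing the sender."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def detect_campaigns(records, window=timedelta(minutes=10),
                     min_senders=5, min_prefixes=3):
    """Return {signature: set_of_sender_ips} for every URL signature that was sent
    by at least `min_senders` distinct hosts spanning at least `min_prefixes`
    distinct /24s inside any `window`-long interval. A single host mailing the
    same URL repeatedly (a newsletter) never meets the distinct-sender bar."""
    by_sig = defaultdict(list)
    for ts, ip, url in records:
        by_sig[url_signature(url)].append((datetime.fromisoformat(ts), ip))
    flagged = {}
    for sig, events in by_sig.items():
        events.sort()  # by timestamp, so a window is a contiguous slice
        for start in range(len(events)):
            t0 = events[start][0]
            senders = {ip for t, ip in events[start:] if t - t0 <= window}
            prefixes = {prefix24(ip) for ip in senders}
            if len(senders) >= min_senders and len(prefixes) >= min_prefixes:
                flagged[sig] = senders
                break
    return flagged


def suspect_hosts(flagged, own_networks):
    """The ISP use case: of all hosts seen in flagged campaigns, return those that
    fall inside the operator's own address ranges and are candidates for customer
    notification or targeted filtering."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    return {ip for senders in flagged.values() for ip in senders
            if any(ipaddress.ip_address(ip) in n for n in nets)}


def matches_known_campaign(url: str, known_signatures) -> bool:
    """The mail-filtering use case: a newly arriving message whose URL matches a
    signature flagged in the recent past is screened on arrival."""
    return url_signature(url) in known_signatures


if __name__ == "__main__":
    campaigns = detect_campaigns(SAMPLE_LOG)
    for sig, ips in campaigns.items():
        print(f"campaign {sig}: {len(ips)} distinct senders")
    print("hosts to notify:", sorted(suspect_hosts(campaigns, ["203.0.113.0/24"])))
    print("new mail flagged:",
          matches_known_campaign("http://cheap-pills.example/buy?id=777", set(campaigns)))
```

In a deployment the window and thresholds would be tuned against the operator's own traffic, and the distinct-network test would use autonomous-system or customer data rather than bare /24s; the structure (signature, burst window, distributed senders, then per-host follow-up) is what carries over.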