Detecting SPAM Bots on the Network - Thoughts?

The question came up today about using ExtraHop to detect SPAM bots on an internal network monitored by ExtraHop.

What approach would you take?

One thought is to use a trigger and look at the SMTP Request event and pull the Subject out of the SMTP.Header object. Look for a large number of a given subject over 30 seconds, the idea being one message being spammed out to hundreds of recipients quickly.

Any other thoughts?


A couple of additions to your good idea.

  1. Bots will use DNS to resolve.

  2. This could be either a local DNS server, or a hard-coded one that the spammers own.

  3. The ExtraHop is able to see these resolution attempts on the data feed.

So a way to increase the probability of identifying a spam bot could include the following ideas:

  • If a bot is spamming, you’ll likely see a bunch of MX record lookups. Normal LAN hosts will usually do plain old A record lookups for their local mail host. So MX lookup spikes could tip off bad activity.

  • You could geo-map SMTP destinations. If you see patterns you don’t expect, you could be looking at a spam bot.

That’s all that jumps out at me, at least for now. Keep the ideas coming!
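As an added illustration of the two detection ideas in this thread (not code from the posts or from ExtraHop's trigger API): a sliding-window detector that flags a host sending one SMTP subject many times within 30 seconds, and a host issuing a burst of DNS MX lookups. The event record shape, hosts, subjects and thresholds are all constructed assumptions; in a real deployment the records would come from the SMTP and DNS events your monitoring feed exposes.

```javascript
// Added example: sliding-window burst detection over constructed SMTP/DNS events.
const WINDOW_MS = 30 * 1000;

// Constructed sample events; ts is milliseconds.
const events = [
  // 10.0.0.5 blasts one subject to 120 recipients in 12 seconds.
  ...Array.from({ length: 120 }, (_, i) => ({
    type: "smtp", ts: 1000 + i * 100, client: "10.0.0.5",
    subject: "You won a prize!!!", rcpt: `user${i}@example.net` })),
  // The same host resolves MX records for 60 domains (bots look up targets' MX).
  ...Array.from({ length: 60 }, (_, i) => ({
    type: "dns", ts: 900 + i * 150, client: "10.0.0.5", qtype: "MX",
    qname: `dom${i}.example.net` })),
  // A normal host: two distinct subjects and an A lookup of the local relay.
  { type: "smtp", ts: 2000, client: "10.0.0.9", subject: "Q3 report", rcpt: "a@example.com" },
  { type: "smtp", ts: 9000, client: "10.0.0.9", subject: "Lunch?", rcpt: "b@example.com" },
  { type: "dns", ts: 1900, client: "10.0.0.9", qtype: "A", qname: "mail.corp.example" },
];

// For each (client, key) pair, the most events seen in any WINDOW_MS window.
// keyFn returns what to count (a subject, or "MX"), or null to skip the event.
function peakRate(events, keyFn, windowMs = WINDOW_MS) {
  const buckets = new Map(); // "client\0key" -> { client, key, ts: [] }
  for (const e of events) {
    const key = keyFn(e);
    if (key === null) continue;
    const id = `${e.client}\0${key}`;
    if (!buckets.has(id)) buckets.set(id, { client: e.client, key, ts: [] });
    buckets.get(id).ts.push(e.ts);
  }
  return [...buckets.values()].map((b) => {
    b.ts.sort((a, c) => a - c);
    let peak = 0, lo = 0;
    for (let hi = 0; hi < b.ts.length; hi++) {
      while (b.ts[hi] - b.ts[lo] > windowMs) lo++; // slide the window start forward
      peak = Math.max(peak, hi - lo + 1);
    }
    return { client: b.client, key: b.key, peak };
  });
}

// Flag clients crossing either threshold; thresholds are assumptions to tune against a LAN baseline.
function detectSpamBots(events, { subjectThreshold = 100, mxThreshold = 50 } = {}) {
  const alerts = [];
  for (const r of peakRate(events, (e) => (e.type === "smtp" ? e.subject : null)))
    if (r.peak >= subjectThreshold)
      alerts.push({ client: r.client, reason: `subject "${r.key}" sent ${r.peak}x in 30s` });
  for (const r of peakRate(events, (e) => (e.type === "dns" && e.qtype === "MX" ? "MX" : null)))
    if (r.peak >= mxThreshold)
      alerts.push({ client: r.client, reason: `${r.peak} MX lookups in 30s` });
  return alerts;
}
```

Running `detectSpamBots(events)` on the constructed data flags only 10.0.0.5, once for the repeated subject and once for the MX burst; the normal host produces no alert.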