  • DocumentCode
    2898129
  • Title
    Evaluating email’s feasibility for botnet command and control
  • Author
    Singh, Kapil ; Srivastava, Abhinav ; Giffin, Jonathon ; Lee, Wenke
  • Author_Institution
    Sch. of Comput. Sci., Georgia Inst. of Technol., Atlanta, GA
  • fYear
    2008
  • fDate
    24-27 June 2008
  • Firstpage
    376
  • Lastpage
    385
  • Abstract
    The usefulness of email has been tempered by its role in the widespread distribution of spam and malicious content. Security solutions have focused on filtering out malicious payloads and weblinks from email; the potential dangers of email go past these boundaries: harmless-looking emails can carry dangerous, hidden botnet content. In this paper, we evaluate the suitability of email communication for botnet command and control. What makes email-based botnets interesting is the lack of clear detection and mitigation strategies that defenders could use to disrupt the botnet. We first demonstrate that botnet commands can remain hidden in spam due to its enormous volume. If email providers deploy specialized detection of spam-based botnets, botmasters can alternatively communicate with bots via non-spam email that cannot be safely discarded. We show the viability of such communication by means of simulations and a prototype, and we discuss the limited prospects for detection of email botnets.
  • Keywords
    security of data; unsolicited e-mail; botmasters; botnet command and control; email communication; email feasibility; email-based botnets; hidden botnet content; malicious content; malicious payloads; spam; weblinks; Command and control systems; Communication system control; Computer science; Electronic mail; Information filtering; Information filters; Internet; Payloads; Prototypes; Unsolicited electronic mail;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Dependable Systems and Networks With FTCS and DCC, 2008. DSN 2008. IEEE International Conference on
  • Conference_Location
    Anchorage, AK
  • Print_ISBN
    978-1-4244-2397-2
  • Electronic_ISBN
    978-1-4244-2398-9
  • Type
    conf
  • DOI
    10.1109/DSN.2008.4630106
  • Filename
    4630106