Hi,

#Let's assume that 75% of spam is sent via hijacked zombie machines. This
#would mean that to get 7.5 billion spams/day at 20 msgs/day/zombie,
#you'd need several hundred million compromised machines.

20 messages/day/zombie is way too low an estimate (by multiple orders of magnitude).

#And even though the average machine is woefully insecure, there's not THAT
#many zombies.

I'm currently tracking right around 2.5 million listed open proxies/spam zombies. Data I'm receiving from typical mid-sized ISPs includes 300K or so unique blocked dotted quads/week, of which maybe half are listed on one or more of the open proxy/spam zombie DNSBLs I track.

So take the number from that you like best:

-- 2.5 million listed open hosts
-- 300K unique blocked dotted quads/week
-- 150K or so of those unique blocked dotted quads which are listed on DNSBLs

I see no indication that the number of compromised hosts seen per week is decreasing, and of course, because compromised hosts are not getting cleaned and taken off the air in many cases, the total pool of compromised hosts is steadily increasing. (And those "old timer"/"well known" compromised hosts, while blocked from sending email to most sites that use DNSBLs, still represent a source of potential attack traffic, etc.)

#On the other hand, 20K msgs/day/zombie is only about 1 every 4 seconds,
#not enough to make the average cablemodem user notice - and reduces the
#number of zombies down to several million - a much more plausible number.

As a lower bound, assume modem-like throughput of 40Kbps, and typical spam message size of what, maybe 5K? That would amount to a message a second, or 86,400/day/host assuming an around-the-clock uniform distribution (probably not a valid assumption, but then again, upstream throughput from broadband connected hosts will generally exceed 40Kbps).
If you wanted to deliver 7,500,000,000 pieces of spam a day at that rate, that would imply use of order(~100,000) freshly compromised hosts at any given time, a figure which I find quite plausible/conservative/consistent with the data I'm seeing.

(And in fact, you can model the release of new virii/worms (intended to create new batches of compromised hosts) based on compromised host "harvest requirements," just like forecasting the demand for soybeans or steel or any other commodity)

Spam's a big business, and compromised hosts are a fundamental input which are being efficiently supplied by the market as far as I can tell.

Regards,

Joe