If you are looking for a botnet design, here is another that visited and gave me all the information needed. This is published for those who are using IP blocking. If you have one IP in this mix, block them all, because they all come from the same control system. FYI, it's not nice to send Pharma Spam to me. It is the spam of my choice to detect. Pick something like Vacation Spam or similar; Pharma spam is so boring.

Control 94.23.1.28 Date 7-19-2012 Active

This control has more than 2 small botnets and very creative story lines. 
Scrambles 1 word typically within the first 100 characters of each spam.
Very good English with reference to Dutch from time to time.
List is in order of post network usage.


7-20-2012 37.130.230.217

That's all for this round and this small botnet.
The controller will return 3 times after the last bot then end the series.

Technical Notes: This network was detected by the XCtM Project Pattern Matching script. 

The pattern here was a 4th and 5th word spelling issue. Interestingly enough, the spam was a story in perfect English except for the 4th, sometimes the 5th, word, which was completely out of place. The pattern matched the Control and the IP sequence you see above, which flagged it for follow-up. The words were then pattern matched, which revealed the one word out of place. The story was then pattern matched as "Human Related" until the last post, which was a spam link. The stories used keywords of the site and offered empathy, a reason and a solution, as a good sales pitch would. This was used to attract readers to follow the thread. Very easy to overlook if not monitored.

The next pattern match was time of day: Weekday, 11PM to 11:20PM, which ended once it was blocked completely. The IP list alternated order but the user agent never changed. I didn't publish the user agent in this article because of ongoing interest in the pattern used.
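The three signals described above (an odd 4th or 5th word, the weekday 11PM to 11:20PM window, and one user agent shared across rotating IPs) can be correlated as in the following added example, which is not the XCtM Project script. The post records, the user agent strings, the documentation-range IPs, the vocabulary and the use of "not in vocabulary" as a stand-in for "out of place" are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, time

WINDOW = (time(23, 0), time(23, 20))  # posting window reported on the page
ODD_POSITIONS = (3, 4)                # 4th and 5th word, zero-based

def in_window(ts):
    """True for Monday-Friday timestamps between 11PM and 11:20PM."""
    return ts.weekday() < 5 and WINDOW[0] <= ts.time() <= WINDOW[1]

def odd_word(text, vocab):
    """True if the 4th or 5th word is not in the site's vocabulary (assumed heuristic)."""
    words = [w.strip('.,!?"').lower() for w in text.split()]
    return any(i < len(words) and words[i] not in vocab for i in ODD_POSITIONS)

def cluster_ips(posts, vocab, min_ips=3):
    """Group matching posts by user agent and return {ua: sorted IPs} for
    agents seen from at least min_ips addresses, so the whole set is blocked."""
    by_ua = defaultdict(set)
    for p in posts:
        if in_window(p["ts"]) and odd_word(p["text"], vocab):
            by_ua[p["ua"]].add(p["ip"])
    return {ua: sorted(ips) for ua, ips in by_ua.items() if len(ips) >= min_ips}

# Constructed sample data: hypothetical user agents and RFC 5737 addresses.
VOCAB = {"very", "sick", "feeling", "remedy", "and"}
POSTS = [
    {"ip": "192.0.2.10", "ua": "ExampleAgent/1.0",
     "ts": datetime(2012, 7, 19, 23, 2), "text": "My dog was flarn sick last winter"},
    {"ip": "198.51.100.7", "ua": "ExampleAgent/1.0",
     "ts": datetime(2012, 7, 19, 23, 9), "text": "I have been feeling grobble since the move"},
    {"ip": "203.0.113.5", "ua": "ExampleAgent/1.0",
     "ts": datetime(2012, 7, 19, 23, 17), "text": "We tried this plimth remedy and it helped"},
    # Ordinary visitor inside the window: clean text, different user agent.
    {"ip": "192.0.2.99", "ua": "OtherBrowser/2.0",
     "ts": datetime(2012, 7, 19, 23, 5), "text": "My dog was very sick last winter"},
    # Same user agent on a Saturday: outside the weekday window, so ignored.
    {"ip": "203.0.113.77", "ua": "ExampleAgent/1.0",
     "ts": datetime(2012, 7, 21, 23, 5), "text": "My dog was flarn sick last winter"},
]

if __name__ == "__main__":
    for ua, ips in cluster_ips(POSTS, VOCAB).items():
        print(ua, "->", ", ".join(ips))
```

Requiring all three signals together keeps a single visitor who happens to post late at night, or who misspells one word, out of the block list.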

 
