Ratware: What It Is and How It Works

How spammers are using software to hijack your email


Ratware is the colorful name that refers to any software that automates, generates, and sends spam email in bulk. Professional spammers use this tool to send email messages that advertise products and services or attempt to lure you into email phishing scams.

Ratware usually falsifies (spoofs) the email address from which it sends the spam. These false source addresses often use a legitimate person's email address (e.g. FrankGillian@comcast.net), or an impossible format such as twpvhoeks@ or qatt8303@ (a local part with no domain). Spoofed source addresses are one of the telltale signs that you've been targeted by ratware.
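As an added defensive illustration (not code from the original article), the following Python flags the impossible-format From addresses described above. The Return-Path comparison is an extra heuristic of mine, not something the article states, and the sample messages are constructed.

```python
import re
from email import message_from_string

# A deliverable address needs a local part, "@", and a domain containing a dot.
# The article's examples "twpvhoeks@" and "qatt8303@" fail this test.
ADDR_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")


def extract_address(header_value: str) -> str:
    """Pull the bare address out of 'Name <addr>' or a bare 'addr' header."""
    match = re.search(r"<([^>]*)>", header_value)
    return (match.group(1) if match else header_value).strip()


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_findings(raw_message: str) -> list:
    """Return reasons the sender looks spoofed; an empty list means no finding."""
    msg = message_from_string(raw_message)
    from_addr = extract_address(msg.get("From", ""))
    return_path = extract_address(msg.get("Return-Path", ""))
    findings = []
    if not ADDR_RE.match(from_addr):
        findings.append(f"impossible From address: {from_addr!r}")
    # Hypothetical extra heuristic (not from the article): the visible From
    # domain differs from the envelope sender recorded in Return-Path. Mailing
    # lists and forwarders do this legitimately, so treat it as a weak signal.
    elif return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append(f"From domain {domain_of(from_addr)!r} differs from "
                        f"Return-Path domain {domain_of(return_path)!r}")
    return findings


# Constructed sample messages for the two cases.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.example>
From: twpvhoeks@
Subject: We carry the most popular medications

Buy now.
"""
CLEAN_MESSAGE = """\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
Subject: Lunch tomorrow?

See you at noon.
"""
```

Run `sender_findings(SPOOFED_MESSAGE)` to see the finding and `sender_findings(CLEAN_MESSAGE)` to see an empty list.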

The Purpose of Ratware

Ratware exists to achieve four objectives:

  1. Furtively connect to internet servers or private internet-connected computers, and take over their email systems temporarily.
  2. Send massive numbers of emails in a very short time from those hijacked computers.
  3. Disconnect and mask any digital trail of their actions.
  4. Do the above three actions automatically and repeatedly.

Ratware is often used in conjunction with other types of malicious software, such as botnet remote control software, harvesting software, and dictionary software.

Examples of Ratware Subject Lines

Once you see some examples of email subject lines generated by ratware, you'll be able to recognize them more easily. Here are a few:

  • "We carry the most popular medications" (peddling pharmaceuticals)
  • "You've been sent an Insta-Kiss" (phishing scam to steal your identity information)
  • "STEAMY HOT LESBIAN ACTION LIVE ON CAMERA" (peddling pornography)
  • "F R E E 60-Second MORTGAGE qualification" (identity theft)
  • "HURRY HURRY hot stock about to go through the roof" (pump and dump email scams)

How Ratware Works

To be most effective, ratware needs to be covert, and it needs to send mass volumes of messages. To achieve secrecy, ratware has in the past used port 25 (the standard SMTP port) to bypass most internet service provider (ISP) email blocks. In the last five years, port 25 has become tightly monitored and controlled by about half of the private ISPs.

However, locking down port 25 restricts business customers from running their own email services for their employees. Many ISPs with large business customers have opted to leave port 25 open for their legitimate customers, and use other firewall techniques to thwart spammers who attempt to get onto their networks and send spam.

Because of port 25 restrictions and other defenses, spammers have had to evolve other means of sending their insidious emails. Forty percent of successful ratware spammers also deploy zombie and bot computers, which are personal computers that are temporarily converted into spam tools without the knowledge or permission of their owners.

With worm programs like Sobig, MyDoom, and Bagle, spammers sneak onto people's private computers and infect their machines. These worm programs open secret "doorways" that allow spammer-commissioned hackers to take remote control of victims' machines and turn them into robotic spam weapons. The hackers get paid from 15 cents to 40 cents for each zombie computer they can acquire for their spammer employer. Ratware is then unleashed via these zombie machines.

Because less than 0.25 percent of spam emails are ever successful in winning a customer or deceiving a reader, ratware must send mass amounts of spam emails before it becomes effective. That's why ratware uses text-generation programs that take massive lists of email addresses and send a spam message to each one. The minimum successful batch is about 50,000 emails in a single burst. Some ratware, depending on the kinds of computers it hijacks, can send over two million messages in ten minutes. Only at these volumes does spamming become profitable in peddling its pharmaceuticals, pornography, or phishing scams.

Where Ratware Comes From

You won't find ratware tools by googling them or searching on Amazon. These products are secret, often custom-made applications created by talented but unethical programmers. Once developed, successful ratware programs are sold privately.

Because ratware is illegal and contravenes the CAN-SPAM Act, programmers only give it to those who pay them enough to make the illegal venture worthwhile.

While many spammers get away with their crimes, Jeremy Jaynes and Alan Ralsky are two famous spammers who were convicted. Before they were convicted, though, they earned over one million dollars in illegal profit from spam.