Ratware: What It Is and How It Works

How spammers are using software to hijack your email


Ratware is software that automates, generates, and sends spam email in bulk. Spammers use this tool to send email messages that advertise products and services or attempt to lure recipients into phishing scams. Ratware falsifies (or spoofs) the email address from which it sends the spam. The falsified source address is either a legitimate email address or an address in an impossible format.

The Purpose of Ratware

Ratware is often used in conjunction with other types of malicious software, such as botnet remote control software, harvesting software, and dictionary software, to:

  • Furtively connect to internet servers or private internet-connected computers, and take over their email systems temporarily.
  • Send massive numbers of emails in a very short time from those hijacked computers.
  • Disconnect and mask any digital trail of their actions.
  • Do the above three actions automatically and repeatedly.

Examples of Ratware Subject Lines

Once you see some email subject lines generated by ratware, you'll recognize them easily. Here are a few examples:

  • We carry the most popular medications (peddling pharmaceuticals)
  • You've been sent an Insta-Kiss (phishing scam to steal your identity information)
  • F R E E 60-Second MORTGAGE qualification (identity theft)
  • HURRY HURRY hot stock about to go through the roof (pump and dump email scams)

How Ratware Works

To be most effective, ratware needs to be covert, and it needs to send mass volumes of messages. To achieve secrecy, ratware has used port 25 to bypass most internet service provider (ISP) email blocks. About half of the private ISPs now tightly monitor and control port 25.

However, locking down port 25 restricts business customers from running their own email services for their employees. Many ISPs with large business customers have opted to leave port 25 open for their legitimate customers, and use other firewall techniques to thwart spammers who attempt to get onto their networks and send spam.

Because of port 25 restrictions and other defenses, spammers have moved to other means of sending their spam and phishing emails. Forty percent of successful ratware spammers also deploy zombie and bot computers, which are personal computers that are temporarily converted into spam tools without the knowledge or permission of their owners.

With worm programs such as Sobig, MyDoom, and Bagle, spammers sneak onto private computers and infect those machines. These worm programs open secret doorways that allow spammer-commissioned hackers to take remote control of machines and turn them into robotic spam weapons. The hackers get paid from 15 cents to 40 cents for each zombie computer they acquire for their spammer employer. Ratware is then unleashed through these zombie machines.

Because less than 0.25 percent of spam emails are successful in winning a customer or deceiving a reader, ratware must send large amounts of spam emails before it becomes effective. That's why ratware uses text generation programs that send spam messages to lists of email addresses. The minimum successful batch is about 50,000 emails in a single burst. Some ratware, depending on the kinds of computers it hijacks, can send over two million messages in ten minutes.
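A defender's view of the zombie behavior described above, as an added example that is not part of the original article: a sketch that scans connection logs for machines, other than the sanctioned mail relay, that open bursts of port 25 connections. The log format, IP addresses, relay list, window, and threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMTP_PORT = 25
ALLOWED_RELAYS = {"10.0.0.5"}      # assumption: the site's only sanctioned mail relay
WINDOW = timedelta(seconds=60)     # assumption: sliding window length
THRESHOLD = 20                     # assumption: max port-25 connections per window


def parse_flow(line):
    """Parse 'ISO-timestamp src_ip dst_ip dst_port' (constructed log format)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_smtp_bursts(lines):
    """Return {src_ip: peak connections per window} for hosts over THRESHOLD."""
    recent = defaultdict(deque)    # src_ip -> port-25 timestamps inside the window
    peaks = {}
    for ts, src, _dst, port in sorted(parse_flow(l) for l in lines if l.strip()):
        if port != SMTP_PORT or src in ALLOWED_RELAYS:
            continue               # ignore non-SMTP traffic and the real relay
        window = recent[src]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()       # drop connections older than the window
        if len(window) > THRESHOLD:
            peaks[src] = max(peaks.get(src, 0), len(window))
    return peaks


def sample_flows():
    """Constructed sample data: one relay, one bursting host, one quiet host."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    flows = []
    for i in range(40):            # sanctioned relay: heavy port 25 use is expected
        ts = (base + timedelta(seconds=i)).isoformat()
        flows.append(f"{ts} 10.0.0.5 198.51.100.{i + 1} 25")
    for i in range(30):            # workstation opening 30 SMTP connections in 30 s
        ts = (base + timedelta(seconds=i)).isoformat()
        flows.append(f"{ts} 10.0.0.23 203.0.113.{i + 1} 25")
    # workstation with ordinary web traffic and a single SMTP connection
    flows.append(f"{base.isoformat()} 10.0.0.42 192.0.2.10 443")
    flows.append(f"{base.isoformat()} 10.0.0.42 192.0.2.25 25")
    return flows


if __name__ == "__main__":
    for host, peak in find_smtp_bursts(sample_flows()).items():
        print(f"{host}: {peak} port-25 connections within {WINDOW.seconds}s")
```

Only the workstation at 10.0.0.23 is reported; the relay is exempt by policy, and a single SMTP connection stays under the threshold.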

Where Ratware Comes From

Ratware tools can't be found by searching Google or Amazon. These products are secret and are often custom-made applications created by talented but unethical programmers. Once developed, successful ratware programs are sold privately.

Because ratware is illegal and violates the CAN-SPAM Act, programmers only give it to those who pay them enough to make the illegal venture worthwhile.

While many spammers get away with their crimes, Jeremy Jaynes and Alan Ralsky are two famous spammers who were convicted. Before they were convicted, though, they earned over one million dollars in illegal profit from spam.