SleepyEgg


Researchers jail spam bots, reverse engineer their payload


If you have access to a server-side spam mailbox, you're likely to find it filled with sets of messages that are variations on a theme: similar products, similar sites offering them, but a dizzying variety in the precise wording. According to security researchers, there's a simple reason for this: to simplify farming out spam campaigns to a botnet, spammers are using templates for messages, with the variations in the body created by text macros that insert random characters or words from a limited dictionary (think Mad Libs meets Viagra). Now, researchers are turning this feature against the spammers by creating software, called Botnet Judo, that uses collections of spam to reverse-engineer the template, then filters anything that matches it.

In a few cases, such as the Storm botnet, which the researchers have worked on previously, security experts have been able to reconstruct the use of templates and macros. The material is generally sent by the botnet's command and control system, and then used to generate hundreds of thousands of messages. In some cases, the macros simply produce random characters in specific locations in the body or header information. In others, they place a word from a limited dictionary in specific locations—the paper describing Botnet Judo gives the example of placing one of "gucci", "prada", or "chanel" in a specific location of a spam for counterfeit luxury goods.
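As an added illustration (not code from the Botnet Judo paper or its authors), the following Python sketch infers a template from constructed sample messages and then filters on it. It assumes every message from one template has the same number of whitespace-separated tokens; the function names and the dictionary threshold are hypothetical.

```python
import re

# Constructed sample spam bodies (not real captured messages).
SAMPLES = [
    "Buy gucci bags today ref xk3f9a at our store",
    "Buy prada bags today ref 9qz2lm at our store",
    "Buy chanel bags today ref p07wte at our store",
    "Buy gucci bags today ref m4d8yy at our store",
    "Buy prada bags today ref zz81ko at our store",
    "Buy chanel bags today ref a3b5c7 at our store",
]

def infer_template(samples):
    """Classify each token position as literal, dictionary or random."""
    rows = [s.split() for s in samples]
    if len({len(r) for r in rows}) != 1:
        raise ValueError("samples do not align token-for-token")
    template = []
    for column in zip(*rows):
        values = sorted(set(column))
        if len(values) == 1:
            # Same token in every sample: fixed template text.
            template.append(("literal", values))
        elif len(values) <= len(samples) // 2:
            # Values repeat across samples: a limited-dictionary macro.
            template.append(("dictionary", values))
        else:
            # Nearly every sample differs: a random-character macro.
            lengths = [len(v) for v in values]
            template.append(("random", [min(lengths), max(lengths)]))
    return template

def to_regex(template):
    """Compile the inferred template into a whole-message signature."""
    parts = []
    for kind, data in template:
        if kind == "random":
            parts.append(r"\S{%d,%d}" % (data[0], data[1]))
        else:
            parts.append("(?:" + "|".join(re.escape(v) for v in data) + ")")
    return re.compile(r"\s+".join(parts))

def is_template_spam(regex, message):
    """True when the whole message is an instance of the template."""
    return regex.fullmatch(message.strip()) is not None
```

A dictionary word absent from the training samples is not matched, so the signature is only as complete as the spam collection it was inferred from.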
