What could a spammer or phisher do with a botnet of a thousand machines? a hundred thousand? a million? Send lots of email is the least worrisome answer to these questions. As anti-spam and anti-phishing defenses improve, there is more than sufficient financial motivation for spammers and phishers to consider what they can accomplish with enormous scale. We begin by looking at a wide range of anti-spam defenses. Many of these, like rate limiting and port 25 blocking, will simply no longer work against big botnets; we explain why. Further, the basic cryptographic assumptions underlying the implementation of SSL certificates and DomainKeys/DKIM need re-examination in light of the massive computing power of big botnets. We describe possible attacks by spammers and phishers, and the implications these attacks have in terms of defense.