Anirudh Ramachandran
Abstract
This paper studies the network-level behavior of spammers, including: IP address ranges that send the most spam, common spamming modes (e.g., BGP route hijacking, bots), how persistent across time each spamming host is, and characteristics of spamming botnets. We try to answer these questions by analyzing a 17-month trace of over 10 million spam messages collected at an Internet "spam sinkhole", and by correlating this data with the results of IP-based blacklist lookups, passive TCP fingerprinting information, routing information, and botnet "command and control" traces.We find that most spam is being sent from a few regions of IP address space, and that spammers appear to be using transient "bots" that send only a few pieces of email over very short periods of time. Finally, a small, yet non-negligible, amount of spam is received from IP addresses that correspond to short-lived BGP routes, typically for hijacked prefixes. These trends suggest that developing algorithms to identify botnet membership, filtering email messages based on network-level properties (which are less variable than email content), and improving the security of the Internet routing infrastructure, may prove to be extremely effective for combating spam.
- D. Bank and R. Richmond. Where the Dangers Are. The Wall Street Journal, July 2005. http://online.wsj.com/public/article/SB112128442038984802-4qR772hjUeqGT2W0FIcA3FNjE_20060717.html.Google Scholar
- M. Casado, T. Garfinkel, W. Cui, V. Paxson, and S. Savage. Opportunistic measurement: Extracting insight from spurious traffic. In Proc. 4th ACM Workshop on Hot Topics in Networks (Hotnets-IV), College Park, MD, Nov. 2005.Google Scholar
- CNN Technology News. Expert: Botnets No. 1 emerging Internet threat. http://www.cnn.com/2006/TECH/internet/01/31/furst/, Jan. 2006.Google Scholar
- Description of coordinated spamming, Feb. 2005. http://www.waltdnes.org/spam.Google Scholar
- J. Evers. Most spam still coming from the U.S. http://news.com.com/Most+spam+still+coming+from+the+U.S./2100-1029_3-6030758.html, Jan. 2006.Google Scholar
- N. Feamster. Open problems in BGP anomaly detection. In CAIDA Workshop on Internet Signal Processing, San Diego, CA, Nov. 2004.Google Scholar
- N. Feamster, D. Andersen, H. Balakrishnan, and M. F. Kaashoek. Measuring the Effects of Internet Path Faults on Reactive Routing. In Proc. ACM SIGMETRICS, pages 126--137, San Diego, CA, June 2003. Google ScholarDigital Library
- N. Feamster, J. Jung, and H. Balakrishnan. An Empirical Study of "Bogon" Route Advertisements. ACM Computer Communications Review, 35(1):63--70, Nov. 2004. Google ScholarDigital Library
- Goodmail Systems, 2006. http://www.goodmailsystems.com/.Google Scholar
- J. Goodman. IP Addresses in Email Clients. In First Conference on Email and Anti-Spam, Mountain View, CA, July 2004.Google Scholar
- S. Hansell. Postage is due for companies sending email, February 5, 2006. http://www.nytimes.com/2006/02/05/technology/05AOL.html.Google Scholar
- Honeynet Project. Know Your Enemy: Tracking Botnets. http://www.honeynet.org/papers/bots/botnet-commands.html, 2006.Google Scholar
- J. Jung and E. Sit. An Empirical Study of Spam Traffic and the Use of DNS Black Lists. In Proc. ACM SIGCOMM Internet Measurement Conference, pages 370--375, Taormina, Sicily, Italy, Oct. 2004. Google ScholarDigital Library
- A. Kumar, V. Paxson, and N. Weaver. Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event. In Proc. ACM SIGCOMM Internet Measurement Conference, Berkeley, CA, Oct. 2005. Google ScholarDigital Library
- R. Mahajan, D. Wetherall, and T. Anderson. Understanding BGP Misconfiguration. In Proc. ACM SIGCOMM, pages 3--17, Pittsburgh, PA, Aug. 2002. Google ScholarDigital Library
- MailAvenger, 2005. http://www.mailavenger.org/.Google Scholar
- J. Mason. Spam Forensics: Reverse-Engineering Spammer Tactics. http://spamassassin.apache.org/presentations/2004-09-Toorcon/html/, Sept. 2004.Google Scholar
- Microsoft security bulletin ms04-011. http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx, Apr. 2004.Google Scholar
- D. Moore, C. Shannon, and J. Brown. Code-red: A case study on the spread and victims of an internet worm. In Proc. ACM SIGCOMM Internet Measurement Workshop, Marseille, France, Nov. 2002. Google ScholarDigital Library
- Operating System Market Shares. http://marketshare.hitslink.com/report.aspx?qprid=2, Jan. 2006.Google Scholar
- The Open Relay Database, 2006. http://ordb.org/.Google Scholar
- M. Prince, B. Dahl, L. Holloway, A. Keller, and E. Langheinrich. Understanding How Spammers Steal Your E-Mail Address: An Analysis of the First Six Months of Data from Project Honey Pot. In Second Conference on Email and Anti-Spam, Stanford, CA, July 2005.Google Scholar
- Project Honey Pot. http://www.projecthoneypot.org/.Google Scholar
- A. Ramachandran and N. Feamster. Understanding the Network-Level Behavior of Spammers. Technical Report GT-CSS-2006-001, Georgia Tech, Feb. 2006.Google Scholar
- S. Ramasubramanian. Port 25 filters - how many here deploy them bidirectionally? http://www.merit.edu/mail.archives/nanog/2005-01/msg00127.html, Jan. 2005.Google Scholar
- The Spam and Open Relay Blocking System (SORBS), 2006. http://www.sorbs.net/.Google Scholar
- SpamAssassin, 2005. http://www.spamassassin.org/.Google Scholar
- Spammer-X. Inside the Spam Cartel. Syngress, Nov 2004. Google ScholarDigital Library
- S. Staniford, V. Paxson, and N. Weaver. How to 0wn the Internet in Your Spare Time. In Proc. 11th USENIX Security Symposium, San Francisco, CA, Aug. 2002. Google ScholarDigital Library
- J. Todd. AS number inconsistencies, July 2002. http://www.merit.edu/mail.archives/nanog/2002-07/msg00259.html.Google Scholar
- ZDNet Security News. Most spam genrated by botnets, expert says. http://news.zdnet.co.uk/internet/security/0,39020375,39167561,00.htm, Sept. 2004.Google Scholar
Index Terms
- Understanding the network-level behavior of spammers
Recommendations
Understanding the network-level behavior of spammers
SIGCOMM '06: Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communicationsThis paper studies the network-level behavior of spammers, including: IP address ranges that send the most spam, common spamming modes (e.g., BGP route hijacking, bots), how persistent across time each spamming host is, and characteristics of spamming ...
Correlation Analysis between Spamming Botnets and Malware Infected Hosts
SAINT '11: Proceedings of the 2011 IEEE/IPSJ International Symposium on Applications and the InternetMany of recent cyber attacks are being launched by botnets for the purpose of carrying out large-scale cyber attacks such as spam emails, Distributed Denial of Service (DDoS), network scanning and so on. In many cases, these botnets consist of a lot of ...
Spamming botnets: signatures and characteristics
In this paper, we focus on characterizing spamming botnets by leveraging both spam payload and spam server traffic properties. Towards this goal, we developed a spam signature generation framework called AutoRE to detect botnet-based spam emails and ...
Comments