ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Understanding the network-level behavior of spammers
Full text PdfPdf (411 KB)
Source Applications, Technologies, Architectures, and Protocols for Computer Communication archive
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications table of contents
Pisa, Italy
SESSION: Security table of contents
Pages: 291 - 302  
Year of Publication: 2006
ISBN:1-59593-308-5
Also published in ...
Authors
Anirudh Ramachandran  Georgia Tech
Nick Feamster  Georgia Tech
Sponsors
SIGCOMM: ACM Special Interest Group on Data Communication
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 57,   Downloads (12 Months): 419,   Citation Count: 39
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1159913.1159947
What is a DOI?

ABSTRACT

This paper studies the network-level behavior of spammers, including: IP address ranges that send the most spam, common spamming modes (e.g., BGP route hijacking, bots), how persistent across time each spamming host is, and characteristics of spamming botnets. We try to answer these questions by analyzing a 17-month trace of over 10 million spam messages collected at an Internet "spam sinkhole", and by correlating this data with the results of IP-based blacklist lookups, passive TCP fingerprinting information, routing information, and botnet "command and control" traces.We find that most spam is being sent from a few regions of IP address space, and that spammers appear to be using transient "bots" that send only a few pieces of email over very short periods of time. Finally, a small, yet non-negligible, amount of spam is received from IP addresses that correspond to short-lived BGP routes, typically for hijacked prefixes. These trends suggest that developing algorithms to identify botnet membership, filtering email messages based on network-level properties (which are less variable than email content), and improving the security of the Internet routing infrastructure, may prove to be extremely effective for combating spam.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
D. Bank and R. Richmond. Where the Dangers Are. The Wall Street Journal, July 2005. http://online.wsj.com/public/article/SB112128442038984802-4qR772hjUeqGT2W0FIcA3FNjE_20060717.html.
 
2
M. Casado, T. Garfinkel, W. Cui, V. Paxson, and S. Savage. Opportunistic measurement: Extracting insight from spurious traffic. In Proc. 4th ACM Workshop on Hot Topics in Networks (Hotnets-IV), College Park, MD, Nov. 2005.
 
3
CNN Technology News. Expert: Botnets No. 1 emerging Internet threat. http://www.cnn.com/2006/TECH/internet/01/31/furst/, Jan. 2006.
 
4
Description of coordinated spamming, Feb. 2005. http://www.waltdnes.org/spam.
 
5
J. Evers. Most spam still coming from the U.S. http://news.com.com/Most+spam+still+coming+from+the+U.S./2100-1029_3-6030758.html, Jan. 2006.
 
6
N. Feamster. Open problems in BGP anomaly detection. In CAIDA Workshop on Internet Signal Processing, San Diego, CA, Nov. 2004.
7
Nick Feamster , David G. Andersen , Hari Balakrishnan , M. Frans Kaashoek, Measuring the effects of internet path faults on reactive routing, Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, June 11-14, 2003, San Diego, CA, USA
8
Nick Feamster , Jaeyeon Jung , Hari Balakrishnan, An empirical study of "bogon" route advertisements, ACM SIGCOMM Computer Communication Review, v.35 n.1, January 2005  [doi>10.1145/1052812.1052826]
 
9
Goodmail Systems, 2006. http://www.goodmailsystems.com/.
 
10
J. Goodman. IP Addresses in Email Clients. In First Conference on Email and Anti-Spam, Mountain View, CA, July 2004.
 
11
S. Hansell. Postage is due for companies sending email, February 5, 2006. http://www.nytimes.com/2006/02/05/technology/05AOL.html.
 
12
Honeynet Project. Know Your Enemy: Tracking Botnets. http://www.honeynet.org/papers/bots/botnet-commands.html, 2006.
13
Jaeyeon Jung , Emil Sit, An empirical study of spam traffic and the use of DNS black lists, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy  [doi>10.1145/1028788.1028838]
 
14
A. Kumar, V. Paxson, and N. Weaver. Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event. In Proc. ACM SIGCOMM Internet Measurement Conference, Berkeley, CA, Oct. 2005.
15
Ratul Mahajan , David Wetherall , Tom Anderson, Understanding BGP misconfiguration, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
 
16
MailAvenger, 2005. http://www.mailavenger.org/.
 
17
J. Mason. Spam Forensics: Reverse-Engineering Spammer Tactics. http://spamassassin.apache.org/presentations/2004-09-Toorcon/html/, Sept. 2004.
 
18
Microsoft security bulletin ms04-011. http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx, Apr. 2004.
19
David Moore , Colleen Shannon , k claffy, Code-Red: a case study on the spread and victims of an internet worm, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France  [doi>10.1145/637201.637244]
 
20
Operating System Market Shares. http://marketshare.hitslink.com/report.aspx?qprid=2, Jan. 2006.
 
21
The Open Relay Database, 2006. http://ordb.org/.
 
22
M. Prince, B. Dahl, L. Holloway, A. Keller, and E. Langheinrich. Understanding How Spammers Steal Your E-Mail Address: An Analysis of the First Six Months of Data from Project Honey Pot. In Second Conference on Email and Anti-Spam, Stanford, CA, July 2005.
 
23
Project Honey Pot. http://www.projecthoneypot.org/.
 
24
A. Ramachandran and N. Feamster. Understanding the Network-Level Behavior of Spammers. Technical Report GT-CSS-2006-001, Georgia Tech, Feb. 2006.
 
25
S. Ramasubramanian. Port 25 filters - how many here deploy them bidirectionally? http://www.merit.edu/mail.archives/nanog/2005-01/msg00127.html, Jan. 2005.
 
26
The Spam and Open Relay Blocking System (SORBS), 2006. http://www.sorbs.net/.
 
27
SpamAssassin, 2005. http://www.spamassassin.org/.
 
28
Spammer-X. Inside the Spam Cartel. Syngress, Nov 2004.
 
29
Stuart Staniford , Vern Paxson , Nicholas Weaver, How to Own the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium, p.149-167, August 05-09, 2002
 
30
J. Todd. AS number inconsistencies, July 2002. http://www.merit.edu/mail.archives/nanog/2002-07/msg00259.html.
 
31
ZDNet Security News. Most spam genrated by botnets, expert says. http://news.zdnet.co.uk/internet/security/0,39020375,39167561,00.htm, Sept. 2004.

CITED BY  40
David S. Anderson , Chris Fleizach , Stefan Savage , Geoffrey M. Voelker, Spamscatter: characterizing internet scam hosting infrastructure, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-14, August 06-10, 2007, Boston, MA
Shobha Venkataraman , Subhabrata Sen , Oliver Spatscheck , Patrick Haffner , Dawn Song, Exploiting network structure for proactive spam mitigation, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-18, August 06-10, 2007, Boston, MA
Guofei Gu , Phillip Porras , Vinod Yegneswaran , Martin Fong , Wenke Lee, BotHunter: detecting malware infection through IDS-driven dialog correlation, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
Mengjun Xie , Heng Yin , Haining Wang, An effective defense against email spam laundering, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
Ying Zhang , Evan Cooke , Z. Morley Mao, Internet-scale malware mitigation: combining intelligence of the control and data plane, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA
Zhenhai Duan , Yingfei Dong , Kartik Gopalan, DMTP: Controlling spam through message delivery differentiation, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.10, p.2616-2630, July, 2007
Hitesh Ballani , Paul Francis , Xinyang Zhang, A study of prefix hijacking and interception in the internet, ACM SIGCOMM Computer Communication Review, v.37 n.4, October 2007
Haifeng Yu , Michael Kaminsky , Phillip B. Gibbons , Abraham Flaxman, SybilGuard: defending against sybil attacks via social networks, ACM SIGCOMM Computer Communication Review, v.36 n.4, October 2006
Michael Walfish , Mythili Vutukuru , Hari Balakrishnan , David Karger , Scott Shenker, DDoS defense by offense, ACM SIGCOMM Computer Communication Review, v.36 n.4, October 2006
Luiz Henrique Gomes , Cristiano Cazita , Jussara M. Almeida , Virgílio Almeida , Wagner Meira, Jr., Workload models of spam and legitimate e-mails, Performance Evaluation, v.64 n.7-8, p.690-714, August, 2007
Gautam Singaraju , Brent ByungHoon Kang, RepuScore: collaborative reputation management framework for email infrastructure, Proceedings of the 21st conference on 21st Large Installation System Administration Conference, p.1-9, November 11-16, 2007, Dallas
Yu Jin , Esam Sharafuddin , Zhi Li Zhang, Identifying dynamic IP address blocks serendipitously through background scanning traffic, Proceedings of the 2007 ACM CoNEXT conference, December 10-13, 2007, New York, New York
Christian Kreibich , Chris Kanich , Kirill Levchenko , Brandon Enright , Geoffrey M. Voelker , Vern Paxson , Stefan Savage, On the spam campaign trail, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-9, April 15-15, 2008, San Francisco, California
Li Zhuang , John Dunagan , Daniel R. Simon , Helen J. Wang , J. D. Tygar, Characterizing botnets from email spam records, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-9, April 15-15, 2008, San Francisco, California
Abhinav Pathak , Y. Charlie Hu , Z. Morley Mao, Peeking into spammer behavior from a unique vantage point, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-9, April 15-15, 2008, San Francisco, California
D. Kevin McGrath , Minaxi Gupta, Behind phishing: an examination of phisher modi operandi, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-8, April 15-15, 2008, San Francisco, California
Haifeng Yu , Michael Kaminsky , Phillip B. Gibbons , Abraham D. Flaxman, SybilGuard: defending against sybil attacks via social networks, IEEE/ACM Transactions on Networking (TON), v.16 n.3, p.576-589, June 2008
Guofei Gu , Roberto Perdisci , Junjie Zhang , Wenke Lee, BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection, Proceedings of the 17th conference on Security symposium, p.139-154, July 28-August 01, 2008, San Jose, CA
Yinglian Xie , Fang Yu , Kannan Achan , Eliot Gillum , Moises Goldszmidt , Ted Wobber, How dynamic are IP addresses?, ACM SIGCOMM Computer Communication Review, v.37 n.4, October 2007
Changxi Zheng , Lusheng Ji , Dan Pei , Jia Wang , Paul Francis, A light-weight distributed scheme for detecting ip prefix hijacks in real-time, ACM SIGCOMM Computer Communication Review, v.37 n.4, October 2007
Rhiannon Weaver , M. Patrick Collins, Fishing for phishes: applying capture-recapture methods to estimate phishing populations, Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit, p.14-25, October 04-05, 2007, Pittsburgh, Pennsylvania
Sharon Goldberg , Shai Halevi , Aaron D. Jaggard , Vijay Ramachandran , Rebecca N. Wright, Rationality and traffic attraction: incentives for honest path announcements in bgp, ACM SIGCOMM Computer Communication Review, v.38 n.4, October 2008
Anirudh Ramachandran , Nick Feamster , Santosh Vempala, Filtering spam with behavioral blacklisting, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
Anirudh Ramachandran , Srinivasan Seetharaman , Nick Feamster , Vijay Vazirani, Fast monitoring of traffic subpopulations, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, October 20-22, 2008, Vouliagmeni, Greece
Zheng Zhang , Ying Zhang , Y. Charlie Hu , Z. Morley Mao , Randy Bush, Ispy: detecting ip prefix hijacking on my own, ACM SIGCOMM Computer Communication Review, v.38 n.4, October 2008
David G. Andersen , Hari Balakrishnan , Nick Feamster , Teemu Koponen , Daekyeong Moon , Scott Shenker, Accountable internet protocol (aip), ACM SIGCOMM Computer Communication Review, v.38 n.4, October 2008
David G. Andersen , Hari Balakrishnan , Nick Feamster , Teemu Koponen , Daekyeong Moon , Scott Shenker, Accountable internet protocol (aip), ACM SIGCOMM Computer Communication Review, v.38 n.4, October 2008
Yinglian Xie , Fang Yu , Kannan Achan , Rina Panigrahy , Geoff Hulten , Ivan Osipkov, Spamming botnets: signatures and characteristics, ACM SIGCOMM Computer Communication Review, v.38 n.4, October 2008
Josh Karlin , Stephanie Forrest , Jennifer Rexford, Autonomous security for autonomous systems, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.15, p.2908-2923, October, 2008
Xin Liu , Xiaowei Yang , Yanbin Lu, To filter or to authorize: network-layer DoS defense against multimillion-node botnets, ACM SIGCOMM Computer Communication Review, v.38 n.4, October 2008
Mengjun Xie , Heng Yin , Haining Wang, Thwarting E-mail Spam Laundering, ACM Transactions on Information and System Security (TISSEC), v.12 n.2, p.1-32, December 2008
Zhichun Li , Anup Goyal , Yan Chen , Vern Paxson, Automating analysis of large-scale botnet probing events, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 10-12, 2009, Sydney, Australia
Wayne Liu , Sudhir Aggarwal , Zhenhai Duan, Incorporating accountability into internet email, Proceedings of the 2009 ACM symposium on Applied Computing, March 08-12, 2009, Honolulu, Hawaii
Yao Zhao , Yinglian Xie , Fang Yu , Qifa Ke , Yuan Yu , Yan Chen , Eliot Gillum, BotGraph: large scale spamming botnet detection, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.321-334, April 22-24, 2009, Boston, Massachusetts
Andreas Haeberlen , Ioannis Avramopoulos , Jennifer Rexford , Peter Druschel, NetReview: detecting when interdomain routing goes wrong, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.437-452, April 22-24, 2009, Boston, Massachusetts
John P. John , Alexander Moshchuk , Steven D. Gribble , Arvind Krishnamurthy, Studying spamming botnets using Botlab, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.291-306, April 22-24, 2009, Boston, Massachusetts
Abhinav Pathak , Feng Qian , Y. Charlie Hu , Z. Morley Mao , Supranamaya Ranjan, Botnet spam campaigns can be long lasting: evidence, implications, and analysis, Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems, June 15-19, 2009, Seattle, WA, USA
Yinglian Xie , Fang Yu , Martin Abadi, De-anonymizing the internet using unreliable IDs, ACM SIGCOMM Computer Communication Review, v.39 n.4, October 2009
Enrico Blanzieri , Anton Bryl, A survey of learning-based techniques of email spam filtering, Artificial Intelligence Review, v.29 n.1, p.63-92, March 2008
Paulo Cortez , Clotilde Lopes , Pedro Sousa , Miguel Rocha , Miguel Rio, Symbiotic Data Mining for Personalized Spam Filtering, Proceedings of the 2009 IEEE/WIC/ACM International Joint Conference on Web Intelligence and Intelligent Agent Technology, p.149-156, September 15-18, 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.3 Network Operations
          Subjects: Network management


General Terms:
Design, Management, Reliability, Security


Keywords:
BGP, botnet, network management, security, spam

Collaborative Colleagues:
Anirudh Ramachandran: colleagues
Nick Feamster: colleagues
This Article has also been published in:

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player