ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Botnet spam campaigns can be long lasting: evidence, implications, and analysis
Full text PdfPdf (1.13 MB)
Source
Joint International Conference on Measurement and Modeling of Computer Systems archive
Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems table of contents
Seattle, WA, USA
SESSION: Security table of contents
Pages 13-24  
Year of Publication: 2009
ISBN:978-1-60558-511-6
Authors
Abhinav Pathak  Purdue University, West Lafayette, USA
Feng Qian  University of Michigan, Ann Arbor, USA
Y. Charlie Hu  Purdue University, West Lafayette, USA
Z. Morley Mao  University of Michigan, Ann Arbor, USA
Supranamaya Ranjan  Narus, Inc., Mountain View, USA
Sponsors
ACM: Association for Computing Machinery
SIGMETRICS: ACM Special Interest Group on Measurement and Evaluation
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 75,   Downloads (12 Months): 157,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1555349.1555352
What is a DOI?

ABSTRACT

Accurately identifying spam campaigns launched by a large number of bots in a botnet allows for accurate spam campaign signature generation and hence is critical to defeating spamming botnets. The straight-forward approach of clustering all spam containing the same label such as an URL into a campaign can be easily defeated by techniques such as simple obfuscations of URLs. In this paper, we perform a comprehensive study of content-agnostic characteristics of spam campaigns, e.g. duration and source-network distribution of spammers, in order to ascertain whether and how they can assist the simple label-based clustering methods in identifying campaigns and generating campaign signatures. In particular, from a five-month trace collected by a relay sinkhole, we manually identified and then analyzed seven URL-based botnet spam campaigns consisting of 52 million spam messages sent over 2.09 million SMTP connections originated from over 150,000 non-proxy spamming hosts and destined to about 200,000 end domains. Our analysis shows that the spam campaigns, when observed from large destination domains, exhibit durations far longer than the five-day period as reported in a recent study. We analyze the implications of this finding on spam campaign signature generation. We further study other characteristics of these long-lasting campaigns. Our analysis reveals several new findings regarding workload distribution, sending patterns, and coordination among the spamming machines.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Route Views Project Page. http://www.routeviews.org.
 
2
David S. Anderson , Chris Fleizach , Stefan Savage , Geoffrey M. Voelker, Spamscatter: characterizing internet scam hosting infrastructure, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-14, August 06-10, 2007, Boston, MA
 
3
Bl: Spamcop blocking list. http://bl.spamcop.net.
 
4
Andrei Z. Broder , Steven C. Glassman , Mark S. Manasse , Geoffrey Zweig, Syntactic clustering of the Web, Computer Networks and ISDN Systems, v.29 n.8-13, p.1157-1166, Sep. 1997
 
5
Cbl: Composite blocking list. http://cbl.abuseat.org/.
 
6
R. Clayton. Do zebras get more spam than aardvarks? In Proc. of CEAS, 2008.
7
Marcel Dischinger , Andreas Haeberlen , Krishna P. Gummadi , Stefan Saroiu, Characterizing residential broadband networks, Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, October 24-26, 2007, San Diego, California, USA  [doi>10.1145/1298306.1298313]
 
8
Sorbs: Spam and open-relay blocking system. http://dnsbl.sorbs.net.
 
9
Dsbl: Distributed sender blackhole list. list.dsbl.org.
10
Chris Kanich , Christian Kreibich , Kirill Levchenko , Brandon Enright , Geoffrey M. Voelker , Vern Paxson , Stefan Savage, Spamalytics: an empirical analysis of spam marketing conversion, Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA  [doi>10.1145/1455770.1455774]
 
11
Maria Konte , Nick Feamster , Jaeyeon Jung, Dynamics of Online Scam Hosting Infrastructure, Proceedings of the 10th International Conference on Passive and Active Network Measurement, April 01-03, 2009, Seoul, Korea  [doi>10.1007/978-3-642-00975-4_22]
 
12
Christian Kreibich , Chris Kanich , Kirill Levchenko , Brandon Enright , Geoffrey M. Voelker , Vern Paxson , Stefan Savage, On the spam campaign trail, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-9, April 15-15, 2008, San Francisco, California
 
13
Maxmind -- ip geolocation and online fraud prevention. http://www.maxmind.com/.
 
14
Njabl: Spam blocking blacklist. http://www.njabl.org/.
 
15
Abhinav Pathak , Y. Charlie Hu , Z. Morley Mao, Peeking into spammer behavior from a unique vantage point, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-9, April 15-15, 2008, San Francisco, California
 
16
Pbl: The policy block list. http://www.spamhaus.org/pbl/.
17
Anirudh Ramachandran , Nick Feamster, Understanding the network-level behavior of spammers, Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications, September 11-15, 2006, Pisa, Italy
18
Anirudh Ramachandran , Nick Feamster , Santosh Vempala, Filtering spam with behavioral blacklisting, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA  [doi>10.1145/1315245.1315288]
 
19
Super webscan. http://www.sharewareconnection.com/super-webscan.htm.
 
20
Joe st sauver: Evolving methods for sending spam and malware. http://www.ftc.gov/bcp/workshops/spamsummit/presentations/Evolving-Methods.pdf.
 
21
The spamhaus project. sbl-xbl.spamhaus.org.
22
Yinglian Xie , Fang Yu , Kannan Achan , Rina Panigrahy , Geoff Hulten , Ivan Osipkov, Spamming botnets: signatures and characteristics, Proceedings of the ACM SIGCOMM 2008 conference on Data communication, August 17-22, 2008, Seattle, WA, USA
 
23
Li Zhuang , John Dunagan , Daniel R. Simon , Helen J. Wang , J. D. Tygar, Characterizing botnets from email spam records, Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, p.1-9, April 15-15, 2008, San Francisco, California
 
24
2006 spam trends report: Year of the zombies. http://www.commtouch.com/downloads/Commtouch_2006_Spam_Trends_Year_of_the_Zombies.pdf.

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.3 Network Operations
          Subjects: Network management

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)


General Terms:
Measurement, Security


Keywords:
botnet, burstiness, distributedness, open relay, spam campaign

Collaborative Colleagues:
Abhinav Pathak: colleagues
Feng Qian: colleagues
Y. Charlie Hu: colleagues
Z. Morley Mao: colleagues
Supranamaya Ranjan: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player