Wednesday, February 28, 2007

Understanding the Network Level Behaviour of Spammers

A paper by Anirudh Ramachandran and Nick Feamster.

This paper studies the network-level behaviour of spammers, including: the IP address ranges that send the most spam, common spamming modes, the persistence of each spamming host across time, and the characteristics of botnets that send spam. It is largely descriptive in nature and gives a good background on previous related work in this area.

The researchers analyzed a 17-month trace of over 10 million spam messages collected from the internet by building what they call a "spam sinkhole". They then correlated this data with the results of IP-based blacklist lookups, BGP routing information, and botnet "command and control" traces.

Towards the goal of developing techniques for designing more robust network-level spam filters, the researchers characterize the network-level behaviour of spammers as observed at the "spam sinkhole" they created for this purpose, with complete logs of all spam received from August 2004 through December 2005.

The paper goes on to survey the previous work done in this field and to explain common spamming methods and the mitigation techniques used against them. Reading these parts proves extremely useful, as one gets a good insight into the topic being dealt with.

The paper further explains the method used by the "sinkhole" for collecting data. The researchers configured the sinkhole to accept all mail, regardless of the username it was addressed to, and to gather network-level properties of the mail relay from which each spam message arrived. The following information is collected about the mail relay each time a spam message is received:

1. The IP address of the relay that established the connection to the sinkhole when the spam was received.

2. A traceroute to that IP address, to estimate the network location of the mail relay.

3. A passive "p0f" TCP fingerprint, based on properties of the relay's TCP stack, which lets the researchers estimate the operating system of the mail relay.

4. The results of DNS blacklist (DNSBL) lookups for that mail relay against eight different blacklists.
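The DNSBL lookup in step 4 is the one part of the collection procedure that is purely mechanical, so here is how it is built. This is an added example, not code from the paper or its sinkhole: the relay address is reversed octet by octet, the blacklist zone is appended, and an A record in 127.0.0.0/8 means "listed" while NXDOMAIN means "not listed". The zone names below are real, well-known DNSBLs chosen for illustration; the paper does not say which eight lists it queried, so this is not its list. The resolver is injectable so the demo runs offline against constructed answers.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Representative DNSBL zones, chosen for this example. The paper does not
# name the eight lists it queried, so this is not its list.
DNSBL_ZONES: List[str] = [
    "zen.spamhaus.org",
    "bl.spamcop.net",
    "b.barracudacentral.org",
    "dnsbl.sorbs.net",
]

# Constructed resolver answers so the example runs without network access.
# 192.0.2.25 is an RFC 5737 documentation address, never a real relay.
CANNED_ANSWERS: Dict[str, str] = {
    "25.2.0.192.zen.spamhaus.org": "127.0.0.2",
    "25.2.0.192.bl.spamcop.net": "127.0.0.2",
}


def dnsbl_query_name(relay_ip: str, zone: str) -> str:
    """Build the lookup name for an IPv4 relay: octets reversed, then the zone.

    Raises ValueError for anything that is not a valid IPv4 address, so a
    malformed relay string taken from a log can never become a DNS query.
    """
    ip = ipaddress.IPv4Address(relay_ip)
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(answer: Optional[str]) -> bool:
    """Decide listed/not-listed from an A-record answer.

    Listings come back inside 127.0.0.0/8 (the last octet is a per-list
    reason code). NXDOMAIN (answer None) means not listed. Anything outside
    127/8 is treated as not listed rather than trusted: a wildcarded or
    hijacked zone could otherwise mark every relay as a spammer.
    """
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ValueError:
        return False


def live_resolver(name: str) -> Optional[str]:
    """Resolve a query name with the system resolver; NXDOMAIN -> None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_relay(
    relay_ip: str,
    zones: List[str] = DNSBL_ZONES,
    resolver: Callable[[str], Optional[str]] = live_resolver,
) -> Dict[str, bool]:
    """Query every zone for one relay and return zone -> listed."""
    return {zone: is_listed(resolver(dnsbl_query_name(relay_ip, zone))) for zone in zones}


def listing_count(results: Dict[str, bool]) -> int:
    """How many of the queried lists flag the relay."""
    return sum(1 for listed in results.values() if listed)


if __name__ == "__main__":
    results = check_relay("192.0.2.25", resolver=CANNED_ANSWERS.get)
    for zone, listed in results.items():
        print(f"{zone:28} {'LISTED' if listed else 'clean'}")
    print("listed on", listing_count(results), "of", len(results), "lists")
```

Swapping `CANNED_ANSWERS.get` for the default `live_resolver` turns this into a real lookup; the reason codes in the last octet differ between lists, so only the listed/not-listed decision is portable across zones.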

The paper then presents the collected data in various forms and derives a set of conclusions, which are summarized as follows:

1. The vast majority of received spam arrives from a few concentrated portions of the IP address space.

2. Most received spam is sent by Windows hosts, and most bots sending spam are active for only a single, short period of less than two minutes.

3. A small set of spammers continually uses short-lived BGP route announcements to remain untraceable.
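To make conclusions 1 and 2 concrete, the following added example (not code or data from the paper) runs the same kind of aggregation over a small, constructed sinkhole log: one line per accepted message with the timestamp, the relay IP, and the OS guessed by p0f. It groups spam by network prefix to show concentration in address space, tallies the OS share, and measures how long each relay stayed active so the "under two minutes" observation can be checked per host. The relay addresses are RFC 5737 documentation ranges, not real hosts.

```python
from collections import Counter
from datetime import datetime
import ipaddress
from typing import Dict, List, NamedTuple


class SpamRecord(NamedTuple):
    ts: datetime
    relay_ip: str
    relay_os: str


# Constructed sinkhole log, not data from the paper: ISO timestamp, relay IP,
# p0f OS guess. 203.0.113/24, 198.51.100/24 and 192.0.2/24 are RFC 5737 ranges.
SAMPLE_LOG = """\
2005-03-14T10:22:01 203.0.113.7 Windows
2005-03-14T10:22:40 203.0.113.7 Windows
2005-03-14T10:23:05 203.0.113.9 Windows
2005-03-14T11:00:00 203.0.113.40 Windows
2005-03-15T09:10:10 198.51.100.23 Linux
2005-03-15T09:10:15 198.51.100.23 Linux
2005-03-20T09:10:15 198.51.100.23 Linux
2005-03-16T02:00:00 203.0.113.77 Windows
2005-03-16T02:01:30 203.0.113.77 Windows
2005-03-17T05:00:00 192.0.2.200 FreeBSD
2005-03-17T05:00:01 203.0.113.12 Windows
2005-03-17T05:00:02 203.0.113.13 Windows
"""


def parse_log(text: str) -> List[SpamRecord]:
    """Parse the log, validating the relay IP so bad lines fail loudly."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, os_name = line.split()
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
        records.append(SpamRecord(datetime.fromisoformat(ts), ip, os_name))
    return records


def spam_by_prefix(records: List[SpamRecord], prefix_len: int = 8) -> Counter:
    """Count messages per /prefix_len network (e.g. /8 or /24)."""
    counts: Counter = Counter()
    for r in records:
        net = ipaddress.ip_network(f"{r.relay_ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def top_prefix_share(records: List[SpamRecord], prefix_len: int = 8, k: int = 1) -> float:
    """Fraction of all spam that came from the k busiest prefixes."""
    counts = spam_by_prefix(records, prefix_len)
    top = sum(n for _, n in counts.most_common(k))
    return top / len(records)


def os_share(records: List[SpamRecord]) -> Dict[str, float]:
    """Fraction of messages per p0f OS guess."""
    counts = Counter(r.relay_os for r in records)
    return {os_name: n / len(records) for os_name, n in counts.items()}


def host_activity_spans(records: List[SpamRecord]) -> Dict[str, float]:
    """Seconds between the first and last message seen from each relay IP."""
    first: Dict[str, datetime] = {}
    last: Dict[str, datetime] = {}
    for r in records:
        first[r.relay_ip] = min(first.get(r.relay_ip, r.ts), r.ts)
        last[r.relay_ip] = max(last.get(r.relay_ip, r.ts), r.ts)
    return {ip: (last[ip] - first[ip]).total_seconds() for ip in first}


def short_lived_host_fraction(records: List[SpamRecord], max_seconds: float = 120) -> float:
    """Fraction of relays whose whole activity span is under max_seconds."""
    spans = host_activity_spans(records)
    return sum(1 for s in spans.values() if s < max_seconds) / len(spans)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("spam per /24:", spam_by_prefix(recs, 24).most_common())
    print("share from busiest /8:", round(top_prefix_share(recs, 8, 1), 3))
    print("OS share:", os_share(recs))
    print("relays active < 2 min:", round(short_lived_host_fraction(recs), 3))
```

The activity span is measured as first-to-last message per IP, the simplest possible notion of "persistence"; on a real 17-month trace one would also want to split a relay's history into sessions, since a dynamic address can be reassigned to a different infected host between bursts.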
