Title:
Understanding the Network­-Level Behavior of Spammers

Thumbnail Image
Author(s)
Ramachandran, Anirudh
Feamster, Nick
Authors
Advisor(s)
Advisor(s)
Editor(s)
Associated Organization(s)
Organizational Unit
Organizational Unit
School of Computer Science
School established in 2007
Supplementary to
Abstract
This paper studies the network-level behavior of spammers, including: IP address ranges that send the most spam, common spamming modes (e.g., BGP route hijacking, bots), how persistent (in time) each spamming host is, botnet spamming characteristics, and techniques for harvesting email addresses. This paper studies these questions by analyzing an 18-month trace of over 10 million spam messages collected at one Internet "spam sinkhole", and by correlating these messages with the results of IP-based blacklist lookups, passive TCP fingerprinting information, routing information, and botnet "command and control" traces. We find that a small, yet non-negligible, amount of spam is received from IP addresses that correspond to short-lived BGP routes, typically for hijacked addresses. Most spam was received from a few regions of IP address space. Spammers appear to make use of transient "bots" that send only a few pieces of email over the course of a few minutes at most. These patterns suggest that developing algorithms to identify botnet membership, filtering email messages based on network-level properties (which are less variable than an email's contents), and improving the security of the Internet routing infrastructure, may be prove extremely effective for combating spam.
Sponsor
Date Issued
2006
Extent
Resource Type
Text
Resource Subtype
Technical Report
Rights Statement
Rights URI