Title:
Understanding the Network-Level Behavior of Spammers
Author(s)
Ramachandran, Anirudh
Feamster, Nick
Abstract
This paper studies the network-level behavior of spammers,
including: IP address ranges that send the most spam, common
spamming modes (e.g., BGP route hijacking, bots), how
persistent (in time) each spamming host is, botnet spamming
characteristics, and techniques for harvesting email addresses.
This paper studies these questions by analyzing an
18-month trace of over 10 million spam messages collected
at one Internet "spam sinkhole", and by correlating these
messages with the results of IP-based blacklist lookups, passive
TCP fingerprinting information, routing information,
and botnet "command and control" traces.
We find that a small, yet non-negligible, amount of spam
is received from IP addresses that correspond to short-lived
BGP routes, typically for hijacked addresses. Most spam
was received from a few regions of IP address space. Spammers
appear to make use of transient "bots" that send only
a few pieces of email over the course of a few minutes at
most. These patterns suggest that developing algorithms to
identify botnet membership, filtering email messages based
on network-level properties (which are less variable than an
email's contents), and improving the security of the Internet
routing infrastructure, may prove extremely effective for
combating spam.
Date Issued
2006
Resource Type
Text
Resource Subtype
Technical Report