Title:
Understanding the Network-Level Behavior of Spammers
Understanding the Network-Level Behavior of Spammers
| dc.contributor.author | Ramachandran, Anirudh | |
| dc.contributor.author | Feamster, Nick | |
| dc.contributor.corporatename | Georgia Institute of Technology. College of Computing | |
| dc.date.accessioned | 2007-05-08T16:45:30Z | |
| dc.date.available | 2007-05-08T16:45:30Z | |
| dc.date.issued | 2006 | |
| dc.description.abstract | This paper studies the network-level behavior of spammers, including: IP address ranges that send the most spam, common spamming modes (e.g., BGP route hijacking, bots), how persistent (in time) each spamming host is, botnet spamming characteristics, and techniques for harvesting email addresses. This paper studies these questions by analyzing an 18-month trace of over 10 million spam messages collected at one Internet "spam sinkhole", and by correlating these messages with the results of IP-based blacklist lookups, passive TCP fingerprinting information, routing information, and botnet "command and control" traces. We find that a small, yet non-negligible, amount of spam is received from IP addresses that correspond to short-lived BGP routes, typically for hijacked addresses. Most spam was received from a few regions of IP address space. Spammers appear to make use of transient "bots" that send only a few pieces of email over the course of a few minutes at most. These patterns suggest that developing algorithms to identify botnet membership, filtering email messages based on network-level properties (which are less variable than an email's contents), and improving the security of the Internet routing infrastructure, may be prove extremely effective for combating spam. | |
| dc.identifier.uri | http://hdl.handle.net/1853/14332 | |
| dc.language.iso | en_US | en |
| dc.publisher | Georgia Institute of Technology | en |
| dc.relation.ispartofseries | SCS Technical Report ; GIT-CSS-06-01 | en |
| dc.subject | BGP routing | |
| dc.subject | Blacklists | |
| dc.subject | Botnet | |
| dc.subject | Datasets | |
| dc.subject | Spammers | |
| dc.subject | TCP fingerprinting | |
| dc.subject | Traceroutes | |
| dc.title | Understanding the Network-Level Behavior of Spammers | en |
| dc.type | Text | |
| dc.type.genre | Technical Report | |
| dspace.entity.type | Publication | |
| local.contributor.corporatename | College of Computing | |
| local.contributor.corporatename | School of Computer Science | |
| local.relation.ispartofseries | College of Computing Technical Report Series | |
| local.relation.ispartofseries | School of Computer Science Technical Report Series | |
| relation.isOrgUnitOfPublication | c8892b3c-8db6-4b7b-a33a-1b67f7db2021 | |
| relation.isOrgUnitOfPublication | 6b42174a-e0e1-40e3-a581-47bed0470a1e | |
| relation.isSeriesOfPublication | 35c9e8fc-dd67-4201-b1d5-016381ef65b8 | |
| relation.isSeriesOfPublication | 26e8e5bc-dc81-469c-bd15-88e6f98f741d |