Understanding the network-level behavior of spammers

Published: 11 August 2006

Abstract

This paper studies the network-level behavior of spammers, including: IP address ranges that send the most spam, common spamming modes (e.g., BGP route hijacking, bots), how persistent across time each spamming host is, and characteristics of spamming botnets. We try to answer these questions by analyzing a 17-month trace of over 10 million spam messages collected at an Internet "spam sinkhole", and by correlating this data with the results of IP-based blacklist lookups, passive TCP fingerprinting information, routing information, and botnet "command and control" traces. We find that most spam is being sent from a few regions of IP address space, and that spammers appear to be using transient "bots" that send only a few pieces of email over very short periods of time. Finally, a small, yet non-negligible, amount of spam is received from IP addresses that correspond to short-lived BGP routes, typically for hijacked prefixes. These trends suggest that developing algorithms to identify botnet membership, filtering email messages based on network-level properties (which are less variable than email content), and improving the security of the Internet routing infrastructure, may prove to be extremely effective for combating spam.



Published In

ACM SIGCOMM Computer Communication Review, Volume 36, Issue 4
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
October 2006, 445 pages
ISSN: 0146-4833
DOI: 10.1145/1151659

SIGCOMM '06: Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
September 2006, 458 pages
ISBN: 1595933085
DOI: 10.1145/1159913

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 11 August 2006
Published in SIGCOMM-CCR Volume 36, Issue 4


Author Tags

1. BGP
2. botnet
3. network management
4. security
5. spam
