Understanding the NetworkLevel Behavior of Spammers - PowerPoint PPT Presentation

Slides: 33
Provided by: kzh
Learn more at: http://www.cs.ucf.edu

1
Understanding the Network-Level Behavior of
Spammers
  • Authors: Anirudh Ramachandran, Nick Feamster
  • SIGCOMM '06, September 11-16, 2006, Pisa, Italy
  • Presenter: Tao Li

2
Questions
  • Which IP ranges send the most spam?
  • What are the common spamming modes? How much spam
    comes from botnets versus other techniques (open
    relays, short-lived route announcements)?
  • How persistent is each spamming host across time?
  • What are the characteristics of spamming botnets?

3
Motivation
  • 17-month trace of over 10 million spam messages
    received at a spam sinkhole
  • Joint analysis with IP-based blacklist lookups,
    passive TCP fingerprinting information, routing
    information and botnet C&C traces
  • Goal: find network-level properties of spammers
    that can be used to design more robust
    network-level spam filters

4
Outline
  • Background Information
  • Data Collection
  • Data Analysis
  • Network-level Characteristics of Spammers
  • Spam from Botnets
  • Spam from Transient BGP Announcements
  • Discussion

6
Spamming Methods
  • Direct spamming: buy connectivity from
    spam-friendly ISPs
  • Open relays and proxies: allow unauthenticated
    hosts to relay email
  • Botnets: infected hosts act as mail relays
  • BGP spectrum agility: announce (hijack) a route,
    send spam, then withdraw the route

7
Mitigation techniques
  • Content filters
  • Filtering rules must be updated continually
  • Need large corpora for training
  • Spammers can easily change message content
  • Blacklist lookups
  • Spammers send from stolen (hijacked) IP addresses
  • Many bot IP addresses are short-lived

8
Outline
  • Background
  • Data Collection
  • Data Analysis
  • Network-level Characteristics of Spammers
  • Spam from Botnets
  • Spam from Transient BGP Announcements
  • Discussion

9
Spam Email Traces
  • Sinkhole corpus: a domain collected from 8/5/2005
    to 1/6/2006
  • The domain has no legitimate email addresses
  • Only a DNS Mail Exchange (MX) record
  • Runs the Mail Avenger SMTP server, which records
    for every message:
  • The IP address of the relay
  • A traceroute to that IP address
  • A passive p0f TCP fingerprint (operating system)
  • The result of DNS blacklist (DNSBL) lookups

10
Spam Email Traces
  • The number of spam messages and of distinct sender
    IP addresses both rise over the trace

11
Data Collection
  • Legitimate Email Traces
  • 700,000 legitimate messages from a large email
    provider
  • Botnet Command and Control Data
  • A trace of hosts infected by Bobax
  • Hijacked the authoritative DNS server for the
    botnet's C&C domain and redirected it to a
    honeypot
  • BGP Routing Measurements
  • Colocated a BGP monitor in the same network as the
    sinkhole

12
Outline
  • Background
  • Data Collection
  • Data Analysis
  • Network-level Characteristics of Spammers
  • Spam from Botnets
  • Spam from Transient BGP Announcements
  • Discussion

13
Network-level Characteristics of Spammers
  • Distribution Across Networks
  • Distribution across IP address space
  • Distribution across ASes
  • Distribution by country
  • The Effectiveness of Blacklists

14
Distribution Across Networks
  • Distribution across IP address space
  • The majority of spam comes from a relatively small
    fraction of the IP address space, and the
    distribution is persistent.

15
Distribution Across Networks
  • About 85% of client IP addresses sent fewer than
    10 emails to the sinkhole.
  • Important for spam filter design: an IP-keyed
    filter sees most senders only a few times.

16
Distribution Across Networks
  • Distribution across ASes
  • Over 10% of spam came from the top 2 ASes, and
    36% from the top 20 ASes

17
Distribution Across Networks
  • Distribution by country
  • Although the top 2 ASes from which spam was
    received were in Asia, 11 of the top 20 were in
    the USA, comprising 40% of all spam received from
    the top 20.
  • Assigning a higher level of suspicion according to
    an email's country of origin may be effective in
    filtering.

18
The Effectiveness of Blacklists
  • Nearly 80% of relays are listed in the 8
    blacklists

19
The Effectiveness of Blacklists
  • Spamcop alone lists only 50% of the spam received
  • Blacklists have high false-positive rates
  • Ineffective when the sending IP address uses more
    sophisticated cloaking techniques

20
Outline
  • Background
  • Data Collection
  • Data Analysis
  • Network-level Characteristics of Spammers
  • Spam from Botnets
  • Spam from Transient BGP Announcements
  • Discussion

21
Spam from Botnets
  • Bobax Topology
  • Spamming hosts and Bobax drones have similar
    distributions across the IP address space, so
    much of the spam may be due to botnets

22
Spam from Botnets
  • Operating Systems of Spamming Hosts
  • 4% of spamming hosts are not Windows, but they
    sent 8% of the spam

23
Spam from Botnets
  • Spamming Bot Activity Profile
  • Over 65% of bots are single-shot; 75% of those
    were active for less than 2 minutes

24
Spam from Botnets
  • Spamming Bot Activity Profile
  • Regardless of persistence, 99% of bots sent fewer
    than 100 spam messages
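The two per-IP statistics behind slides 15 and 24 (the share of relays that sent fewer than 10 messages, and the share of single-shot bots) can be reproduced from a sinkhole log in a few lines. This is an added example, not code from the paper or the presenter; the log lines are constructed and the 2-minute single-shot window is an assumption.

```python
"""Per-IP spamming activity profile from a sinkhole log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

SINGLE_SHOT_WINDOW = timedelta(minutes=2)   # assumption, not from the paper

# Constructed sinkhole log lines: "<ISO timestamp> <relay IP>"
SAMPLE_LOG = """\
2005-08-05T08:00:00 203.0.113.10
2005-08-05T08:00:40 203.0.113.10
2005-08-05T08:01:30 203.0.113.10
2005-08-05T09:00:00 198.51.100.7
2005-08-06T09:00:00 198.51.100.7
2005-08-05T12:00:00 192.0.2.33
"""


def profile(log_text):
    """Return {relay_ip: (message_count, first_seen, last_seen)}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip = line.split()
        seen[ip].append(datetime.fromisoformat(ts))
    return {ip: (len(t), min(t), max(t)) for ip, t in seen.items()}


def low_volume_fraction(prof, threshold=10):
    """Fraction of relay IPs that sent fewer than `threshold` messages."""
    return sum(1 for n, _, _ in prof.values() if n < threshold) / len(prof)


def single_shot_fraction(prof, window=SINGLE_SHOT_WINDOW):
    """Fraction of relay IPs whose entire activity fits inside `window`."""
    hits = sum(1 for _, first, last in prof.values() if last - first <= window)
    return hits / len(prof)
```

On the constructed log every relay is low-volume, and two of the three relays (the 90-second burst and the lone message) count as single-shot.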

25
Outline
  • Background
  • Data Collection
  • Data Analysis
  • Network-level Characteristics of Spammers
  • Spam from Botnets
  • Spam from Transient BGP Announcements
  • Discussion

26
Spam from Transient BGP Announcements
  • BGP Spectrum Agility
  • A small but persistent group of spammers appears
    to send spam by:
  • Advertising (hijacking) large blocks of IP address
    space (i.e., /8s)
  • Sending spam from IP addresses scattered
    throughout that space
  • Withdrawing the route for the IP address space
    shortly after the spam is sent

27
Spam from Transient BGP Announcements
  • Announcement, withdrawal and spam from 61.0.0.0/8
    and 82.0.0.0/8

28
Spam from Transient BGP Announcements
  • Prevalence of BGP Spectrum Agility
  • About 1% of spam comes from short-lived routes,
    but at times as much as 10%
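The measurement behind slides 26 to 28, as an added example that is not part of the paper or the slides: join a BGP update log from a monitor colocated with the sinkhole against the spam log, and flag messages whose sender was only reachable via a route that lived briefly around the time the message arrived. The prefixes, timestamps and the one-hour "short-lived" threshold are all constructed assumptions.

```python
"""Flag spam received from transient BGP announcements (added example)."""
import ipaddress
from datetime import datetime, timedelta

MAX_ROUTE_LIFETIME = timedelta(hours=1)   # assumed "short-lived" threshold

# Constructed BGP updates: (ISO timestamp, action, prefix).
BGP_UPDATES = [
    ("2006-01-01T10:00:00", "announce", "203.0.113.0/24"),
    ("2006-01-01T10:04:00", "withdraw", "203.0.113.0/24"),
    ("2005-12-01T00:00:00", "announce", "198.51.100.0/24"),  # stable route
]

# Constructed sinkhole spam log: (ISO timestamp, relay IP).
SPAM_LOG = [
    ("2006-01-01T10:02:30", "203.0.113.77"),
    ("2006-01-01T10:03:10", "203.0.113.9"),
    ("2006-01-01T10:02:00", "198.51.100.5"),
]


def route_intervals(updates):
    """Pair each announcement with the next withdrawal of the same prefix.

    Returns [(network, announced_at, withdrawn_at_or_None)].
    """
    open_at, intervals = {}, []
    for ts, action, prefix in sorted(updates):
        net, t = ipaddress.ip_network(prefix), datetime.fromisoformat(ts)
        if action == "announce":
            open_at[net] = t
        elif action == "withdraw" and net in open_at:
            intervals.append((net, open_at.pop(net), t))
    intervals.extend((net, t, None) for net, t in open_at.items())
    return intervals


def spam_from_transient_routes(spam_log, updates, max_lifetime=MAX_ROUTE_LIFETIME):
    """Relay IPs whose longest-matching route at arrival time lived < max_lifetime."""
    intervals, flagged = route_intervals(updates), []
    for ts, ip in spam_log:
        t, addr = datetime.fromisoformat(ts), ipaddress.ip_address(ip)
        live = [(net, a, w) for net, a, w in intervals
                if addr in net and a <= t and (w is None or t <= w)]
        if not live:
            continue                      # no covering route at arrival time
        net, a, w = max(live, key=lambda r: r[0].prefixlen)
        if w is not None and w - a < max_lifetime:
            flagged.append(ip)
    return flagged
```

The fraction `len(flagged) / len(SPAM_LOG)` is the prevalence figure the slide reports; on the constructed data two of three messages came via the four-minute route.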

29
Outline
  • Background
  • Data Collection
  • Data Analysis
  • Network-level Characteristics of Spammers
  • Spam from Botnets
  • Spam from Transient BGP Announcements
  • Discussion

30
Contribution
  • Suggests using network-level properties of
    spammers as an addition to existing spam
    mitigation techniques
  • Quantifies and documents, for the first time,
    spammers' use of short-lived BGP route
    announcements
  • Presents the first study examining the interplay
    between spam, botnets and the Internet routing
    infrastructure
  • Reports many useful findings about the
    network-level properties of spam

31
Weakness
  • Uses only a small sample, so it cannot provide
    general conclusions about Internet-wide
    characteristics
  • Only studied spam sent by Bobax drones
  • The botnet command-and-control data collection
    assumes hosts were not patched and did not use
    dynamic addressing during the trace.

32
How to improve
  • Design a better notion of host identity
  • Detection techniques based on aggregate behavior
  • Securing the Internet routing infrastructure
  • Incorporating some network-level properties of
    spam into spam filters