DOI: 10.1145/2590296.2590302
research-article

The harvester, the botmaster, and the spammer: on the relations between the different actors in the spam landscape

Published: 04 June 2014

ABSTRACT

A spammer needs three elements to run a spam operation: a list of victim email addresses, content to be sent, and a botnet to send it. Each of these three elements is critical for the success of the spam operation: a good email list should be composed of valid email addresses, good email content should both be convincing to the reader and evade anti-spam filters, and a good botnet should send spam efficiently. Given how critical these three elements are, figures specialized in one of these elements have emerged in the spam ecosystem. Email harvesters crawl the web and compile email lists, botmasters infect victim computers and maintain efficient botnets for spam dissemination, and spammers rent botnets and buy email lists to run spam campaigns. Previous research suggested that email harvesters and botmasters sell their services to spammers in a prosperous underground economy. No rigorous research has been performed, however, on understanding the relations between these three actors. This paper aims to shed some light on the relations between harvesters, botmasters, and spammers. By disseminating email addresses on the Internet, fingerprinting the botnets that contact these addresses, and looking at the content of these emails, we can infer the relations between the actors involved in the spam ecosystem. Our observations can be used by researchers to develop more effective anti-spam systems.

Published in

ASIA CCS '14: Proceedings of the 9th ACM symposium on Information, computer and communications security
June 2014
556 pages
ISBN: 9781450328005
DOI: 10.1145/2590296

Copyright © 2014 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

ASIA CCS '14 Paper Acceptance Rate: 50 of 255 submissions, 20%
Overall Acceptance Rate: 418 of 2,322 submissions, 18%