Botnet spam campaigns can be long lasting: Evidence, implications, and analysis

Abhinav Pathak; Feng Qian; Y. Charlie Hu; Z. Morley Mao; Supranamaya Ranjan

doi:10.1145/1555349.1555352

Botnet spam campaigns can be long lasting: Evidence, implications, and analysis

Abhinav Pathak, Feng Qian, Y. Charlie Hu, Z. Morley Mao, Supranamaya Ranjan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

40 Scopus citations

Abstract

Accurately identifying spam campaigns launched by a large number of bots in a botnet allows for accurate spam campaign signature generation and hence is critical to defeating spamming botnets. The straight-forward approach of clustering all spam containing the same label such as an URL into a campaign can be easily defeated by techniques such as simple obfuscations of URLs. In this paper, we perform a comprehensive study of content-agnostic characteristics of spam campaigns, e.g., duration and source-network distribution of spammers, in order to ascertain whether and how they can assist the simple label-based clustering methods in identifying campaigns and generating campaign signatures. In particular, from a five-month trace collected by a relay sinkhole, we manually identified and then analyzed seven URL-based botnet spam campaigns consisting of 52 million spam messages sent over 2.09 million SMTP connections originated from over 150,000 non-proxy spamming hosts and destined to about 200,000 end domains. Our analysis shows that the spam campaigns, when observed from large destination domains, exhibit durations far longer than the five-day period as reported in a recent study. We analyze the implications of this finding on spam campaign signature generation. We further study other characteristics of these long-lasting campaigns. Our analysis reveals several new findings regarding workload distribution, sending patterns, and coordination among the spamming machines.

Original language	English (US)
Title of host publication	SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems
Pages	13-24
Number of pages	12
Edition	1
DOIs	https://doi.org/10.1145/1555349.1555352
State	Published - 2009
Externally published	Yes
Event	11th International Joint Conference on Measurement and Modeling of Computer Systems, SIGMETRICS/Performance'09 - Seattle, WA, United States Duration: Jun 15 2009 → Jun 19 2009

Publication series

Name	SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems
Number	1
Volume	37

Conference

Conference	11th International Joint Conference on Measurement and Modeling of Computer Systems, SIGMETRICS/Performance'09
Country/Territory	United States
City	Seattle, WA
Period	6/15/09 → 6/19/09

Keywords

Botnet
Burstiness
Distributedness
Open relay
Spam campaign

Publisher link

10.1145/1555349.1555352

Find It

Find It at U of M Libraries

Cite this

Pathak, A., Qian, F., Hu, Y. C., Mao, Z. M., & Ranjan, S. (2009). Botnet spam campaigns can be long lasting: Evidence, implications, and analysis. In SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems (1 ed., pp. 13-24). Article 1555352 (SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems; Vol. 37, No. 1). https://doi.org/10.1145/1555349.1555352

Botnet spam campaigns can be long lasting: Evidence, implications, and analysis. / Pathak, Abhinav; Qian, Feng; Hu, Y. Charlie et al.
SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems. 1. ed. 2009. p. 13-24 1555352 (SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems; Vol. 37, No. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Pathak, A, Qian, F, Hu, YC, Mao, ZM & Ranjan, S 2009, Botnet spam campaigns can be long lasting: Evidence, implications, and analysis. in SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems. 1 edn, 1555352, SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems, no. 1, vol. 37, pp. 13-24, 11th International Joint Conference on Measurement and Modeling of Computer Systems, SIGMETRICS/Performance'09, Seattle, WA, United States, 6/15/09. https://doi.org/10.1145/1555349.1555352

Pathak A, Qian F, Hu YC, Mao ZM, Ranjan S. Botnet spam campaigns can be long lasting: Evidence, implications, and analysis. In SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems. 1 ed. 2009. p. 13-24. 1555352. (SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems; 1). doi: 10.1145/1555349.1555352

Pathak, Abhinav ; Qian, Feng ; Hu, Y. Charlie et al. / Botnet spam campaigns can be long lasting : Evidence, implications, and analysis. SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems. 1. ed. 2009. pp. 13-24 (SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems; 1).

@inproceedings{122b1aa09db24a108506575c91a0d36d,

title = "Botnet spam campaigns can be long lasting: Evidence, implications, and analysis",

abstract = "Accurately identifying spam campaigns launched by a large number of bots in a botnet allows for accurate spam campaign signature generation and hence is critical to defeating spamming botnets. The straight-forward approach of clustering all spam containing the same label such as an URL into a campaign can be easily defeated by techniques such as simple obfuscations of URLs. In this paper, we perform a comprehensive study of content-agnostic characteristics of spam campaigns, e.g., duration and source-network distribution of spammers, in order to ascertain whether and how they can assist the simple label-based clustering methods in identifying campaigns and generating campaign signatures. In particular, from a five-month trace collected by a relay sinkhole, we manually identified and then analyzed seven URL-based botnet spam campaigns consisting of 52 million spam messages sent over 2.09 million SMTP connections originated from over 150,000 non-proxy spamming hosts and destined to about 200,000 end domains. Our analysis shows that the spam campaigns, when observed from large destination domains, exhibit durations far longer than the five-day period as reported in a recent study. We analyze the implications of this finding on spam campaign signature generation. We further study other characteristics of these long-lasting campaigns. Our analysis reveals several new findings regarding workload distribution, sending patterns, and coordination among the spamming machines.",

keywords = "Botnet, Burstiness, Distributedness, Open relay, Spam campaign",

author = "Abhinav Pathak and Feng Qian and Hu, {Y. Charlie} and Mao, {Z. Morley} and Supranamaya Ranjan",

year = "2009",

doi = "10.1145/1555349.1555352",

language = "English (US)",

isbn = "9781605585116",

series = "SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems",

number = "1",

pages = "13--24",

booktitle = "SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems",

edition = "1",

note = "11th International Joint Conference on Measurement and Modeling of Computer Systems, SIGMETRICS/Performance'09 ; Conference date: 15-06-2009 Through 19-06-2009",

}

TY - GEN

T1 - Botnet spam campaigns can be long lasting

T2 - 11th International Joint Conference on Measurement and Modeling of Computer Systems, SIGMETRICS/Performance'09

AU - Pathak, Abhinav

AU - Qian, Feng

AU - Hu, Y. Charlie

AU - Mao, Z. Morley

AU - Ranjan, Supranamaya

PY - 2009

Y1 - 2009

N2 - Accurately identifying spam campaigns launched by a large number of bots in a botnet allows for accurate spam campaign signature generation and hence is critical to defeating spamming botnets. The straight-forward approach of clustering all spam containing the same label such as an URL into a campaign can be easily defeated by techniques such as simple obfuscations of URLs. In this paper, we perform a comprehensive study of content-agnostic characteristics of spam campaigns, e.g., duration and source-network distribution of spammers, in order to ascertain whether and how they can assist the simple label-based clustering methods in identifying campaigns and generating campaign signatures. In particular, from a five-month trace collected by a relay sinkhole, we manually identified and then analyzed seven URL-based botnet spam campaigns consisting of 52 million spam messages sent over 2.09 million SMTP connections originated from over 150,000 non-proxy spamming hosts and destined to about 200,000 end domains. Our analysis shows that the spam campaigns, when observed from large destination domains, exhibit durations far longer than the five-day period as reported in a recent study. We analyze the implications of this finding on spam campaign signature generation. We further study other characteristics of these long-lasting campaigns. Our analysis reveals several new findings regarding workload distribution, sending patterns, and coordination among the spamming machines.

AB - Accurately identifying spam campaigns launched by a large number of bots in a botnet allows for accurate spam campaign signature generation and hence is critical to defeating spamming botnets. The straight-forward approach of clustering all spam containing the same label such as an URL into a campaign can be easily defeated by techniques such as simple obfuscations of URLs. In this paper, we perform a comprehensive study of content-agnostic characteristics of spam campaigns, e.g., duration and source-network distribution of spammers, in order to ascertain whether and how they can assist the simple label-based clustering methods in identifying campaigns and generating campaign signatures. In particular, from a five-month trace collected by a relay sinkhole, we manually identified and then analyzed seven URL-based botnet spam campaigns consisting of 52 million spam messages sent over 2.09 million SMTP connections originated from over 150,000 non-proxy spamming hosts and destined to about 200,000 end domains. Our analysis shows that the spam campaigns, when observed from large destination domains, exhibit durations far longer than the five-day period as reported in a recent study. We analyze the implications of this finding on spam campaign signature generation. We further study other characteristics of these long-lasting campaigns. Our analysis reveals several new findings regarding workload distribution, sending patterns, and coordination among the spamming machines.

KW - Botnet

KW - Burstiness

KW - Distributedness

KW - Open relay

KW - Spam campaign

UR - http://www.scopus.com/inward/record.url?scp=70449652587&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70449652587&partnerID=8YFLogxK

U2 - 10.1145/1555349.1555352

DO - 10.1145/1555349.1555352

M3 - Conference contribution

AN - SCOPUS:70449652587

SN - 9781605585116

T3 - SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems

SP - 13

EP - 24

BT - SIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems

Y2 - 15 June 2009 through 19 June 2009

ER -

Botnet spam campaigns can be long lasting: Evidence, implications, and analysis

Abstract

Publication series

Conference

Keywords

Publisher link

Find It

Other files and links

Fingerprint

Cite this