Botnet spam campaigns can be long lasting: Evidence, implications, and analysis

Abhinav Pathak, Feng Qian, Y. Charlie Hu, Z. Morley Mao, Supranamaya Ranjan

Research output: Chapter in Book/Report/Conference proceedingConference contribution

38 Scopus citations

Abstract

Accurately identifying spam campaigns launched by a large number of bots in a botnet allows for accurate spam campaign signature generation and hence is critical to defeating spamming botnets. The straight-forward approach of clustering all spam containing the same label such as an URL into a campaign can be easily defeated by techniques such as simple obfuscations of URLs. In this paper, we perform a comprehensive study of content-agnostic characteristics of spam campaigns, e.g., duration and source-network distribution of spammers, in order to ascertain whether and how they can assist the simple label-based clustering methods in identifying campaigns and generating campaign signatures. In particular, from a five-month trace collected by a relay sinkhole, we manually identified and then analyzed seven URL-based botnet spam campaigns consisting of 52 million spam messages sent over 2.09 million SMTP connections originated from over 150,000 non-proxy spamming hosts and destined to about 200,000 end domains. Our analysis shows that the spam campaigns, when observed from large destination domains, exhibit durations far longer than the five-day period as reported in a recent study. We analyze the implications of this finding on spam campaign signature generation. We further study other characteristics of these long-lasting campaigns. Our analysis reveals several new findings regarding workload distribution, sending patterns, and coordination among the spamming machines.

Original languageEnglish (US)
Title of host publicationSIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems
Pages13-24
Number of pages12
Edition1
DOIs
StatePublished - Nov 23 2009
Externally publishedYes
Event11th International Joint Conference on Measurement and Modeling of Computer Systems, SIGMETRICS/Performance'09 - Seattle, WA, United States
Duration: Jun 15 2009Jun 19 2009

Publication series

NameSIGMETRICS/Performance'09 - Proceedings of the 11th International Joint Conference on Measurement and Modeling of Computer Systems
Number1
Volume37

Conference

Conference11th International Joint Conference on Measurement and Modeling of Computer Systems, SIGMETRICS/Performance'09
CountryUnited States
CitySeattle, WA
Period6/15/096/19/09

Keywords

  • Botnet
  • Burstiness
  • Distributedness
  • Open relay
  • Spam campaign

Fingerprint Dive into the research topics of 'Botnet spam campaigns can be long lasting: Evidence, implications, and analysis'. Together they form a unique fingerprint.

Cite this