Spammers operations: A multifaceted strategic analysis

O. Thonnard, Pierre Antoine Vervier, M. Dacier

Research output: Contribution to journalArticlepeer-review

3 Scopus citations

Abstract

There is a consensus in the anti-spam community regarding the prevalence of spam botnets and the significant role they play in the worldwide spam problem. Nevertheless, far less attention has been devoted to studying the strategic behavior of spammers on a long-term basis. This paper explores several facets of spammers operations by providing three essential perspectives: (i) we study the inter-relationships among spam botnets through their aggregate spam campaigns, and we focus on identifying similarities or differences in their modus operandi; (ii) we look at the impact of the Rustock takedown on the botnet ecosystem; and (iii) we study the conjecture about spammers hijacking unused IP space to send spam in a stealthy way. To that end, we have analyzed over one million spam records collected by Symantec.cloud (formerly MessageLabs) through worldwide distributed spamtraps. Our methodology leverages techniques relying on data fusion and multi-criteria decision analysis to extract intelligence from large spam data sets by automatically correlating spam campaigns according to various combinations of spam features. We also take advantage of node-link visualizations developed in the context of VIS-SENSE, a research project aiming at developing Visual Analytics technologies for the security domain. Using these visualizations, we illustrate the tight relationships that exist among different botnet families (such as Rustock/Grum or Lethic/Maazben). Regarding the disruption of Rustock on 17 March 2011, our experimental results provide substantial evidence indicating that part of the botnet activity may have been offloaded to Grum shortly after the takedown operation. Finally, we analyzed over 1year of spam data enriched with Border Gateway Protocol data and found that an increasing amount of spam may have been sent from IP blocks hijacked for several weeks or months, even though this phenomenon remains marginal at this time compared with spam sent from large botnets.
Original languageEnglish (US)
Pages (from-to)336-356
Number of pages21
JournalSecurity and Communication Networks
Volume9
Issue number4
DOIs
StatePublished - Mar 10 2016
Externally publishedYes

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Spammers operations: A multifaceted strategic analysis'. Together they form a unique fingerprint.

Cite this