Spam Sinkholing
Nick Feamster

Introduction
Goal: Identify bots (and botnets) by observing second-order effects
  – Observe application behavior that's likely to contain bot activity (spam is a good candidate: > 85% of spam coming from bots as of 4Q 2005)
Advantages:
  – Direct observation of behavior
  – Potentially very wide lens
  – Passive
Disadvantage: No ground truth

Spam Collection Overview
Trap mail sent to dead domains
Log IPs
Perform active and passive measurements
  – Traceroute
  – Passive SYN fingerprints
  – DNSBL lookups, etc.

Data Collection Overview
[Diagram; labels: Spammer, DNS MX lookups, Resolve to sinkhole, Mail Avenger, sendmail, Blowtorch (GTISC), dynamo, rsync (schema on wiki)]
O(100k) pieces of spam per week
Hundreds of domains

Sample Mail Avenger Header
Highly configurable SMTP server that collects many useful statistics

Database Schema Sample
CREATE TABLE spamtrap_ (
    entrytime        timestamp with time zone default NULL,
    trap_domain      text default NULL,
    client_ip        ip4 default NULL,       -- ip4 type comes from the PostgreSQL ip4r extension
    client_port      smallint default NULL,
    traceroute_time  timestamp with time zone default NULL,
    to_              text default NULL,
    delivered_to     text default NULL,
    subject          text default NULL,
    xmailer          text default NULL,
    from_            text default NULL,
    dnsbl_id         integer default NULL,   -- assumed column so the FOREIGN KEY below has something to reference
    id               serial,                 -- serial already supplies its own default (nextval); a second default is an error
    FOREIGN KEY (dnsbl_id) REFERENCES spamtrap_dnsbl (dnsbl_id)
) tablespace dataspace;

Uses for Data
Identification: Low-confidence list of likely bot IPs
Bootstrapping: Use as a starter set for some intractable analysis problems
  – Use this low-confidence list to prune DNSBL graph mining
  – Feed this information back to ISPs to focus mining
Second-order effects
  – Analysis of hosting sites for URLs
  – Clustering

Analysis Within Spam Dataset
Clustering to identify groups (coordination suggests likely bot)
  – Temporal-based correlation
  – Content-based correlation, based on URLs
Analysis of hosting URLs: perhaps useful for identifying phishing sites
  – Where hosted?
  – Transience?

Correlation: Across Datasets
DNSBL datasets require bootstrapping
  – As per SRUTI paper
  – Use spam dataset as a graph pruning mechanism
Possibility: Use spam sinkhole as a source for malware. Strip attachments.
  – Likely already being done by lots of others
Get information about exfiltration addresses and domains from binary analysis
  – Look for those appearing in sinkhole to build confidence and monitor ongoing activity
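An added example, not code from the slides or from the sinkhole project, of the analysis the "Analysis Within Spam Dataset" and "Correlation: Across Datasets" slides describe: sender IPs are clustered by the host advertised in their spam URLs (content-based correlation) and by how closely in time they sent it (temporal correlation) to produce the low-confidence bot list, and a cluster whose host also appears in a list of domains recovered from binary analysis is promoted to medium confidence. All rows, IPs and hosts are constructed, and `exfil_hosts` is a placeholder for that binary-analysis output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hostname of each http(s) URL advertised in a message body.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed sample sinkhole rows (entrytime, client_ip, subject+body); not real trap data.
SPAM = [
    ("2005-11-02 10:00:05", "198.51.100.7", "cheap meds http://pills.example/buy"),
    ("2005-11-02 10:00:41", "203.0.113.9", "CHEAP MEDS http://PILLS.example/buy?x=1"),
    ("2005-11-02 10:01:10", "192.0.2.200", "meds http://pills.example/order"),
    ("2005-11-02 18:30:00", "198.51.100.7", "again http://pills.example/buy"),
    ("2005-11-03 09:00:00", "192.0.2.33", "newsletter http://legit.example/issue"),
    ("2005-11-04 11:00:00", "203.0.113.50", "newsletter http://legit.example/issue2"),
]

def parse(rows):
    """Flatten rows into (time, sender_ip, advertised_host) tuples, one per distinct host."""
    out = []
    for ts, ip, body in rows:
        for host in {h.lower() for h in URL_RE.findall(body)}:
            out.append((datetime.fromisoformat(ts), ip, host))
    return out

def url_clusters(rows, window=timedelta(minutes=5), min_senders=3):
    """Content-based correlation (same advertised host) plus temporal correlation:
    a host forms a cluster only if >= min_senders distinct IPs advertised it within one window."""
    by_host = defaultdict(list)
    for ts, ip, host in parse(rows):
        by_host[host].append((ts, ip))
    clusters = {}
    for host, hits in by_host.items():
        hits.sort()  # slide a window over the time-ordered hits for this host
        for i, (t0, _) in enumerate(hits):
            ips = {ip for t, ip in hits[i:] if t - t0 <= window}
            if len(ips) >= min_senders:
                clusters[host] = ips
                break
    return clusters

def likely_bots(rows, exfil_hosts=frozenset()):
    """Map sender IP -> confidence. Coordination alone gives 'low'; a cluster whose host is also
    in exfil_hosts (placeholder for domains recovered from binary analysis) gives 'medium'."""
    verdict = {}
    for host, ips in url_clusters(rows).items():
        level = "medium" if host in exfil_hosts else "low"
        for ip in ips:
            verdict[ip] = level if verdict.get(ip) != "medium" else "medium"
    return verdict
```

The two senders of legit.example never fall inside one window, so they stay off the list; the three pills.example senders do, which is the coordination signal the slides rely on.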