Presentation is loading. Please wait.

Presentation is loading. Please wait.

Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely.

Published byLily Barton Modified over 10 years ago

Similar presentations

Presentation on theme: "Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely."— Presentation transcript:

1 Spam Sinkholing Nick Feamster

2 Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely to contain bot activity (spam is a good candidate: > 85% of spam coming from bots as of 4Q 2005) Advantages: –Direct observation of behavior –Potentially very wide lens –Passive Disadvantage: No ground truth

3 Spam Collection Overview Trap mail sent to dead domains Log IPs Perform active and passive measurements –Traceroute –Passive SYN fingerprints –DNSBL lookups, etc.

4 Data Collection Overview Mail Avenger sendmail Spammer DNS MX lookups Resolve to sinkhole Blowtorch (GTISC) dynamo rsync (schema on wiki) O(100k) pieces of spam per week Hundreds of domains

5 Sample Mail Avenger Header Highly configurable SMTP server that collects many useful statistics

6 Database Schema Sample CREATE TABLE spamtrap_email ( entrytime timestamp with timezone default NULL, trap_domain text default NULL, client_ip ip4 default NULL, client_port smallint default NULL, traceroute_time timestamp with timezone default NULL, to_ text default NULL, delivered_to text default NULL, subject text default NULL, xmailer text default NULL, from_ text default NULL, emailid serial default NULL, FOREIGN KEY(dnsbl_id) on spamtrap_dnsbl(dnsbl_id), ) tablespace dataspace;

7 Uses for Data Identification: Low-confidence list of likely bot IPs Bootstrapping: Use as a starter set for some intractable analysis problems –Use this low-confidence list to prune DNSBL graph mining –Feed this information back to ISPs to focus mining Second-order effects –Analysis of hosting sites for URLs –Clustering

8 Analysis Within Spam Dataset Clustering to identify groups (coordination suggests likely bot) –Temporal-based correlation –Content-based correlation Based on URLs Analysis of hosting URLs: Perhaps useful for identifying phishing sites –Where hosted? –Transience?

9 Correlation: Across Datasets DNSBL datasets require bootstrapping –As per SRUTI paper –Use spam dataset as a graph pruning mechanism Possibility: Use spam sinkhole as a source for malware. Strip attachments. –Likely already being done by lots of others Get information about exfiltration email addresses and domains from binary analysis –Look for those appearing in sinkhole to build confidence and monitor ongoing activity

Download ppt "Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely."

Similar presentations

Nick Feamster Georgia Tech

Nick Feamster Georgia Tech
Revealing Botnet Membership Using DNSBL Counter-Intelligence Anirudh Ramachandran, Nick Feamster, David Dagon College of Computing, Georgia Tech.

Revealing Botnet Membership Using DNSBL Counter-Intelligence Anirudh Ramachandran, Nick Feamster, David Dagon College of Computing, Georgia Tech.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Dynamics of Online Scam Hosting Infrastructure

Dynamics of Online Scam Hosting Infrastructure
11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.

11/20/09 ONR MURI Project Kick-Off 1 Network-Level Monitoring for Tracking Botnets Nick Feamster School of Computer Science Georgia Institute of Technology.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.

Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Spam and Botnets: Characterization and Mitigation Nick Feamster Anirudh Ramachandran David Dagon Georgia Tech.

Spam and Botnets: Characterization and Mitigation Nick Feamster Anirudh Ramachandran David Dagon Georgia Tech.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.

Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.

Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.

Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Network-Based Spam Filtering Anirudh Ramachandran Nick Feamster Georgia Tech.

Network-Based Spam Filtering Anirudh Ramachandran Nick Feamster Georgia Tech.
Network-Based Spam Filtering Nick Feamster Georgia Tech Joint work with Anirudh Ramachandran and Santosh Vempala.

Network-Based Spam Filtering Nick Feamster Georgia Tech Joint work with Anirudh Ramachandran and Santosh Vempala.
The Datapository Dave Andersen, CMU James Moss, CMU Nick Feamster, Georgia Tech

The Datapository Dave Andersen, CMU James Moss, CMU Nick Feamster, Georgia Tech
Network Security Highlights Nick Feamster Georgia Tech.

Network Security Highlights Nick Feamster Georgia Tech.
1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.

1 Dynamics of Online Scam Hosting Infrastructure Maria Konte, Nick Feamster Georgia Tech Jaeyeon Jung Intel Research.
1 Network-Level Spam Detection Nick Feamster Georgia Tech.

1 Network-Level Spam Detection Nick Feamster Georgia Tech.
Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.

Spamming with BGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech.
Network-Based Spam Filtering Nick Feamster Georgia Tech with Anirudh Ramachandran, Nadeem Syed, Alex Gray, Sven Krasser, Santosh Vempala.

Network-Based Spam Filtering Nick Feamster Georgia Tech with Anirudh Ramachandran, Nadeem Syed, Alex Gray, Sven Krasser, Santosh Vempala.
A look into Bullet Proof Hosting November 2014 - DefCamp 5 Silviu Sofronie – Head of Forensics

A look into Bullet Proof Hosting November DefCamp 5 Silviu Sofronie – Head of Forensics

Similar presentations

Ads by Google