Presentation is loading. Please wait.

Presentation is loading. Please wait.

Spamscatter: Characterizing Internet Scam Hosting Infrastructure By D. Anderson, C. Fleizach, S. Savage, and G. Voelker Presented by Mishari Almishari.

Published byBarbra Page Modified over 8 years ago

Similar presentations

Presentation on theme: "Spamscatter: Characterizing Internet Scam Hosting Infrastructure By D. Anderson, C. Fleizach, S. Savage, and G. Voelker Presented by Mishari Almishari."— Presentation transcript:

1 Spamscatter: Characterizing Internet Scam Hosting Infrastructure By D. Anderson, C. Fleizach, S. Savage, and G. Voelker Presented by Mishari Almishari

2 Introduction  Spam, unsolicited bulk email, attained public recognition  In 2006, industry estimated that spam messages comprise 80% over all emails  However, money-making scams are the engine that drives such emails  Spam is only a way to drag the user to a website (scam)

3 Paper Contribution Performing some measurements to understand and characterize the scams infrastructure that derives the Spams

4 Methodology 1. Collect over one million spam messages 2. Identify the urls in spam messages and follow the links to the final destination 3. Collect all the web pages of those destinations servers 4. Perform “ Image Shingling ” to cluster the web pages and identify unique scams 5. Finally, probe the scam servers to characterize dynamic behaviors like availability and lifetime

5 Spam Feed  Spam Feed: All messages sent to any email address at a well-known four-letter top-level domain  Receives over 150,000 per day collecting more than one million in total  Any email sent is spam because no active users on the mail server for the domain  93% of the “ From ” addresses are used only once => use of random source address to defeat address-based spam blacklists  Disadvantage: Single Spam Feed may introduce bias and may not be representative

6 Spamscatter: Data Collection  Probing Tool  Input: Spam Feed, Then extracts sender and URLs and probes those hosts  Sender @: ping, trace-route, and DNSBL  URLs: ping, trace-route, DNSBL, HTML page, and a screen shot of browser window  Repeat probing of URLs every 3 hours for one week

7 Image Shingling  Depend on the webpage to identify unique scams Can ’ t depend on Host IPs, a host may serve multiple scams A scam may be hosted on multiple virtual servers with different ips  Depend on scam content and identify by using image shingling algorithm Why image shingling? Depend on the spam messages, but randomness is a problem Compare URLs, might change for the same scam to defeat URL blacklisting Compare HTML content, but many pages has insufficient textual information

8 Image Shingling (continue)  Compare screen shots of web browser  Divide image into fixed memory chunks (40 X 40 pixels best trade-off between granularity and shingling performance)  Hash each chunck to creat an image shingle  Similar if they share at least a threshold of similar images.  By manually inspecting, found that 70% threshold minimizes false negatives and false positives of determining equivalence

9 Results and Analysis Summary

10 Results and Analysis Categories

11 Results and Analysis (Distributed infrastructure)  Scams may use multiple hosts for fault-tolerance, resilience of blacklisting, and for load balancing  94 % of scams are hosted one a single IP addresses and 84% were hosted on single domain  10% uses 3 or more domains and 1% uses 15 or more  Of the 139 ip distributed scams, 86% were located on distinct /24 networks and 68% has host ips that are in different ASes, scammers concerned about resilience to defenses

12 Results & Analysis (distributed infrasturcture)

13 Shared Infrastructure (shared scams)  38% of the scams were hosted on machines hosting at least another scam  Ten servers hosted ten or more scams, top three are: 22, 18 and 15 => Either scammers run multiple different scams on the host they control or hosts are made available to multiple scammers

14 Sharing over time  96% of pairs overlapped in time

15 Shared between scam hosts and Relays  9.7 % between the scam hosts and relays

16 Life time

17 Life Time by category

18 Spam Campaign Life Time

19 Stability  Availability is the number of successful web page downloads divided by the number of attempts  Scam had excellent availability: over 90% had an availability of 99% or higher and most of the remaining had 98% or more availability  As fingerprinted by p0f, more unix servers (43%) than windows (30%) and all of them had reported good link connectivity

20 Scam Locations

21 Spam Relay Locations

22 Conclusion  Perform some measurements of the scam infrastructure  Identify the Spamscatter technique for identifying the scam infrastructure  2,000 unique scams are identified deployed over 7,000 different hosts  Life time of a scam is much longer than the spam

Download ppt "Spamscatter: Characterizing Internet Scam Hosting Infrastructure By D. Anderson, C. Fleizach, S. Savage, and G. Voelker Presented by Mishari Almishari."

Similar presentations

200 300 400 500 100 200 300 400 500 100 200 300 400 500 100 200 300 400 500 100 200 300 400 500 100 BlueRedGreenPurpleOrange.

BlueRedGreenPurpleOrange.
A look into Bullet Proof Hosting November 2014 - DefCamp 5 Silviu Sofronie – Head of Forensics

A look into Bullet Proof Hosting November DefCamp 5 Silviu Sofronie – Head of Forensics
Click Trajectories: End-to-End Analysis of the Spam Value Chain Author : Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, M’ark F’elegyh’azi,

Click Trajectories: End-to-End Analysis of the Spam Value Chain Author : Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, M’ark F’elegyh’azi,
Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,

Design and Evaluation of a Real- Time URL Spam Filtering Service Kurt Thomas, Chris Grier, Justin Ma, Vern Paxson, Dawn Song University of California,
Phishing (pronounced “fishing”) is the process of sending e-mail messages to lure Internet users into revealing personal information such as credit card.

Phishing (pronounced “fishing”) is the process of sending messages to lure Internet users into revealing personal information such as credit card.
 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.

 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.
Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.

Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.
The Internet Useful Definitions and Concepts About the Internet.

The Internet Useful Definitions and Concepts About the Internet.
Detecting Near Duplicates for Web Crawling Authors : Gurmeet Singh Mank Arvind Jain Anish Das Sarma Presented by Chintan Udeshi 6/28/2011 1 Udeshi-CS572.

Detecting Near Duplicates for Web Crawling Authors : Gurmeet Singh Mank Arvind Jain Anish Das Sarma Presented by Chintan Udeshi 6/28/ Udeshi-CS572.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
IMC 2004Jeff Pang 1 Availability, Usage, and Deployment Characteristics of the Domain Name System Jeffrey Pang *, James Hendricks *, Aditya Akella *, Roberto.

IMC 2004Jeff Pang 1 Availability, Usage, and Deployment Characteristics of the Domain Name System Jeffrey Pang *, James Hendricks *, Aditya Akella *, Roberto.
Spamscatter 1 Aug. 9 th, 2007Usenix Security 2007 Spamscatter: David S. Anderson, Chris Fleizach, Stefan Savage, and Geoffrey M. Voelker University of.

Spamscatter 1 Aug. 9 th, 2007Usenix Security 2007 Spamscatter: David S. Anderson, Chris Fleizach, Stefan Savage, and Geoffrey M. Voelker University of.
Lesson 19 Internet Basics.

Lesson 19 Internet Basics.
Teach a man (person) to Phish Recognizing email scams, spams and other personal security attacks July 17 th, 2013 High Tea at IT, Summer, 2013.

Teach a man (person) to Phish Recognizing scams, spams and other personal security attacks July 17 th, 2013 High Tea at IT, Summer, 2013.
Internet Basics.

Internet Basics.
Team Excel What is SPAM ?. Spam Offense Team Excel '‘a distinctive chopped pork shoulder and ham mixture'' Image Source:Appscout.com.

Team Excel What is SPAM ?. Spam Offense Team Excel '‘a distinctive chopped pork shoulder and ham mixture'' Image Source:Appscout.com.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
Visit www.EmailDelivered.com for Email Marketing and Deliverability Tips, Tools, & Trainingwww.EmailDelivered.com.

Visit for Marketing and Deliverability Tips, Tools, & Trainingwww. Delivered.com.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING

Similar presentations

Ads by Google