
11 Spamcraft: An Inside Look At Spam Campaign Orchestration Reporter: 林佳宜 Advisor: Chun-Ying Huang 2016/6/3.




1 11 Spamcraft: An Inside Look At Spam Campaign Orchestration
Reporter: 林佳宜
Advisor: Chun-Ying Huang
Email: M98570015@mail.ntou.edu.tw
2016/6/3

2 References
C. Kreibich et al., "Spamcraft: An Inside Look At Spam Campaign Orchestration," LEET'09

3 Outline
 Introduction
 Storm Botnet
 Analysis
 Conclusion

4 Introduction
 Unsolicited bulk email (“spam”) has evolved dramatically in its volume
 90% of all email is considered spam
 But spam is not well understood from the spammer’s viewpoint
 In particular: the spam campaign
 In this paper
◦ present an inside look at how such campaign orchestration takes place

5 Storm Botnet
Four-tiered architecture
 botmaster
 HTTP proxies
 proxy bots
 worker bots
Storm locates proxy bots
 via the UDP-based Overnet protocol
Issues work requests
 via the TCP-based command and control (C&C) protocol

6 Spam message composition
Worker bots acquire new spamming instructions
– in a pull-based fashion
Issue requests for spam material
– (i) template material
– (ii) sets of dictionaries
– (iii) lists of target email addresses

7 Worker bot work
Once spamming completes, workers send
– delivery reports
– listing addresses delivered successfully
– error codes for failed deliveries
Worker bots also search for email addresses
– on the compromised computer
– sent to the botmaster
– activity called “harvesting”
Anything syntactically resembling an email address is harvested
– i.e. any string matching the pattern “*@*.*”

8 Harvested addresses
To investigate the use of harvested email addresses by the botmaster
◦ inject “marker” email addresses
◦ injected 3 unique email addresses
A format that allowed us to track their subsequent use:
◦ [harvest].[worker]@[random].[domain]

9 Methodology
Two separate platforms to conduct the measurements
◦ C&C crawler
 tapped into Storm’s network to collect update messages
◦ C&C rewriter
 using proxy bots in a controlled environment

10 C&C crawler

11 C&C rewriter

12 Collected datasets
Three data sets we collected for this study
◦ crawl-based (CB) dataset
◦ proxy-based (PB) dataset
◦ harvest injection (HI) dataset

13 Terminology
Talk about campaigns at three levels of abstraction:
◦ CLASSES of campaigns
 correspond to the broad intent
 such as phishing, pharmaceutical offers, stock scams
◦ TYPES of campaigns
 sets of spam messages
 for example, templates containing the string “linksh”
◦ INSTANCES of campaigns
 a campaign type can run as multiple instances continuously during a period of time

14 Campaign classes
Revealed a rich set of campaigns
◦ grouped into ten classes

15 Instance duration
Instances are often short
◦ 65% of them last less than 2 hours
The longest-running instances
◦ Pharmaceutical: running for months at a time, 12 days without interruption
◦ self-propagation instances

16 Instance duration (cont.)

17 Address harvesting
Injected addresses were added to the spammer’s distribution
◦ five days: seen in the Pharma campaign
Make the following observations
◦ addresses are not used repeatedly
◦ addresses are picked in a round-robin fashion
◦ grouping of addresses harvested together
 Triple: 40.2%
 Pair: 26.3%
 Single: 33.4%
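As an added example (not the paper's or the presenters' code), a small Python tracker for the marker format on slide 8 and the observations on slide 17: it builds marker addresses, decodes which harvest event and worker bot an observed recipient address came from, and tallies whether a harvest's injected addresses were retrieved as a triple, pair or single and whether any address was reused. The marker domain, identifier alphabets and sample batches are assumptions constructed for this example.

```python
import re
from collections import Counter
from typing import Optional
# Marker layout from slide 8: [harvest].[worker]@[random].[domain]. The identifier
# alphabets and the marker domain below are assumptions made for this example.
MARKER_DOMAINS = {"example.test"}  # constructed: a domain the researchers would control
MARKER_RE = re.compile(
    r"^(?P<harvest>[a-z0-9-]+)\.(?P<worker>[a-z0-9-]+)"
    r"@(?P<random>[a-z0-9-]+)\.(?P<domain>[a-z0-9.-]+)$"
)

def make_markers(harvest, worker, random_labels, domain):
    """Build the unique marker addresses injected for one harvest event (three per slide 8)."""
    return [f"{harvest}.{worker}@{r}.{domain}" for r in random_labels]

def parse_marker(addr: str) -> Optional[dict]:
    """Return the marker fields, or None if the address is not one of ours.
    Ordinary addresses such as john.doe@mail.example.net fit the same shape,
    so the controlled-domain check is what keeps them out."""
    m = MARKER_RE.match(addr.strip().lower())
    if not m or m.group("domain") not in MARKER_DOMAINS:
        return None
    return m.groupdict()

def grouping_distribution(batches) -> Counter:
    """Each batch is the recipient list of one observed spam delivery (constructed).
    Per harvest event, count whether 1, 2 or 3 of its injected addresses were
    retrieved together (the single / pair / triple figures on slide 17)."""
    label = {1: "single", 2: "pair", 3: "triple"}
    counts = Counter()
    for rcpts in batches:
        per_event = {}
        for a in rcpts:
            p = parse_marker(a)
            if p:
                per_event.setdefault((p["harvest"], p["worker"]), set()).add(a.lower())
        for addrs in per_event.values():
            counts[label.get(len(addrs), "other")] += 1
    return counts

def reused_markers(batches):
    """Marker addresses that were delivered to more than once (slide 17 reports none)."""
    seen = Counter(a.lower() for rcpts in batches for a in rcpts if parse_marker(a))
    return {a for a, n in seen.items() if n > 1}

SAMPLE_BATCHES = [  # constructed delivery observations, not data from the paper
    make_markers("h001", "w07", ["ab12", "cd34", "ef56"], "example.test"),
    make_markers("h002", "w03", ["q1", "q2"], "example.test") + ["john.doe@mail.example.net"],
    ["h003.w09@zz.example.test", "victim@example.net"],
]
```

Running `grouping_distribution(SAMPLE_BATCHES)` yields one triple, one pair and one single, and `reused_markers(SAMPLE_BATCHES)` is empty, matching the "not used repeatedly" observation.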

18 Average address retrieval rate
 570 addresses per minute

19 Evasive maneuvers
Approaches used to evade spam filters
◦ Dictionaries
◦ Template diversity
 bodies
 headers
◦ Header diversity
◦ Domain diversity

20 Header diversity
Template headers are diversified by
 (i) the simulated user-agent
 (ii) the MTA responsible for the Message-ID header
 (iii) the (possibly empty) sequence of Received-By headers
MTA message identifiers are generated through macros
Macros are delineated by a start marker “%^” and a corresponding end marker “^%”

21 Comparison of the distributions
 templates, unique templates, unique headers, unique bodies

22 Noteworthy encounters
 It is commonly assumed that spam is mostly driven by insidious motives
 Observed 670 instances of pharma links
 Web messages included a SpamIt.com copyright notice
 believed to be a pharmacy affiliate program

23 Conclusion
 Presented a detailed study of spam campaign orchestration as observed
 Confirms that today’s spamming business operates at a frightening scale
 Requiring truly sophisticated mechanisms to conquer the hurdles put in place by the anti-spam industry

24 Questions

