Spammers operations

A multifaceted strategic analysis

O. Thonnard, Pierre Antoine Vervier, Marc Dacier

Research output: Contribution to journal › Article

2 Citations (Scopus)

Abstract

There is a consensus in the anti-spam community regarding the prevalence of spam botnets and the significant role they play in the worldwide spam problem. Nevertheless, far less attention has been devoted to studying the strategic behavior of spammers on a long-term basis. This paper explores several facets of spammers' operations by providing three essential perspectives: (i) we study the inter-relationships among spam botnets through their aggregate spam campaigns, and we focus on identifying similarities or differences in their modus operandi; (ii) we look at the impact of the Rustock takedown on the botnet ecosystem; and (iii) we study the conjecture that spammers hijack unused IP space to send spam in a stealthy way. To that end, we have analyzed over one million spam records collected by Symantec.cloud (formerly MessageLabs) through worldwide distributed spamtraps. Our methodology leverages techniques relying on data fusion and multi-criteria decision analysis to extract intelligence from large spam data sets by automatically correlating spam campaigns according to various combinations of spam features. We also take advantage of node-link visualizations developed in the context of VIS-SENSE, a research project aiming at developing Visual Analytics technologies for the security domain. Using these visualizations, we illustrate the tight relationships that exist among different botnet families (such as Rustock/Grum or Lethic/Maazben). Regarding the disruption of Rustock on 17 March 2011, our experimental results provide substantial evidence indicating that part of the botnet activity may have been offloaded to Grum shortly after the takedown operation. Finally, we analyzed over 1 year of spam data enriched with Border Gateway Protocol data and found that an increasing amount of spam may have been sent from IP blocks hijacked for several weeks or months, even though this phenomenon remains marginal at this time compared with spam sent from large botnets.

Original language: English
Pages (from-to): 336-356
Number of pages: 21
Journal: Security and Communication Networks
Volume: 9
Issue number: 4
DOI: 10.1002/sec.640
Publication status: Published - 10 Mar 2016
Externally published: Yes


Keywords

  • Botnet intelligence
  • Prefix hijacking
  • Rustock takedown
  • Spam botnets

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems

Cite this

Thonnard, O.; Vervier, Pierre Antoine; Dacier, Marc. Spammers operations: A multifaceted strategic analysis. In: Security and Communication Networks, Vol. 9, No. 4, 10 March 2016, pp. 336-356.

@article{cff3e5a3c02a4d6dab9b3a5f62cfbe1c,
title = "Spammers operations: A multifaceted strategic analysis",
abstract = "There is a consensus in the anti-spam community regarding the prevalence of spam botnets and the significant role they play in the worldwide spam problem. Nevertheless, far less attention has been devoted to studying the strategic behavior of spammers on a long-term basis. This paper explores several facets of spammers operations by providing three essential perspectives: (i) we study the inter-relationships among spam botnets through their aggregate spam campaigns, and we focus on identifying similarities or differences in their modus operandi; (ii) we look at the impact of the Rustock takedown on the botnet ecosystem; and (iii) we study the conjecture about spammers hijacking unused IP space to send spam in a stealthy way. To that end, we have analyzed over one million spam records collected by Symantec.cloud (formerly MessageLabs) through worldwide distributed spamtraps. Our methodology leverages techniques relying on data fusion and multi-criteria decision analysis to extract intelligence from large spam data sets by automatically correlating spam campaigns according to various combinations of spam features. We also take advantage of node-link visualizations developed in the context of VIS-SENSE, a research project aiming at developing Visual Analytics technologies for the security domain. Using these visualizations, we illustrate the tight relationships that exist among different botnet families (such as Rustock/Grum or Lethic/Maazben). Regarding the disruption of Rustock on 17 March 2011, our experimental results provide substantial evidence indicating that part of the botnet activity may have been offloaded to Grum shortly after the takedown operation. Finally, we analyzed over 1 year of spam data enriched with Border Gateway Protocol data and found that an increasing amount of spam may have been sent from IP blocks hijacked for several weeks or months, even though this phenomenon remains marginal at this time compared with spam sent from large botnets.",
keywords = "Botnet intelligence, Prefix hijacking, Rustock takedown, Spam botnets",
author = "O. Thonnard and Vervier, {Pierre Antoine} and Marc Dacier",
year = "2016",
month = "3",
day = "10",
doi = "10.1002/sec.640",
language = "English",
volume = "9",
pages = "336--356",
journal = "Security and Communication Networks",
issn = "1939-0122",
publisher = "John Wiley and Sons Inc.",
number = "4",
}
