Security and Privacy Applied Research Lab

Studying the Network-Level Behavior of Spammers

Nick Feamster
College of Computing
Georgia Tech


Much attention has been devoted to studying the content of spam, but spam's network-level properties have received comparatively little attention. We argue that gathering information about the network-level behavior of spam could be a major asset for designing spam filters that are both more robust to spammers' ever-changing techniques and easier for network operators to maintain. Towards the ultimate goal of developing more robust filters based on the network-level properties of spam, we present a study of the network-level behavior of spammers, including: the IP address ranges that send the most spam, common spamming modes (e.g., BGP route hijacking, bots), how persistent across time each spamming host is, and the characteristics of spamming botnets. To explore these questions, we analyze a 17-month trace of over 10 million spam messages collected at an Internet "spam sinkhole" and correlate this data with the results of IP-based blacklist lookups, passive TCP fingerprinting information, routing information, and botnet "command and control" traces. In this talk, I will present several interesting findings based on our analysis. Additionally, I'll discuss several open questions and briefly describe ongoing work in this area and the challenges that lie ahead.
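To make the kind of correlation the abstract describes concrete, here is an added example (not code from the talk or the study) that joins sinkhole records with a routing table and blacklist results to answer three of the questions above: which prefixes send the most spam, how persistent each sender is, and what fraction of messages a blacklist would already have caught. The log entries, prefixes, origin AS numbers and blacklist contents are all constructed sample values.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample data: sinkhole records as (date, sender_ip),
# a toy routing table (prefix -> origin AS, hypothetical values),
# and the outcome of IP-based blacklist lookups for those senders.
SINKHOLE_LOG = [
    ("2005-01-03", "198.51.100.17"),
    ("2005-01-03", "198.51.100.42"),
    ("2005-01-04", "198.51.100.17"),
    ("2005-01-09", "198.51.100.17"),
    ("2005-02-11", "203.0.113.7"),
    ("2005-02-11", "203.0.113.200"),
    ("2005-03-02", "192.0.2.9"),
]
ROUTING_TABLE = {
    "198.51.100.0/24": 64500,
    "203.0.113.0/25": 64501,
    "203.0.113.128/25": 64502,
    "192.0.2.0/24": 64503,
}
BLACKLIST = {"198.51.100.17", "203.0.113.7"}

def origin_prefix(ip, table=ROUTING_TABLE):
    """Longest-prefix match of a sender IP against the routing table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None

def spam_by_prefix(log=SINKHOLE_LOG):
    """Spam message count per originating prefix (which ranges send the most)."""
    return Counter(origin_prefix(ip) for _, ip in log)

def persistence(log=SINKHOLE_LOG):
    """Number of distinct days on which each sender was seen at the sinkhole."""
    days = defaultdict(set)
    for day, ip in log:
        days[ip].add(day)
    return {ip: len(seen) for ip, seen in days.items()}

def blacklist_coverage(log=SINKHOLE_LOG, blacklist=BLACKLIST):
    """Fraction of spam messages whose sender IP appears on the blacklist."""
    hits = sum(1 for _, ip in log if ip in blacklist)
    return hits / len(log)
```

On a real trace, the routing table would come from a BGP feed and the blacklist results from lookups made at delivery time, so that coverage reflects what a filter could have known then.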


Nick Feamster is an assistant professor in the College of Computing at Georgia Tech. He received his Ph.D. in Computer Science from MIT in 2005, and his S.B. and M.Eng. degrees in Electrical Engineering and Computer Science from MIT in 2000 and 2001, respectively. His research focuses on many aspects of computer networking and networked systems, including the design, measurement, and analysis of network routing protocols, network security, anonymous communication systems, and adaptive streaming media protocols. His honors include award papers at SIGCOMM 2006 (network-level behavior of spammers), NSDI 2005 (fault detection in router configuration), Usenix Security 2002 (circumventing web censorship using Infranet), and Usenix Security 2001 (web cookie analysis).