Studying the Network-Level Behavior of Spammers
Nick Feamster
College of Computing
Georgia Tech
Abstract
Much attention has been devoted to studying the content of spam, but
spam's network-level properties have received comparatively little
attention. We argue that gathering information about the
network-level behavior of spam could be a major asset for designing
spam filters that are both more robust to spammers' ever-changing
techniques and easier for network operators to maintain. Towards the
ultimate goal of developing more robust filters based on the
network-level properties of spam, we present a study of the
network-level behavior of spammers, including: IP address ranges that
send the most spam, common spamming modes (e.g., BGP route hijacking,
bots), how persistent across time each spamming host is, and
characteristics of spamming botnets. To explore these questions, we
analyze a 17-month trace of over 10 million spam messages collected at
an Internet "spam sinkhole" and correlate this data with the
results of IP-based blacklist lookups, passive TCP fingerprinting
information, routing information, and botnet "command and control"
traces. In this talk, I will present several interesting findings
based on our analysis. Additionally, I'll discuss several open
questions and briefly describe ongoing work in this area and the
challenges that lie ahead.
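As an added illustration of the kind of correlation the abstract describes (this is not code from the talk or from the underlying study), the script below joins a sinkhole log against a routing table and a blacklist snapshot: each spam source is mapped to its longest-matching prefix and origin AS, message counts are aggregated per prefix and per AS, each host's persistence is measured as the number of distinct days on which it sent spam, and the fraction of messages from hosts already on a blacklist is reported. Every input is constructed; the log format, the prefix-to-AS table, and the blacklist set are assumptions and stand in for a real RIB dump and real DNSBL lookups.

```python
"""Aggregate a spam-sinkhole log by originating BGP prefix and origin AS,
and measure per-host persistence.  Added illustration only; the log format,
routing table, and blacklist snapshot below are constructed assumptions."""
import ipaddress
from collections import defaultdict

# Constructed sample log: one "<ISO date> <source IP>" line per message.
SAMPLE_LOG = """\
2004-08-01 10.1.2.3
2004-08-01 10.1.2.3
2004-08-02 10.1.2.3
2004-08-03 10.1.2.3
2004-08-01 10.1.9.7
2004-08-01 192.0.2.44
2004-08-02 192.0.2.45
2004-08-02 203.0.113.5
not a valid line
"""

# Constructed routing table: prefix -> origin AS, as a BGP RIB dump would give.
# 10.1.0.0/16 is more specific than 10.0.0.0/8 and must win the lookup.
SAMPLE_RIB = {
    "10.0.0.0/8": 64496,
    "10.1.0.0/16": 64497,
    "192.0.2.0/24": 64498,
    "203.0.113.0/24": 64499,
}

# Constructed blacklist snapshot (what a DNSBL returned at receipt time).
SAMPLE_BLACKLIST = {"10.1.2.3", "192.0.2.44"}


def parse_log(text):
    """Yield (date, IPv4Address) pairs, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            yield parts[0], ipaddress.ip_address(parts[1])
        except ValueError:
            continue


def build_rib(table):
    """Sort prefixes longest-first so the first containing prefix is the
    most specific one (longest-prefix match)."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in table.items()]
    return sorted(nets, key=lambda n: n[0].prefixlen, reverse=True)


def origin_of(ip, rib):
    """Return (prefix, asn) for ip, or (None, None) if no prefix covers it."""
    ip = ipaddress.ip_address(ip)
    for net, asn in rib:
        if ip in net:
            return str(net), asn
    return None, None


def summarize(log_text, table, blacklist):
    """Counts per prefix and per origin AS, distinct-day persistence per host,
    and the fraction of messages whose sender was already blacklisted."""
    rib = build_rib(table)
    by_prefix = defaultdict(int)
    by_asn = defaultdict(int)
    days_seen = defaultdict(set)
    listed = total = 0
    for day, ip in parse_log(log_text):
        total += 1
        prefix, asn = origin_of(ip, rib)
        by_prefix[prefix] += 1
        by_asn[asn] += 1
        days_seen[str(ip)].add(day)
        if str(ip) in blacklist:
            listed += 1
    return {
        "total": total,
        "by_prefix": dict(by_prefix),
        "by_asn": dict(by_asn),
        "persistence": {ip: len(d) for ip, d in days_seen.items()},
        "blacklisted_fraction": listed / total if total else 0.0,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG, SAMPLE_RIB, SAMPLE_BLACKLIST),
                     indent=2, default=str))
```

On real data the routing table would come from a RIB snapshot taken close to the time of each message, since prefixes that are announced only briefly (the hijacking mode the abstract mentions) will not appear in a table collected later.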
Biography
Nick Feamster is an assistant professor in the College of Computing at
Georgia Tech. He received his Ph.D. in Computer Science from MIT in
2005, and his S.B. and M.Eng. degrees in Electrical Engineering and
Computer Science from MIT in 2000 and 2001, respectively. His research
focuses on many aspects of computer networking and networked systems,
including the design, measurement, and analysis of network routing
protocols, network security, anonymous communication systems, and
adaptive streaming media protocols. His honors include award papers at
SIGCOMM 2006 (network-level behavior of spammers), NSDI 2005
(fault detection in router configuration), Usenix Security
2002 (circumventing web censorship using Infranet), and Usenix
Security 2001 (web cookie analysis).