DOI: 10.1145/1402958.1402979

Spamming botnets: signatures and characteristics

Published: 17 August 2008 Publication History

Abstract

In this paper, we focus on characterizing spamming botnets by leveraging both spam payload and spam server traffic properties. Towards this goal, we developed a spam signature generation framework called AutoRE to detect botnet-based spam emails and botnet membership. AutoRE does not require pre-classified training data or white lists. Moreover, it outputs high quality regular expression signatures that can detect botnet spam with a low false positive rate. Using a three-month sample of emails from Hotmail, AutoRE successfully identified 7,721 botnet-based spam campaigns together with 340,050 unique botnet host IP addresses.
Our in-depth analysis of the identified botnets revealed several interesting findings regarding the degree of email obfuscation, properties of botnet IP addresses, sending patterns, and their correlation with network scanning traffic. We believe these observations are useful information in the design of botnet detection schemes.

    Published In

    SIGCOMM '08: Proceedings of the ACM SIGCOMM 2008 conference on Data communication
    August 2008
    452 pages
    ISBN:9781605581750
    DOI:10.1145/1402958
    ACM SIGCOMM Computer Communication Review, Volume 38, Issue 4
      October 2008
      436 pages
      ISSN:0146-4833
      DOI:10.1145/1402946

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. botnet
    2. regular expression
    3. signature generation
    4. spam

    Qualifiers

    • Research-article

    Conference

    SIGCOMM '08
    SIGCOMM '08: ACM SIGCOMM 2008 Conference
    August 17 - 22, 2008
    WA, Seattle, USA

    Acceptance Rates

    Overall Acceptance Rate 462 of 3,389 submissions, 14%
