NANOG Meeting Presentation Abstract

Understanding the Network-Level Behavior of Spammers
Meeting:	NANOG37
Date / Time:	2006-06-06 9:30am - 10:00am
Room:	Exhibit Hall 3
Presenters:	Speakers: Nick Feamster, Georgia Tech University. Anirudh Ramachandran, Georgia Tech University.
Abstract:	We study the network-level behavior of spammers, including: IP address ranges that send the most spam, common spamming modes (e.g., BGP route hijacking, bots), how persistent (in time) each spamming host is, botnet spamming characteristics, and techniques for harvesting email addresses. This presentation studies these questions by analyzing an 18-month trace of over 10 million spam messages collected at one Internet \"spam sinkhole,\" and by correlating these messages with the results of IP-based blacklist lookups, passive TCP fingerprinting information, routing information, and botnet \"command and control\" traces. We find that a small, yet non-negligible, amount of spam is received from IP addresses that correspond to short-lived BGP routes, typically for hijacked addresses. Most spam was received from a few regions of IP address space. Spammers appear to make use of transient \"bots\" that send only a few pieces of email over the course of a few minutes at most. These patterns suggest that developing algorithms to identify botnet membership, filtering email messages based on network-level properties (which are less variable than an email\'s contents), and improving the security of the Internet routing infrastructure may be prove extremely effective for combating spam.
Files:	Nick Feamster Presentation(PDF) Understanding the Network-Level Behavior of Spammers
Sponsors:	None.

Back to NANOG37 agenda.

NANOG37 Abstracts

• Show All

• San Jose Newcomers\' Reception
  Moderators:
  Steve FeldmanCNET; .
  Panelists:
  Bill NortonEquinix; .
  Betty BurkeMerit Network Inc.; .
  

• San Jose Newcomers\' Reception
  Moderators:
  Steve FeldmanCNET; .
  Panelists:
  Bill NortonEquinix; .
  Betty BurkeMerit Network Inc.; .
  

• San Jose Newcomers\' Reception
  Moderators:
  Steve FeldmanCNET; .
  Panelists:
  Bill NortonEquinix; .
  Betty BurkeMerit Network Inc.; .
  

• NANOG Community Meeting
  Moderators:
  Randy BushIIJ; .
  Panelists:
  Steve FeldmanCNET; .
  Betty BurkeMerit Network; .
  Rob SeastromClueTrust; .
  

• NANOG Community Meeting
  Moderators:
  Randy BushIIJ; .
  Panelists:
  Steve FeldmanCNET; .
  Betty BurkeMerit Network; .
  Rob SeastromClueTrust; .
  

• NANOG Community Meeting
  Moderators:
  Randy BushIIJ; .
  Panelists:
  Steve FeldmanCNET; .
  Betty BurkeMerit Network; .
  Rob SeastromClueTrust; .
  

• NANOG Community Meeting
  Moderators:
  Randy BushIIJ; .
  Panelists:
  Steve FeldmanCNET; .
  Betty BurkeMerit Network; .
  Rob SeastromClueTrust; .
  

• Authentication for TCP-based Routing and Management Protocols
  Speakers:
  Ron BonicaJuniper; .
  

• Research Forum: Active Measurement of the AS Path Prepending Method
  Speakers:
  Samantha Lo, Hong Kong Polytechnic University; Rocky K. C. ChangHong Kong Polytechnic University; .
  

• Research Forum: Active Measurement of the AS Path Prepending Method
  Speakers:
  Samantha Lo, Hong Kong Polytechnic University; Rocky K. C. ChangHong Kong Polytechnic University; .
  

• Research Forum: Pretty Good BGP and the Internet Alert Registry
  Speakers:
  Josh KarlinUniversity of New Mexico; .
  

• Research Forum: A simple coordination mechanism for interdomain routing
  Speakers:
  Ratul Mahajan, Microsoft Research; Thomas AndersonUniversity of Washington; .
  David WetherallUniversity of Washington; .
  

• Research Forum: A simple coordination mechanism for interdomain routing
  Speakers:
  Ratul Mahajan, Microsoft Research; Thomas AndersonUniversity of Washington; .
  David WetherallUniversity of Washington; .
  

• Research Forum: A simple coordination mechanism for interdomain routing
  Speakers:
  Ratul Mahajan, Microsoft Research; Thomas AndersonUniversity of Washington; .
  David WetherallUniversity of Washington; .
  

• Managing 100+ million IP addresses
  Speakers:
  Alain Durand, Comcast;

• Panel: Network Neutrality - What Does It Mean To Operators?
  Moderators:
  Bill Woodcock, Packet Clearing House; Panelists:
  Sean DonelanCisco Systems; .
  Sean DoranNone; .
  Gene LewNeustar; .
  Brokaw PriceYahoo; .
  

• Panel: Network Neutrality - What Does It Mean To Operators?
  Moderators:
  Bill Woodcock, Packet Clearing House; Panelists:
  Sean DonelanCisco Systems; .
  Sean DoranNone; .
  Gene LewNeustar; .
  Brokaw PriceYahoo; .
  

• Panel: Network Neutrality - What Does It Mean To Operators?
  Moderators:
  Bill Woodcock, Packet Clearing House; Panelists:
  Sean DonelanCisco Systems; .
  Sean DoranNone; .
  Gene LewNeustar; .
  Brokaw PriceYahoo; .
  

• Panel: Network Neutrality - What Does It Mean To Operators?
  Moderators:
  Bill Woodcock, Packet Clearing House; Panelists:
  Sean DonelanCisco Systems; .
  Sean DoranNone; .
  Gene LewNeustar; .
  Brokaw PriceYahoo; .
  

• Panel: Network Neutrality - What Does It Mean To Operators?
  Moderators:
  Bill Woodcock, Packet Clearing House; Panelists:
  Sean DonelanCisco Systems; .
  Sean DoranNone; .
  Gene LewNeustar; .
  Brokaw PriceYahoo; .
  

• BGP Techniques for Service Providers
  Speakers:
  Philip Smith, Cisco Systems;

• Peering BOF XIII
  Moderators:
  Bill Norton, Equinix;

• Exchange Point Operators
  Moderators:
  Joe Abley, Afilias Canada; Celeste Anderson, USC;

• Exchange Point Operators
  Moderators:
  Joe Abley, Afilias Canada; Celeste Anderson, USC;

• BGP Tools
  Speakers:
  Dan MasseyColorado State University; .
  Nick FeamsterMIT; .
  Lixiz ZhangUCLA; .
  

• BGP Tools
  Speakers:
  Dan MasseyColorado State University; .
  Nick FeamsterMIT; .
  Lixiz ZhangUCLA; .
  

• BGP Tools
  Speakers:
  Dan MasseyColorado State University; .
  Nick FeamsterMIT; .
  Lixiz ZhangUCLA; .
  

• Anatomy of recent DNS reflector attacks from the victim and reflector point of view
  Speakers:
  Frank ScalzoVerisign; .
  

• Understanding the Network-Level Behavior of Spammers
  Speakers:
  Nick FeamsterGeorgia Tech University; .
  Anirudh RamachandranGeorgia Tech University; .
  

• Understanding the Network-Level Behavior of Spammers
  Speakers:
  Nick FeamsterGeorgia Tech University; .
  Anirudh RamachandranGeorgia Tech University; .
  

• Information Collection on DDoS Attacks
  Speakers:
  Anna Claiborne, Prolexic Technologies;

• US ENUM Trial
  Speakers:
  Karen Mulberry, Neustar;

• Panel: Hot Time in the Big IDC: Power, cooling, and the data center
  Moderators:
  Dan Golding, Tier1 Research; Panelists:
  Michael Laudon, Force10 Networks; Jay ParkEquinix; .
  Rob Snevely, Sun Microsystems; Josh Snowhorn, Terremark Worldwide, Inc.; David Tsiang, Cisco Systems; Brad TurnerJuniper Networks; .
  Brian Young, Switch and Data;

• Panel: Hot Time in the Big IDC: Power, cooling, and the data center
  Moderators:
  Dan Golding, Tier1 Research; Panelists:
  Michael Laudon, Force10 Networks; Jay ParkEquinix; .
  Rob Snevely, Sun Microsystems; Josh Snowhorn, Terremark Worldwide, Inc.; David Tsiang, Cisco Systems; Brad TurnerJuniper Networks; .
  Brian Young, Switch and Data;

• Panel: Hot Time in the Big IDC: Power, cooling, and the data center
  Moderators:
  Dan Golding, Tier1 Research; Panelists:
  Michael Laudon, Force10 Networks; Jay ParkEquinix; .
  Rob Snevely, Sun Microsystems; Josh Snowhorn, Terremark Worldwide, Inc.; David Tsiang, Cisco Systems; Brad TurnerJuniper Networks; .
  Brian Young, Switch and Data;

• Panel: Hot Time in the Big IDC: Power, cooling, and the data center
  Moderators:
  Dan Golding, Tier1 Research; Panelists:
  Michael Laudon, Force10 Networks; Jay ParkEquinix; .
  Rob Snevely, Sun Microsystems; Josh Snowhorn, Terremark Worldwide, Inc.; David Tsiang, Cisco Systems; Brad TurnerJuniper Networks; .
  Brian Young, Switch and Data;

• Panel: Hot Time in the Big IDC: Power, cooling, and the data center
  Moderators:
  Dan Golding, Tier1 Research; Panelists:
  Michael Laudon, Force10 Networks; Jay ParkEquinix; .
  Rob Snevely, Sun Microsystems; Josh Snowhorn, Terremark Worldwide, Inc.; David Tsiang, Cisco Systems; Brad TurnerJuniper Networks; .
  Brian Young, Switch and Data;

• Panel: Hot Time in the Big IDC: Power, cooling, and the data center
  Moderators:
  Dan Golding, Tier1 Research; Panelists:
  Michael Laudon, Force10 Networks; Jay ParkEquinix; .
  Rob Snevely, Sun Microsystems; Josh Snowhorn, Terremark Worldwide, Inc.; David Tsiang, Cisco Systems; Brad TurnerJuniper Networks; .
  Brian Young, Switch and Data;

• Panel: Hot Time in the Big IDC: Power, cooling, and the data center
  Moderators:
  Dan Golding, Tier1 Research; Panelists:
  Michael Laudon, Force10 Networks; Jay ParkEquinix; .
  Rob Snevely, Sun Microsystems; Josh Snowhorn, Terremark Worldwide, Inc.; David Tsiang, Cisco Systems; Brad TurnerJuniper Networks; .
  Brian Young, Switch and Data;

• Panel: Hot Time in the Big IDC: Power, cooling, and the data center
  Moderators:
  Dan Golding, Tier1 Research; Panelists:
  Michael Laudon, Force10 Networks; Jay ParkEquinix; .
  Rob Snevely, Sun Microsystems; Josh Snowhorn, Terremark Worldwide, Inc.; David Tsiang, Cisco Systems; Brad TurnerJuniper Networks; .
  Brian Young, Switch and Data;

• MPLS Traffic Engineering
  Speakers:
  Pete Templin, Texlink;

• OPSEC WG
  Moderators:
  Ross Callon, Juniper; Panelists:
  Merike Kaeo, Double Shot Security; Chris Morrow, Verizon Business;

• OPSEC WG
  Moderators:
  Ross Callon, Juniper; Panelists:
  Merike Kaeo, Double Shot Security; Chris Morrow, Verizon Business;

• OPSEC WG
  Moderators:
  Ross Callon, Juniper; Panelists:
  Merike Kaeo, Double Shot Security; Chris Morrow, Verizon Business;

• Fundamentals of Passive Monitoring Access
  Speakers:
  Joy WeberNet Optics; .
  

• Security
  Moderators:
  Danny McPhersonArbor Networks; .
  Roland DobbinsCisco Systems; .
  

• Security
  Moderators:
  Danny McPhersonArbor Networks; .
  Roland DobbinsCisco Systems; .
  

• Smart Network Data Services
  Speakers:
  Eliot Gillum, Microsoft;

• Effects of anycast on K-root Performance
  Speakers:
  Lorenzo ColittiRIPE NCC; .
  

• Operational experience with TCP and Anycast
  Moderators:
  Matt LevineCache Networks; .
  Panelists:
  Barrett LyonBitGravity, LLC; .
  Todd Underwood, Renesys Corporation;

• Operational experience with TCP and Anycast
  Moderators:
  Matt LevineCache Networks; .
  Panelists:
  Barrett LyonBitGravity, LLC; .
  Todd Underwood, Renesys Corporation;

• Operational experience with TCP and Anycast
  Moderators:
  Matt LevineCache Networks; .
  Panelists:
  Barrett LyonBitGravity, LLC; .
  Todd Underwood, Renesys Corporation;

• Deploying DNSSEC. Pulling yourself up by your bootstraps
  Speakers:
  Joao Damas, Internet Systems Consortium;