Article

Dynamics of Online Scam Hosting Infrastructure

Authors:

Jaeyeon JungAuthors Info & Claims

PAM '09: Proceedings of the 10th International Conference on Passive and Active Network Measurement

Pages 219 - 228

https://doi.org/10.1007/978-3-642-00975-4_22

Published: 28 March 2009 Publication History

Abstract

This paper studies the dynamics of scam hosting infrastructure, with an emphasis on the role of fast-flux service networks. By monitoring changes in DNS records of over 350 distinct spam-advertised domains collected from URLs in 115,000 spam emails received at a large spam sinkhole, we measure the rates and locations of remapping DNS records, and the rates at which "fresh" IP addresses are used. We find that, unlike the short-lived nature of the scams themselves, the infrastructure that hosts these scams has relatively persistent features that may ultimately assist detection.

References

[1]

Alexa. Alexa the Web Information Company (2008), http://www.alexa.com/

[2]

Anderson, D.S., Fleizach, C., Savage, S., Voelker, G.M.: Spamscatter: Characterizing Internet Scam Hosting Infrastructure. In: USENIX Security Symposium (August 2007)

Digital Library

[3]

Dagon, D., Zou, C., Lee, W.: Modeling Botnet Propagation Using Time Zones. In: The 13th Annual Network and Distributed System Security Symposium (NDSS 2006), San Diego, CA (February 2006)

[4]

Holz, T., Corecki, C., Rieck, K., Freiling, F.C.: Measuring and Detecting Fast-Flux Service Networks. In: NDSS (February 2008)

[5]

ICANN Security and Stability Advisory Committee. SSAC Advisory on Fast Flux Hosting and DNS (March 2008), http://www.icann.org/committees/security/sac025.pdf

[6]

Jung, J., Sit, E.: An Empirical Study of Spam Traffic and the Use of DNS Black Lists. In: Internet Measurement Conference, Taormina, Italy (October 2004)

Digital Library

[7]

Konte, M., Feamster, N., Jung, J.: Fast Flux Service Networks: Dynamics and Roles in Online Scam Hosting Infrastructure. Technical Report GT-CS-08-07 (September 2008), http://www.cc.gatech.edu/~feamster/papers/fastflux-tr08.pdf

[8]

Passerini, E., Paleari, R., Martignoni, L., Bruschi, D.: FluXOR: detecting and monitoring fast-flux service networks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 186- 206. Springer, Heidelberg (2008)

Digital Library

[9]

Pathak, A., Hu, Y.C., Mao, Z.M.: Peeking into Spammer Behavior from a Unique Vantage Point. In: First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Francisco, CA (April 2008)

Digital Library

[10]

Rajab, M., Zarfoss, J., Monrose, F., Terzis, A.: A Multifaceted Approach to Understanding the Botnet Phenomenon. In: ACM SIGCOMM/USENIX Internet Measurement Conference, Brazil (October 2006)

Digital Library

[11]

Ramachandran, A., Feamster, N.: Understanding the Network-Level Behavior of Spammers. In: SIGCOMM (September 2006)

Digital Library

[12]

Spam Trackers, http://spamtrackers.eu/wiki/index.php?title=Main_Page

[13]

The Honeynet Project. Know Your Enemy: Fast-Flux Service Networks (July 2007), http://www.honeynet.org/papers/ff/

[14]

Xie, Y., Yu, F., Achan, K., Gillum, E., Goldszmidt, M., Wobber, T.: How dynamic are IP addresses? In: ACM SIGCOMM, Kyoto, Japan (August 2007)

Digital Library

[15]

Zdrnja, B., Brownlee, N.,Wessels, D.: Passive monitoring of DNS anomalies. In: Hämmerli, B.M., Sommer, R. (eds.) DIMVA 2007. LNCS, vol. 4579, pp. 129-139. Springer, Heidelberg (2007)

Digital Library

Cited By

Zhauniarovich YKhalil IYu TDacier M(2018)A Survey on Malicious Domains Detection through DNS Data AnalysisACM Computing Surveys10.1145/319132951:4(1-36)Online publication date: 6-Jul-2018
https://dl.acm.org/doi/10.1145/3191329
Almomani A(2018)Fast-flux hunterNeural Computing and Applications10.1007/s00521-016-2531-129:7(483-493)Online publication date: 1-Apr-2018
https://dl.acm.org/doi/10.1007/s00521-016-2531-1
Al-Qudah ZJohnson ERabinovich MSpatscheck O(2016)Internet with transient destination-controlled addressingIEEE/ACM Transactions on Networking10.1109/TNET.2014.238211024:2(731-744)Online publication date: 1-Apr-2016
https://dl.acm.org/doi/10.1109/TNET.2014.2382110
Show More Cited By

Recommendations

Blocklist-Forecast: Proactive Domain Blocklisting by Identifying Malicious Hosting Infrastructure
RAID '24: Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses

Domain blocklists play an important role in blocking malicious domains reaching users. However, existing blocklists are reactive in nature and slow to react to attacks, by which time the damage is already caused. This is mainly due to the fact that ...
The role of web hosting providers in detecting compromised websites
WWW '13: Proceedings of the 22nd international conference on World Wide Web

Compromised websites are often used by attackers to deliver malicious content or to host phishing pages designed to steal private information from their victims. Unfortunately, most of the targeted websites are managed by users with little security ...
How Experts Detect Phishing Scam Emails
CSCW

Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails ...

Comments

Information & Contributors

Information

Published In

cover image Guide Proceedings

PAM '09: Proceedings of the 10th International Conference on Passive and Active Network Measurement

March 2009

229 pages

ISBN:9783642009747

Editors:
Sue B. Moon
Computer Science Department, KAIST, Daejeon, Republic of Korea 305-701
,
Renata Teixeira
Centre National de la Recherche Scientifique (CNRS) and, Université Pierre et Marie Curie - Paris 6, Paris, France 75016
,
Steve Uhlig
T-labs/TU Berlin, Berlin, Germany 10587

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 28 March 2009

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

22
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 06 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Zhauniarovich YKhalil IYu TDacier M(2018)A Survey on Malicious Domains Detection through DNS Data AnalysisACM Computing Surveys10.1145/319132951:4(1-36)Online publication date: 6-Jul-2018
https://dl.acm.org/doi/10.1145/3191329
Almomani A(2018)Fast-flux hunterNeural Computing and Applications10.1007/s00521-016-2531-129:7(483-493)Online publication date: 1-Apr-2018
https://dl.acm.org/doi/10.1007/s00521-016-2531-1
Al-Qudah ZJohnson ERabinovich MSpatscheck O(2016)Internet with transient destination-controlled addressingIEEE/ACM Transactions on Networking10.1109/TNET.2014.238211024:2(731-744)Online publication date: 1-Apr-2016
https://dl.acm.org/doi/10.1109/TNET.2014.2382110
Gao HYegneswaran VJiang JChen YPorras PGhosh SDuan H(2016)Reexamining DNS from a global recursive resolver perspectiveIEEE/ACM Transactions on Networking10.1109/TNET.2014.235863724:1(43-57)Online publication date: 1-Feb-2016
https://dl.acm.org/doi/10.1109/TNET.2014.2358637
Dinh SAzeb TFortin FMouheb DDebbabi M(2015)Spam campaign detection, analysis, and investigationDigital Investigation: The International Journal of Digital Forensics & Incident Response10.1016/j.diin.2015.01.00612:S1(S12-S21)Online publication date: 1-Mar-2015
https://dl.acm.org/doi/10.1016/j.diin.2015.01.006
Bou-Harb ELakhdari NBinsalleeh HDebbabi M(2014)Multidimensional investigation of source port 0 probingDigital Investigation: The International Journal of Digital Forensics & Incident Response10.5555/2838421.283845111:S2(S114-S123)Online publication date: 1-Aug-2014
https://dl.acm.org/doi/10.5555/2838421.2838451
Bilge LSen SBalzarotti DKirda EKruegel C(2014)ExposureACM Transactions on Information and System Security10.1145/258467916:4(1-28)Online publication date: 1-Apr-2014
https://dl.acm.org/doi/10.1145/2584679
Gao HYegneswaran VChen YPorras PGhosh SJiang JDuan H(2013)An empirical reexamination of global DNS behaviorACM SIGCOMM Computer Communication Review10.1145/2534169.248601843:4(267-278)Online publication date: 27-Aug-2013
https://dl.acm.org/doi/10.1145/2534169.2486018
Huang TRahman MMadhyastha HFaloutsos MRibeiro BSchwabe DAlmeida VGlaser HBaeza-Yates RMoon S(2013)An analysis of socware cascades in online social networksProceedings of the 22nd international conference on World Wide Web10.1145/2488388.2488443(619-630)Online publication date: 13-May-2013
https://dl.acm.org/doi/10.1145/2488388.2488443
Gao HYegneswaran VChen YPorras PGhosh SJiang JDuan HChiu DWang JBarford PSeshan S(2013)An empirical reexamination of global DNS behaviorProceedings of the ACM SIGCOMM 2013 conference on SIGCOMM10.1145/2486001.2486018(267-278)Online publication date: 12-Aug-2013
https://dl.acm.org/doi/10.1145/2486001.2486018
Show More Cited By

View Options

View options

Media

Figures

Other

Tables

View Table of Contents