The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape
  1. The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape
     Gianluca Stringhini, Oliver Hohlfeld*, Christopher Kruegel, and Giovanni Vigna
     University of California, Santa Barbara; *RWTH Aachen
  2. Setting Up a Spam Operation
     (diagram of the three actors: Harvester, Botmaster, Spammer)
     The Harvester, the Botmaster, and the Spammer 2
  3. What are the relations between the different actors in a spam operation?
  4. Fingerprinting the Actors
     Harvesters: disseminate email addresses on the web
     Spammers: fingerprint spam campaigns
     Botnets: each botnet implements SMTP differently [USENIX2012]
  5. Fingerprinting the Entire Operation
     (diagram)
  6. Fingerprinting Email Harvesters
     Server-side dynamic script to generate unique addresses
     Websites of various types [IMC2012]
     Various ways of embedding email addresses: plaintext, mailto links, obfuscated JavaScript
     We recorded the IP address and user agent of visitors
  7. Fingerprinting Botnets
     SMTP Dialects [USENIX2012]
     We can uniquely identify an email-sending program by looking at the sequence of SMTP messages
     Example exchange (client command → server reply):
       HELO domain             → 250 server
       RSET                    → 250 OK
       MAIL FROM:<email-addr>  → 250 OK
       RCPT TO:<email-addr>    → 250 OK
       DATA
     Learning dialects spoken by botnets: malware samples submitted to Anubis
       • 18,849 malware samples sent an email
       • 72 unique dialects
       • VirusTotal labels to name samples
     Learning dialects spoken by legitimate clients: virtual machines running 5 popular MTAs
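The idea on this slide, an email-sending program identified by the order and formatting of its SMTP commands, as an added example that is not code from the paper or its authors. The transcripts, message ids and the argument-shape rules are constructed here; the example only groups deliveries by dialect and does not attribute a dialect to any named botnet, which the paper did with sandboxed malware samples.

```python
import re

# Constructed client-side SMTP transcripts, not data from the paper: the commands
# a sending program issued, in order, with server replies omitted. "msg-1" follows
# the sequence shown on slide 7 (HELO, RSET, MAIL FROM, RCPT TO, DATA); the others
# are made up here so that two different dialects are present.
SAMPLE_SESSIONS = {
    "msg-1": ["HELO example.net", "RSET", "MAIL FROM:<a@example.net>",
              "RCPT TO:<b@example.org>", "DATA", "QUIT"],
    "msg-2": ["HELO mail.example.com", "RSET", "MAIL FROM:<c@example.com>",
              "RCPT TO:<d@example.org>", "DATA", "QUIT"],
    "msg-3": ["EHLO mx.example.edu", "MAIL FROM: <e@example.edu>",
              "RCPT TO: <f@example.org>", "DATA", "QUIT"],
}

def command_shape(line):
    """Reduce one client command to its verb plus the *shape* of its argument.
    Values (domains, addresses) become a placeholder, but syntax details such as
    angle brackets or a space after the colon are kept, since the implementation
    that produced them, not the message content, is what a dialect captures."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        return verb + " <domain>"
    if verb in ("MAIL", "RCPT"):
        m = re.match(r"(FROM|TO):(\s*)(<?)[^<>\s]+(>?)$", arg, re.IGNORECASE)
        if m:
            kw, space, lb, rb = m.groups()
            return f"{verb} {kw.upper()}:{space}{lb}addr{rb}"
    return verb  # RSET, DATA, QUIT, ... carry no argument worth modelling here

def dialect_fingerprint(commands):
    """A dialect is the ordered tuple of command shapes for one delivery."""
    return tuple(command_shape(c) for c in commands)

def group_by_dialect(sessions):
    """Map each distinct fingerprint to the message ids that spoke it. Naming a
    fingerprint (attributing it to a botnet or MTA) needs labelled samples, which
    the paper obtained by running malware in a sandbox; that step is not done here."""
    groups = {}
    for msg_id, cmds in sessions.items():
        groups.setdefault(dialect_fingerprint(cmds), []).append(msg_id)
    return groups
```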
  8. Fingerprinting Spammers
     We assume that a single spammer is responsible for each spam campaign
     We cluster emails into campaigns by:
       • Subject line
       • URL domain
       • Mailer
       • Sender email address
  9. Analysis of the Collected Data
  10. Analysis of the Harvesters
      9 different harvesters
      613 email addresses were harvested
      A single harvester harvested 415 addresses
      Distributed harvester composed of 56 IP addresses
      Turnaround time between 5 days and almost two years
  11. Analysis of the SMTP Dialects
      2,024 emails received, sent by 7 different dialects
      3 large botnets (Cutwail, Lethic, Kelihos)
      2 MTAs (Postfix and Sendmail)
  12. Country Distribution - Lethic (chart)
  13. Country Distribution - Cutwail (chart)
  14. Country Distribution - MTAs (chart)
  15. Analysis of the Spam Campaigns
      Campaign   Number of Emails   Topic
      1          64                 Counterfeit goods
      2          180                Online dating
      3          8                  Financial scam
      4          533                SEO
      5          7                  Email marketing
      6          6                  Phishing scam
      7          30                 Phishing scam
      8          5                  Phishing scam
  16. Tracking Spammers Over Time
      Each campaign is carried out by a different spammer
      Spammers could run two campaigns simultaneously
      We identify spammers by botnet + email list
  17. Studying the Relationships Between the Actors
      Each botnet was rented by a single spammer
      Multiple spammers used the same type of MTA
      4 email lists were used by multiple spammers → purchased
      Spammers keep using the same email list
      Spammers using MTAs are more likely to harvest their email addresses
  18. Conclusions & Lessons Learned
      We presented the first end-to-end analysis of the spam delivery ecosystem
      Our results show that spammers use the same botnet and the same email list for a long time
      This can be leveraged for spam mitigation
      Our methodology could be used by other researchers to perform larger-scale studies
  19. Questions?
      gianluca@cs.ucsb.edu
      @gianlucasb