UC Santa Barbara
*RWTH Aachen
The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape
Gianluca Stringhini, Oliver Hohlfeld*,
Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara
*RWTH Aachen
Setting Up a Spam Operation
[Figure: the three actors in a spam operation: Harvester, Botmaster, Spammer]
What are the relations between the different actors in a spam operation?
Fingerprinting the Actors
Harvesters
Disseminate email addresses on the web
Spammers
Fingerprint spam campaigns
Botnets
Each botnet implements SMTP differently [USENIX2012]
Fingerprinting the Entire Operation
Fingerprinting Email Harvesters
Server-side dynamic script to generate unique addresses
Websites of various types [IMC2012]
Various ways of embedding email addresses
Plaintext, mailto links, obfuscated JavaScript
We recorded IP address and user agent of visitors
Fingerprinting Botnets
SMTP Dialects [USENIX2012]
We can uniquely identify an email-sending program by looking at the sequence of SMTP messages
Example SMTP conversation (C = client, S = server):
C: HELO domain
S: 250 server
C: RSET
S: 250 OK
C: MAIL FROM:<email-addr>
S: 250 OK
C: RCPT TO:<email-addr>
S: 250 OK
C: DATA
Learning dialects spoken by botnets
Malware samples submitted to Anubis
• 18,849 malware samples sent an email
• 72 unique dialects
• Virustotal labels to name samples
Learning dialects spoken by legitimate clients
Virtual machines running 5 popular MTAs
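The dialect idea above can be tried on a receiving server's own session logs. The following is an added example, not code from the slides or from the authors' system: it reduces each client line to a format template (verb case, spacing, angle brackets, kind of HELO argument) and matches the resulting sequence against previously labelled sessions. The dialect labels and all sessions are constructed, and the template rules are a simplification chosen for illustration.

```python
import re

HELLO = re.compile(r"(helo|ehlo)(\s+)(\S+)$", re.I)
PATH = re.compile(r"(mail from|rcpt to)(:\s*)(<?)[^<>\s]+(>?)$", re.I)

def template(line):
    """Replace variable arguments with a class token; keep the sender's
    formatting quirks (verb case, spacing after ':', angle brackets)."""
    m = HELLO.match(line)
    if m:
        arg = m.group(3)
        kind = ("IPLIT" if arg.startswith("[")
                else "IP" if re.fullmatch(r"[\d.]+", arg) else "HOST")
        return m.group(1) + m.group(2) + kind
    m = PATH.match(line)
    if m:
        return f"{m.group(1)}{m.group(2)}{m.group(3)}ADDR{m.group(4)}"
    return line  # RSET, DATA, NOOP ... are kept verbatim

def fingerprint(client_lines):
    """Sequence of templates up to DATA; repeated RCPT TO lines collapse."""
    out = []
    for line in client_lines:
        t = template(line.rstrip("\r\n"))
        if not out or out[-1] != t:
            out.append(t)
        if t.upper() == "DATA":
            break
    return tuple(out)

def learn(labelled_sessions):
    """Map each observed fingerprint to the label(s) it was seen with."""
    known = {}
    for label, session in labelled_sessions:
        known.setdefault(fingerprint(session), set()).add(label)
    return known

def classify(session, known):
    labels = known.get(fingerprint(session))
    if not labels:
        return "unknown"
    return next(iter(labels)) if len(labels) == 1 else "ambiguous"

# Constructed training sessions; labels are placeholders, not real botnet names.
TRAINING = [
    ("dialect-A", ["HELO host.example", "RSET", "MAIL FROM:<a@example.com>",
                   "RCPT TO:<b@example.org>", "DATA"]),
    ("dialect-B", ["EHLO [192.0.2.7]", "MAIL FROM: <a@example.com>",
                   "RCPT TO: <b@example.org>", "DATA"]),
    ("dialect-C", ["helo 192.0.2.9", "mail from:c@example.com",
                   "rcpt to:d@example.org", "data"]),
]
KNOWN = learn(TRAINING)

if __name__ == "__main__":
    seen = ["HELO mx.example.net", "RSET", "MAIL FROM:<x@example.net>",
            "RCPT TO:<y@example.org>", "RCPT TO:<z@example.org>", "DATA"]
    print(fingerprint(seen), "->", classify(seen, KNOWN))
```

A session that differs only in addresses or host names maps to the same fingerprint, while one that omits the RSET or changes verb case does not.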
Fingerprinting Spammers
We assume that a single spammer is responsible for each spam campaign
We cluster emails into campaigns by:
• Subject line
• URL domain
• Mailer
• Sender email address
Analysis of the Collected Data
Analysis of the Harvesters
9 different harvesters
613 email addresses were harvested
A single harvester harvested 415 addresses
Distributed harvester composed of 56 IP addresses
Turnaround time between 5 days and almost two years
Analysis of the SMTP Dialects
2,024 emails received, sent using 7 different dialects
3 large botnets (Cutwail, Lethic, Kelihos)
2 MTAs (Postfix and Sendmail)
Country Distribution - Lethic
Country Distribution - Cutwail
Country Distribution - MTAs
Analysis of the Spam Campaigns
Campaign | Number of Emails | Topic
1 | 64 | Counterfeit goods
2 | 180 | Online dating
3 | 8 | Financial scam
4 | 533 | SEO
5 | 7 | Email marketing
6 | 6 | Phishing scam
7 | 30 | Phishing scam
8 | 5 | Phishing scam
Tracking Spammers Over Time
Each campaign is carried out by a different spammer
Spammers could run two campaigns simultaneously
We identify spammers by botnet + email list
Studying the Relationships Between the Actors
Each botnet was rented by a single spammer
Multiple spammers used the same type of MTA
4 email lists were used by multiple spammers → purchased
Spammers keep using the same email list
Spammers using MTAs are more likely to harvest their
email addresses
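The end-to-end linkage the slides describe (unique trap addresses, harvester logging, campaign clustering, and "botnet + email list" identities) can be sketched as a join over two logs. This is an added example, not the authors' code: the HMAC-derived address scheme, the key, the trap.example domain, the use of (IP, user agent) as the harvester identity, the reduced campaign key (subject and URL domain only) and all records are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import date

KEY = b"constructed-demo-key"   # assumption: secret held by the honeypot site
DOMAIN = "trap.example"         # assumption: domain whose mail we receive

def issue_address(visit_id):
    """Unique address per page view, derived with HMAC so it cannot be guessed."""
    tag = hmac.new(KEY, visit_id.encode(), hashlib.sha256).hexdigest()[:12]
    return f"u{tag}@{DOMAIN}"

def build_harvest_log(visits):
    """visits: (visit_id, ip, user_agent, day) -> {address: visit record}."""
    return {issue_address(v): {"ip": ip, "ua": ua, "day": day}
            for v, ip, ua, day in visits}

def link(spam, harvest_log):
    """Join received spam to the visit that harvested each recipient address."""
    lists = defaultdict(set)   # harvester -> campaigns that mailed its list
    spammers = set()           # (dialect, harvester), i.e. botnet + email list
    turnaround = []            # days between harvesting and spam arrival
    for msg in spam:
        visit = harvest_log.get(msg["rcpt"])
        if visit is None:      # not one of the trap addresses
            continue
        # A distributed harvester spanning many IPs would need merging here.
        harvester = (visit["ip"], visit["ua"])
        campaign = (msg["subject"], msg["url_domain"])
        lists[harvester].add(campaign)
        spammers.add((msg["dialect"], harvester))
        turnaround.append((msg["day"] - visit["day"]).days)
    # A list mailed by more than one campaign is the slide's "purchased" signal.
    shared = {h for h, campaigns in lists.items() if len(campaigns) > 1}
    return dict(lists), spammers, shared, turnaround

# Constructed sample data.
VISITS = [
    ("v1", "198.51.100.10", "HarvestBot/1.0", date(2012, 1, 1)),
    ("v2", "198.51.100.10", "HarvestBot/1.0", date(2012, 1, 2)),
    ("v3", "203.0.113.5", "Mozilla/4.0", date(2012, 1, 3)),
]
LOG = build_harvest_log(VISITS)
SPAM = [
    {"rcpt": issue_address("v1"), "dialect": "dialect-A",
     "subject": "Cheap watches", "url_domain": "shop.example", "day": date(2012, 1, 6)},
    {"rcpt": issue_address("v2"), "dialect": "dialect-B",
     "subject": "Meet singles", "url_domain": "date.example", "day": date(2012, 3, 1)},
    {"rcpt": issue_address("v3"), "dialect": "dialect-C",
     "subject": "Rank your site", "url_domain": "seo.example", "day": date(2012, 1, 20)},
    {"rcpt": "postmaster@trap.example", "dialect": "dialect-A",
     "subject": "Cheap watches", "url_domain": "shop.example", "day": date(2012, 1, 6)},
]

if __name__ == "__main__":
    lists, spammers, shared, turnaround = link(SPAM, LOG)
    print("shared lists:", shared)
    print("turnaround (days):", sorted(turnaround))
```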
Conclusions & Lessons Learned
We presented the first end-to-end analysis of the spam delivery ecosystem
Our results show that spammers use the same botnet and the same email list for a long time
This can be leveraged for spam mitigation
Our methodology could be used by other researchers to perform larger-scale studies
Questions?
gianluca@cs.ucsb.edu
@gianlucasb
