
Dynamics of Online Scam Hosting Infrastructure

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 5448)

Abstract

This paper studies the dynamics of scam hosting infrastructure, with an emphasis on the role of fast-flux service networks. By monitoring changes in DNS records of over 350 distinct spam-advertised domains collected from URLs in 115,000 spam emails received at a large spam sinkhole, we measure the rates and locations of remapping DNS records, and the rates at which “fresh” IP addresses are used. We find that, unlike the short-lived nature of the scams themselves, the infrastructure that hosts these scams has relatively persistent features that may ultimately assist detection.
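The following sketch is an added example, not code or data from the paper: it shows one way to turn periodic DNS polls into the two kinds of quantity the abstract names, a remapping rate and a rate of "fresh" IP addresses. The metric definitions, function names, domains and addresses (reserved documentation ranges) are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed polling results: (minutes since start, domain, A-record set).
# Domains and addresses are reserved documentation values, not paper data.
SNAPSHOTS = [
    (0,  "flux.example",   {"192.0.2.1", "192.0.2.2"}),
    (5,  "flux.example",   {"192.0.2.2", "192.0.2.3"}),
    (10, "flux.example",   {"192.0.2.2", "192.0.2.3"}),
    (15, "flux.example",   {"198.51.100.7", "192.0.2.1"}),
    (20, "flux.example",   {"198.51.100.8", "198.51.100.9"}),
    (0,  "static.example", {"203.0.113.10"}),
    (10, "static.example", {"203.0.113.10"}),
    (20, "static.example", {"203.0.113.10"}),
]

def by_domain(snapshots):
    """Group polls per domain, ordered by time."""
    series = defaultdict(list)
    for t, domain, ips in sorted(snapshots, key=lambda s: (s[1], s[0])):
        series[domain].append((t, frozenset(ips)))
    return series

def change_times(series):
    """Poll times at which the A-record set differs from the previous poll."""
    return [t for (_, prev), (t, cur) in zip(series, series[1:]) if cur != prev]

def fresh_ip_curve(series):
    """Cumulative number of distinct IPs seen up to each poll."""
    seen, curve = set(), []
    for t, ips in series:
        seen |= ips
        curve.append((t, len(seen)))
    return curve

def summarize(snapshots):
    """Per-domain remapping rate and fresh-IP rate (assumed definitions)."""
    out = {}
    for domain, series in by_domain(snapshots).items():
        span = series[-1][0] - series[0][0]          # minutes observed
        changes = change_times(series)
        curve = fresh_ip_curve(series)
        fresh = curve[-1][1] - curve[0][1]           # IPs first seen after poll 0
        out[domain] = {
            "changes": len(changes),
            "changes_per_hour": 60 * len(changes) / span if span else 0.0,
            "distinct_ips": curve[-1][1],
            "fresh_ips_per_hour": 60 * fresh / span if span else 0.0,
        }
    return out
```

The polling interval bounds what this can see: remappings that happen and revert between two polls are not counted.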




© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Konte, M., Feamster, N., Jung, J. (2009). Dynamics of Online Scam Hosting Infrastructure. In: Moon, S.B., Teixeira, R., Uhlig, S. (eds) Passive and Active Network Measurement. PAM 2009. Lecture Notes in Computer Science, vol 5448. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00975-4_22


  • DOI: https://doi.org/10.1007/978-3-642-00975-4_22

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-00974-7

  • Online ISBN: 978-3-642-00975-4

  • eBook Packages: Computer Science, Computer Science (R0)
