1. The Harvester, the Botmaster, and the Spammer:
On the Relations Between the Different Actors in
the Spam Landscape
Gianluca Stringhini, Oliver Hohlfeld*,
Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara
*RWTH Aachen
2. Setting Up a Spam Operation
Spammer
Harvester
Botmaster
The Harvester, the Botmaster, and the Spammer 2
3. What are the relations between the different actors in a spam operation?
4. Fingerprinting the Actors
Harvesters
Disseminate email addresses on the web
Spammers
Fingerprint spam campaigns
Botnets
Each botnet implements SMTP differently [USENIX2012]
6. Fingerprinting Email Harvesters
Server-side dynamic script to generate unique addresses
Websites of various types [IMC2012]
Various ways of embedding email addresses
Plaintext, mailto links, obfuscated JavaScript
We recorded the IP address and user agent of each visitor
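The slide above describes the harvester honeypot only in outline (unique address per page view, visitor IP and user agent recorded). The following is an added example of how such a server-side script can be structured, written for this page and not taken from the paper's code. The domain, key, IP addresses and user-agent strings are constructed placeholders; the HMAC tag in the local part is a design choice added here so that a message sent to a guessed or forged address is rejected instead of being attributed to some visit.

```python
import hmac
import hashlib
from collections import defaultdict

# Placeholder values for the example; the paper's real honeypot domain and
# key are not on the slides.
SECRET = b"constructed-demo-secret"
DOMAIN = "honeypot.example.test"


def mint_address(visit_id, secret=SECRET, domain=DOMAIN):
    """Mint a unique address for one page view. The local part carries the
    visit id plus a truncated HMAC over it, so a later message can be tied
    to exactly one visit, and an address that merely looks like ours (a
    dictionary-attack guess) fails verification rather than being
    mis-attributed to a harvester."""
    tag = hmac.new(secret, str(visit_id).encode(), hashlib.sha256).hexdigest()[:12]
    return f"v{visit_id}-{tag}@{domain}"


def parse_address(addr, secret=SECRET, domain=DOMAIN):
    """Return the visit id encoded in addr if it is one we minted, else None."""
    local, _, dom = addr.strip().lower().partition("@")
    if dom != domain or not local.startswith("v"):
        return None
    vid, _, tag = local[1:].partition("-")
    if not vid.isdigit():
        return None
    expected = hmac.new(secret, vid.encode(), hashlib.sha256).hexdigest()[:12]
    return int(vid) if hmac.compare_digest(tag, expected) else None


class HoneypotLog:
    """Server-side record of which visitor was shown which address.
    Timestamps are Unix epoch seconds (ints), as a web server log would give."""

    def __init__(self):
        self.visits = {}

    def record_visit(self, ip, user_agent, page, when):
        """Called by the page-generating script on every request; returns
        the address to embed in the page (plaintext, mailto or JavaScript)."""
        vid = len(self.visits) + 1
        self.visits[vid] = {"ip": ip, "user_agent": user_agent, "page": page, "when": when}
        return mint_address(vid)

    def attribute_spam(self, rcpt, received):
        """Map an incoming spam recipient back to the harvesting visit and
        compute the harvest-to-spam turnaround in whole days."""
        vid = parse_address(rcpt)
        if vid is None or vid not in self.visits:
            return None
        v = self.visits[vid]
        return {"ip": v["ip"], "user_agent": v["user_agent"], "page": v["page"],
                "turnaround_days": (received - v["when"]) // 86400}

    def harvesters(self, spam_hits):
        """Group attributed visits by user agent: one agent string seen from
        many IPs is the distributed-harvester pattern the slides describe.
        spam_hits is a list of (recipient, received_epoch_seconds)."""
        groups = defaultdict(set)
        for rcpt, received in spam_hits:
            hit = self.attribute_spam(rcpt, received)
            if hit:
                groups[hit["user_agent"]].add(hit["ip"])
        return dict(groups)
```

Grouping by user agent is one crude way to merge the IPs of a distributed harvester; in practice the crawl timing and the pages requested would be combined with it.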
7. Fingerprinting Botnets
SMTP Dialects [USENIX2012]
We can uniquely identify an email-sending program by looking at the sequence of SMTP messages
Client                   Server
HELO domain              250 server
RSET                     250 OK
MAIL FROM:<email-addr>   250 OK
RCPT TO:<email-addr>     250 OK
DATA
Learning dialects spoken by botnets
Malware samples submitted to Anubis
• 18,849 malware samples sent an email
• 72 unique dialects
• Virustotal labels to name samples
Learning dialects spoken by legitimate clients
Virtual machines running 5 popular MTAs
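As an added illustration of the dialect idea on this slide (not the paper's SMTP Dialects implementation, which also learns from active server probing), the following Python classifies a recorded SMTP session by the verb sequence the client sends plus a few formatting quirks. The two transcripts and the reference dialects are constructed for the example; the paper's 72 learned dialects are not on the slides.

```python
import re

# Constructed sample transcripts ("C:" = client, "S:" = server). They are
# illustrative, not captured traffic from any of the botnets in the paper.
SESSIONS = {
    "session-a": """S: 220 mx.example.test ESMTP
C: HELO bot.example.test
S: 250 mx.example.test
C: RSET
S: 250 OK
C: MAIL FROM:<alice@example.test>
S: 250 OK
C: RCPT TO:<bob@example.test>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
""",
    "session-b": """S: 220 mx.example.test ESMTP
C: EHLO relay.example.test
S: 250-mx.example.test
S: 250 PIPELINING
C: MAIL FROM: <alice@example.test> SIZE=1024
S: 250 OK
C: RCPT TO: <bob@example.test>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
""",
}

# Constructed reference dialects (verb sequence, formatting quirks). The
# paper learns these from malware samples and real MTAs; these two are
# hand-written stand-ins.
KNOWN = {
    "dialect-helo-rset": (("HELO", "RSET", "MAIL", "RCPT", "DATA"),
                          frozenset({"greet=HELO"})),
    "dialect-mta": (("EHLO", "MAIL", "RCPT", "DATA"),
                    frozenset({"greet=EHLO", "space-after-colon", "esmtp-size"})),
}

CLIENT = re.compile(r"^C: (\S+)(.*)$")


def dialect_features(transcript):
    """Extract the dialect-relevant features of the client side of a session:
    the ordered verb sequence up to DATA (the body that follows carries no
    dialect information), plus small formatting quirks that distinguish
    implementations: greeting verb, a space after 'FROM:'/'TO:', ESMTP
    SIZE parameter."""
    verbs, quirks = [], set()
    for line in transcript.splitlines():
        m = CLIENT.match(line.strip())
        if not m:
            continue
        verb, rest = m.group(1).upper(), m.group(2)
        verbs.append(verb)
        if verb in ("HELO", "EHLO"):
            quirks.add("greet=" + verb)
        if verb in ("MAIL", "RCPT"):
            if re.match(r"\s+(FROM|TO):\s", rest, re.I):
                quirks.add("space-after-colon")
            if "SIZE=" in rest.upper():
                quirks.add("esmtp-size")
        if verb == "DATA":
            break
    return tuple(verbs), frozenset(quirks)


def classify(transcript):
    """Nearest known dialect: the verb sequence must match exactly, then the
    candidate sharing the most quirks (penalised for mismatches) wins.
    Returns 'unknown' when no dialect shares the verb sequence, so an
    analyst can record it as a new dialect rather than force a match."""
    verbs, quirks = dialect_features(transcript)
    best, best_score = "unknown", None
    for name, (sig_verbs, sig_quirks) in KNOWN.items():
        if sig_verbs != verbs:
            continue
        score = len(quirks & sig_quirks) - len(quirks ^ sig_quirks)
        if best_score is None or score > best_score:
            best, best_score = name, score
    return best
```

Passive observation of this kind is enough to separate clients that differ in the verbs they send; two clients with the same passive sequence need the active probing the paper uses (deliberately unusual server replies) to be told apart.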
8. Fingerprinting Spammers
We assume that a single spammer is responsible for each spam campaign
We cluster emails into campaigns by:
• Subject line
• URL domain
• Mailer
• Sender email address
10. Analysis of the Harvesters
9 different harvesters
613 email addresses were harvested
A single harvester harvested 415 addresses
Distributed harvester composed of 56 IP addresses
Turnaround time between 5 days and almost two years
11. Analysis of the SMTP Dialects
2,024 emails received, sent by 7 different dialects
3 large botnets (Cutwail, Lethic, Kelihos)
2 MTAs (Postfix and Sendmail)
15. Analysis of the Spam Campaigns
Campaign  Number of Emails  Topic
1         64                Counterfeit goods
2         180               Online dating
3         8                 Financial scam
4         533               SEO
5         7                 Email marketing
6         6                 Phishing scam
7         30                Phishing scam
8         5                 Phishing scam
16. Tracking Spammers Over Time
Each campaign is carried out by a different spammer
Spammers could run two campaigns simultaneously
We identify spammers by botnet + email list
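The two steps on slides 8 and 16 (cluster emails into campaigns by subject, URL domain, mailer and sender; then identify a spammer by botnet plus email list) are shown together in the following added Python example, which is not the paper's code. The eleven email records are constructed; the "dialect" field stands for the botnet or MTA the delivery was fingerprinted as. How the paper decides that two campaigns use the same email list is not stated on the slides, so the example assumes a list is identified by the set of honeypot recipients it reaches and that a recipient-set overlap of Jaccard 0.5 or more means the same list.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of emails received at honeypot addresses (not data
# from the paper). "dialect" is the SMTP dialect the delivery matched;
# "rcpt" is the honeypot address that received it.
EMAILS = [
    {"subject": "Cheap Watches!", "body": "http://shop.example/a1", "mailer": "Mailer A", "from": "deals@example.net", "dialect": "botnet-1", "rcpt": "u1@hp.test"},
    {"subject": "cheap watches!", "body": "http://shop.example/b7", "mailer": "Mailer A", "from": "deals@example.net", "dialect": "botnet-1", "rcpt": "u2@hp.test"},
    {"subject": "Cheap Watches!", "body": "http://shop.example/c3", "mailer": "Mailer A", "from": "deals@example.net", "dialect": "botnet-1", "rcpt": "u3@hp.test"},
    {"subject": "Meet singles", "body": "http://date.example/x", "mailer": "Mailer A", "from": "love@example.net", "dialect": "botnet-1", "rcpt": "u1@hp.test"},
    {"subject": "Meet singles", "body": "http://date.example/y", "mailer": "Mailer A", "from": "love@example.net", "dialect": "botnet-1", "rcpt": "u2@hp.test"},
    {"subject": "Meet singles", "body": "http://date.example/z", "mailer": "Mailer A", "from": "love@example.net", "dialect": "botnet-1", "rcpt": "u4@hp.test"},
    {"subject": "Invoice attached", "body": "see http://pay.example/login", "mailer": "Postfix", "from": "billing@example.org", "dialect": "postfix", "rcpt": "u5@hp.test"},
    {"subject": "Invoice attached", "body": "see http://pay.example/login", "mailer": "Postfix", "from": "billing@example.org", "dialect": "postfix", "rcpt": "u6@hp.test"},
    {"subject": "SEO offer", "body": "http://rank.example/", "mailer": "Mailer B", "from": "seo@example.com", "dialect": "botnet-2", "rcpt": "u5@hp.test"},
    {"subject": "SEO offer", "body": "http://rank.example/", "mailer": "Mailer B", "from": "seo@example.com", "dialect": "botnet-2", "rcpt": "u6@hp.test"},
    {"subject": "SEO offer", "body": "http://rank.example/", "mailer": "Mailer B", "from": "seo@example.com", "dialect": "botnet-2", "rcpt": "u7@hp.test"},
]

URL = re.compile(r"https?://[^\s\"'<>]+")


def campaign_key(mail):
    """The four features the slide clusters on. The URL is reduced to its
    host so one campaign rotating paths still groups together; subject and
    sender are case-folded."""
    urls = URL.findall(mail["body"])
    domain = (urlparse(urls[0]).hostname or "").lower() if urls else ""
    return (mail["subject"].strip().lower(), domain, mail["mailer"], mail["from"].lower())


def cluster_campaigns(emails):
    """Group emails into campaigns; dict preserves first-seen order."""
    camps = defaultdict(list)
    for m in emails:
        camps[campaign_key(m)].append(m)
    return dict(camps)


def attribute_spammers(campaigns, threshold=0.5):
    """Label each campaign with (botnet dialect, email-list id).
    Assumption (not from the paper): lists are identified greedily by
    recipient overlap. A campaign's recipient set joins the first known
    list it overlaps with by Jaccard >= threshold, else it starts a new
    list. Returns {campaign_key: (dialect, list_id)}."""
    lists = []
    result = {}
    for key, mails in campaigns.items():
        rcpts = {m["rcpt"] for m in mails}
        dialects = {m["dialect"] for m in mails}
        dialect = dialects.pop() if len(dialects) == 1 else "mixed"
        list_id = None
        for i, known in enumerate(lists):
            if len(rcpts & known) / len(rcpts | known) >= threshold:
                known |= rcpts
                list_id = i
                break
        if list_id is None:
            lists.append(set(rcpts))
            list_id = len(lists) - 1
        result[key] = (dialect, f"list-{list_id}")
    return result


def distinct_spammers(attribution):
    """Number of distinct (botnet, list) pairs, i.e. spammers under slide 16."""
    return len(set(attribution.values()))


def shared_lists(attribution):
    """Email lists used by more than one spammer; slide 17 reads this as
    the list having been purchased."""
    by_list = defaultdict(set)
    for dialect, list_id in attribution.values():
        by_list[list_id].add(dialect)
    return sorted(l for l, d in by_list.items() if len(d) > 1)
```

On the constructed data the first two campaigns share a botnet and a list (one spammer running two campaigns at once), while the last two share a list but differ in botnet versus MTA, the pattern slide 17 attributes to a purchased list.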
17. Studying the Relationships Between the Actors
Each botnet was rented by a single spammer
Multiple spammers used the same type of MTA
4 email lists were used by multiple spammers → purchased
Spammers keep using the same email list
Spammers using MTAs are more likely to harvest their email addresses
18. Conclusions & Lessons Learned
We presented the first end-to-end analysis of the spam delivery ecosystem
Our results show that spammers use the same botnet and the same email list for a long time
This can be leveraged for spam mitigation
Our methodology could be used by other researchers to perform larger-scale studies