UC Santa Barbara
*RWTH Aachen
The Harvester, the Botmaster, and the Spammer:
On the Relations Between the Different Actors in
the Spam Landscape
Gianluca Stringhini, Oliver Hohlfeld*,
Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara
*RWTH Aachen
Setting Up a Spam Operation
The Harvester, the Botmaster, and the Spammer 2
Actors in the operation: Spammer, Harvester, Botmaster

What are the relations between the different actors in a spam operation?
Fingerprinting the Actors
Harvesters: disseminate email addresses on the web
Spammers: fingerprint spam campaigns
Botnets: each botnet implements SMTP differently [USENIX2012]
Fingerprinting the Entire Operation
Fingerprinting Email Harvesters
• Server-side dynamic script to generate unique addresses
• Websites of various types [IMC2012]
• Various ways of embedding email addresses: plaintext, mailto links, obfuscated JavaScript
• We recorded the IP address and user agent of visitors
Fingerprinting Botnets
SMTP Dialects [USENIX2012]
We can uniquely identify an email-sending program by looking at the sequence of SMTP messages
Example exchange (client command, server reply):
  HELO domain               250 server
  RSET                      250 OK
  MAIL FROM:<email-addr>    250 OK
  RCPT TO:<email-addr>      250 OK
  DATA
Learning dialects spoken by botnets: malware samples submitted to Anubis
• 18,849 malware samples sent an email
• 72 unique dialects
• VirusTotal labels to name samples
Learning dialects spoken by legitimate clients
• Virtual machines running 5 popular MTAs
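The dialect idea on this slide, as an added example (not the authors' tool): parse a captured SMTP session into the ordered sequence of client commands, reduce it to a signature, and look that signature up in a table of previously learned dialects. The dialect table, its labels and the sample session are constructed for illustration; the real table would be learned from sandboxed samples and reference MTAs as the slide describes, and the collapsing of repeated RCPT commands is this example's own choice.

```python
import re

# Constructed dialect table (assumption): placeholder labels, not the paper's
# botnet fingerprints. dialect_1 mirrors the exchange shown on the slide.
KNOWN_DIALECTS = {
    "dialect_1": ("HELO", "RSET", "MAIL", "RCPT", "DATA"),
    "dialect_2": ("EHLO", "MAIL", "RCPT", "DATA"),
    "dialect_3": ("EHLO", "STARTTLS", "EHLO", "MAIL", "RCPT", "DATA"),
}

_VERB_RE = re.compile(r"^\s*([A-Za-z]+)")


def parse_transcript(text):
    """Parse a 'C: ...' / 'S: ...' text capture into (direction, line) tuples."""
    out = []
    for raw in text.strip().splitlines():
        direction, _, rest = raw.partition(":")
        direction = direction.strip().upper()
        if direction in ("C", "S"):
            out.append((direction, rest.strip()))
    return out


def client_verbs(transcript):
    """Ordered SMTP verbs the client sent; server replies and arguments dropped.

    Only the command order matters for the signature, so the HELO domain and the
    envelope addresses are discarded here.
    """
    verbs = []
    for direction, line in transcript:
        if direction != "C":
            continue
        m = _VERB_RE.match(line)
        if m:
            verbs.append(m.group(1).upper())
    return verbs


def dialect_signature(transcript):
    """Collapse consecutive RCPT commands into one step so that the number of
    recipients does not split an otherwise identical dialect (example's choice)."""
    sig = []
    for verb in client_verbs(transcript):
        if verb == "RCPT" and sig and sig[-1] == "RCPT":
            continue
        sig.append(verb)
    return tuple(sig)


def classify(transcript, known=KNOWN_DIALECTS):
    """Exact match against the learned dialect table; 'unknown' otherwise."""
    sig = dialect_signature(transcript)
    for name, known_sig in known.items():
        if sig == known_sig:
            return name
    return "unknown"


# Constructed capture (assumption) following the exchange on the slide.
SAMPLE_SESSION = """
S: 220 mx.example.net ESMTP
C: HELO domain
S: 250 server
C: RSET
S: 250 OK
C: MAIL FROM:<sender@example.com>
S: 250 OK
C: RCPT TO:<victim1@honeypot.example>
S: 250 OK
C: RCPT TO:<victim2@honeypot.example>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
"""

if __name__ == "__main__":
    session = parse_transcript(SAMPLE_SESSION)
    print(dialect_signature(session), "->", classify(session))
```

A receiving MTA that logs the command sequence per connection can run this classification offline; a session whose signature matches none of the legitimate MTAs' dialects is a candidate for closer inspection rather than an automatic reject.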
Fingerprinting Spammers
We assume that a single spammer is
responsible for each spam campaign
We cluster emails into campaigns by:
• Subject line
• URL domain
• Mailer
• Sender email address
Analysis of the Collected Data
Analysis of the Harvesters
9 different harvesters
613 email addresses were harvested
A single harvester harvested 415 addresses
Distributed harvester composed of 56 IP addresses
Turnaround time between 5 days and almost two years
Analysis of the SMTP Dialects
2,024 emails received sent by 7 different dialects
3 large botnets (Cutwail, Lethic, Kelihos)
2 MTAs (Postfix and Sendmail)
Country Distribution - Lethic
Country Distribution - Cutwail
Country Distribution - MTAs
Analysis of the Spam Campaigns
Campaign   Number of Emails   Topic
1          64                 Counterfeit goods
2          180                Online dating
3          8                  Financial scam
4          533                SEO
5          7                  Email marketing
6          6                  Phishing scam
7          30                 Phishing scam
8          5                  Phishing scam
Tracking Spammers Over Time
Each campaign is assumed to be carried out by a different spammer
Spammers could, however, run two campaigns simultaneously
We therefore identify spammers by botnet + email list
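The two steps on the "Fingerprinting Spammers" and "Tracking Spammers Over Time" slides, as one added example that is not the authors' code: emails are clustered into campaigns on subject line, URL domain, mailer and sender address, and campaigns are then merged into spammer profiles when they were sent through the same botnet (the SMTP dialect label) and reuse the same email list. Two choices here are this example's own and not stated on the slides: the four features are combined as one joint key, and "same email list" is approximated by a Jaccard overlap of the recipient sets of at least 0.5. The sample emails, the honeypot recipients h1..h5 and the dialect labels are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def url_domain(body):
    """Lower-cased host of the first URL in the body, or None if there is none."""
    m = URL_RE.search(body)
    if not m:
        return None
    return (urlparse(m.group(0)).hostname or "").lower() or None


def campaign_key(email):
    """Joint key over the four features on the slide (subject, URL domain,
    mailer, sender). Treating them as one tuple is this example's choice."""
    return (
        " ".join(email["subject"].split()).lower(),
        url_domain(email["body"]),
        email.get("mailer", "").strip().lower(),
        email["from"].strip().lower(),
    )


def cluster_campaigns(emails):
    """Group emails into campaigns; returns {campaign_key: [emails]}."""
    clusters = defaultdict(list)
    for e in emails:
        clusters[campaign_key(e)].append(e)
    return dict(clusters)


def spammer_profiles(campaigns, min_overlap=0.5):
    """Merge campaigns into spammers by botnet + email list.

    A campaign joins an existing profile when its dominant dialect (the botnet)
    matches and its recipient set overlaps the profile's list by at least
    `min_overlap` (Jaccard). The threshold is an assumption of this example.
    Returns (profiles, {campaign_key: profile_index}).
    """
    profiles = []
    assignment = {}
    for key, msgs in campaigns.items():
        botnet = Counter(m["dialect"] for m in msgs).most_common(1)[0][0]
        rcpts = {m["to"].lower() for m in msgs}
        for idx, prof in enumerate(profiles):
            if prof["botnet"] != botnet:
                continue
            jaccard = len(rcpts & prof["recipients"]) / len(rcpts | prof["recipients"])
            if jaccard >= min_overlap:
                prof["recipients"] |= rcpts
                prof["campaigns"].append(key)
                assignment[key] = idx
                break
        else:
            profiles.append({"botnet": botnet, "recipients": set(rcpts), "campaigns": [key]})
            assignment[key] = len(profiles) - 1
    return profiles, assignment


def _msg(subject, sender, url, mailer, dialect, to):
    return {"subject": subject, "from": sender, "body": f"Click here: {url}",
            "mailer": mailer, "dialect": dialect, "to": to}


# Constructed sample (assumption): three campaigns; the first two share a
# botnet and most of their recipient list, the third uses a different dialect.
SAMPLE_EMAILS = [
    _msg("Luxury watches 80% off", "sales@shop-a.example", "http://shop-a.example/w1", "", "dialect_1", "h1@honeypot.example"),
    _msg("Luxury  watches 80% off", "sales@shop-a.example", "http://shop-a.example/w2", "", "dialect_1", "h2@honeypot.example"),
    _msg("luxury watches 80% off", "Sales@shop-a.example", "HTTP://SHOP-A.example/w3", "", "dialect_1", "h3@honeypot.example"),
    _msg("Luxury watches 80% off", "sales@shop-a.example", "http://shop-a.example/w4", "", "dialect_1", "h1@honeypot.example"),
    _msg("Someone wants to meet you", "love@date-b.example", "http://date-b.example/p", "", "dialect_1", "h1@honeypot.example"),
    _msg("Someone wants to meet you", "love@date-b.example", "http://date-b.example/p", "", "dialect_1", "h2@honeypot.example"),
    _msg("Boost your ranking", "seo@seo-c.example", "http://seo-c.example/", "Postfix", "dialect_2", "h4@honeypot.example"),
    _msg("Boost your ranking", "seo@seo-c.example", "http://seo-c.example/", "Postfix", "dialect_2", "h5@honeypot.example"),
]

if __name__ == "__main__":
    campaigns = cluster_campaigns(SAMPLE_EMAILS)
    profiles, assignment = spammer_profiles(campaigns)
    for i, p in enumerate(profiles):
        print(f"spammer {i}: botnet={p['botnet']} list={sorted(p['recipients'])} campaigns={len(p['campaigns'])}")
```

The recipient set works as a list fingerprint only because every recipient is a honeypot address that was handed out once; on a general mailbox population the same comparison would need a stable set of sentinel addresses instead.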
Studying the Relationships Between the Actors
Each botnet was rented by a single spammer
Multiple spammers used the same type of MTA
4 email lists were used by multiple spammers → likely purchased
Spammers keep using the same email list
Spammers using MTAs are more likely to harvest their own email addresses
Conclusions & Lessons Learned
We presented the first end-to-end analysis of the
spam delivery ecosystem
Our results show that spammers use the same
botnet and the same email list for a long time
This can be leveraged for spam mitigation
Our methodology could be used by other researchers
to perform larger-scale studies
Questions?
gianluca@cs.ucsb.edu
@gianlucasb
