DOCSLIB.ORG

Studying Spamming Botnets Using Botlab John P

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Studying Spamming Botnets Using Botlab John P. John Alexander Moshchuk Steven D. Gribble Arvind Krishnamurthy Department of Computer Science & Engineering University of Washington Abstract erate. Passive honeynets [13, 27, 41] are becoming less applicable to this problem over time, as botnets are in- In this paper we present Botlab, a platform that con- creasingly propagating via social engineering and web- tinually monitors and analyzes the behavior of spam- based drive-by download attacks that honeynets will not oriented botnets. Botlab gathers multiple real-time observe. Overall, there is still opportunity to design de- streams of information about botnets taken from distinct fensive tools to filter botnet spam, identify and block perspectives. By combining and analyzing these streams, botnet-hosted malicious sites, and pinpoint which hosts Botlab can produce accurate, timely, and comprehensive are currently participating in a spamming botnet. data about spam botnet behavior. Our prototype system In this paper we turn the tables on spam botnets by us- integrates information about spam arriving at the Univer- ing the vast quantities of spam that they generate to mon- sity of Washington, outgoing spam generated by captive itor and analyze their behavior. To do this, we designed botnet nodes, and information gleaned from DNS about and implemented Botlab, a continuously operating bot- URLs found within these spam messages. net monitoring platform that provides real-time informa- We describe the design and implementation of Botlab, tion regarding botnet activity. Botlab consumes a feed of including the challenges we had to overcome, such as all incoming spam arriving at the University of Washing- preventing captive nodes from causing harm or thwart- ton, allowing it to find fresh botnet binaries propagated ing virtual machine detection. Next, we present the re- through spam links. It then executes multiple captive, sults of a detailed measurement study of the behavior of sandboxed nodes from various botnets, allowing it to ob- the most active spam botnets. We find that six botnets serve the precise outgoing spam feeds from these nodes. are responsible for 79% of spam messages arriving at the It scours the spam feeds for URLs, gathers information UW campus. Finally, we present defensive tools that take on scams, and identifies exploit links. Finally, it corre- advantage of the Botlab platform to improve spam filter- lates the incoming and outgoing spam feeds to identify ing and protect users from harmful web sites advertised the most active botnets and the set of compromised hosts within botnet-generated spam. comprising each botnet. 1 Introduction A key insight behind Botlab is that the combination of both incoming and outgoing spam sources is essential for Spamming botnets are a blight on the Internet. By some enabling a comprehensive, accurate, and timely analysis estimates, they transmit approximately 85% of the 100+ of botnet behavior. Incoming spam bootstraps the pro- billion spam messages sent per day [14, 21]. Botnet- cess of identifying spamming bots, outgoing spam en- generated spam is a nuisance to users, but worse, it can ables us to track the ebbs and flows of botnets’ ongoing cause significant harm when used to propagate phishing spam campaigns and establish the ground truth regard- campaigns that steal identities, or to distribute malware ing spam templates, and correlation of the two feeds can to compromise more hosts. classify incoming spam according to botnet that is sourc- These concerns have prompted academia and industry ing it, determine the number of hosts active within each to analyze spam and spamming botnets. Previous stud- botnet, and identify many of these botnet-infected hosts. ies have examined spam received by sinkholes and pop- ular web-based mail services to derive spam signatures, 1.1 Contributions determine properties of spam campaigns, and character- ize scam hosting infrastructure [1, 39, 40]. This analysis Our work offers four novel contributions. First, we tackle of “incoming” spam feeds provides valuable information many of the challenges involved in building a real-time on aggregate botnet behavior, but it does not separate ac- botnet monitoring platform, including identifying and tivities of individual botnets or provide information on incorporating new bot variants, and preventing Botlab the spammers’ latest techniques. Other efforts reverse hosts from being blacklisted by botnet operators. engineered and infiltrated individual spamming botnets, Second, we have designed network sandboxing mech- including Storm [20] and Rustock [5]. However, these anisms that prevent captive bot nodes from causing harm, techniques are specific to these botnets and their com- while still enabling our research to be effective. As well, munication methods, and their analysis only considers we discuss the long-term tension between effectiveness characteristics of the “outgoing” spam these botnets gen- and safety in botnet research given botnets’ trends, and USENIX Association NSDI ’09: 6th USENIX Symposium on Networked Systems Design and Implementation 291 we present thought experiments that suggest that a de- Propagation: Malware authors are increasingly relying termined adversary could make it extremely difficult to on social engineering to find and compromise victims, conduct future botnet research in a safe manner. such as by spamming users with personal greeting card Third, we present interesting behavioral character- ads or false upgrade notices that entice them to install istics of spamming botnets derived from our multi- malware. As propagation techniques move up the proto- perspective analysis. For example, we show that just col stacks, the weakest link in the botnet defense chain a handful of botnets are responsible for most spam re- becomes the human user. As well, systems such as pas- ceived by UW, and attribute incoming spam to specific sive honeynets become less effective at detecting new botnets. As well, we show that the bots we analyze use botnet software, instead requiring active steps to gather simple methods for locating their command and control and classify potential malware. (C&C) servers; if these servers were efficiently located While many of the older and shut down, much of today’s spam flow would be dis- Customized C&C protocols: botnet designs used IRC to communicate with C&C rupted. As another example, in contrast to earlier find- servers, newer botnets use encrypted and customized ings [40], we observe that some spam campaigns utilize protocols for disseminating commands and directing multiple botnets. bots [7, 9, 33, 36]. For example, some botnets communi- Fourth, we have implemented several prototype de- cate via HTTP requests and responses carrying encrypted fensive tools that take advantage of the real-time in- C&C data. Manual reverse-engineering of bot behavior formation provided by the Botlab platform. We have has thus become time-consuming if not impossible. constructed a Firefox plugin that protects users from scam and phishing web sites propagated by spam bot- Rapid evolution: To evade detection from trackers nets. The plug-in blocked 40,270 malicious links em- and anti-malware software, some newer botnets morph anating from one botnet monitored by Botlab; in con- rapidly. For instance, most malware binaries are often trast, two blacklist-based defenses failed to detect any of packed using polymorphic packers that generate differ- these links. As well, we have designed and implemented ent looking binaries even though the underlying code a Thunderbird plugin that filters botnet-generated spam. base has not changed [29]. Also, botnet operators are For one user, the plugin reduced the amount of spam that moving away from relying on a single web server to host bypassed his SpamAssassin filters by 76%. their scams, and instead are using fast flux DNS [12]. The rest of this paper is organized as follows. Sec- In this scheme, attackers rapidly rebind the server DNS tion 2 provides background material on the botnet threat. name to different botnet IP addresses, in order to defend Section 3 discusses the design and implementation of against IP blacklisting or manual server take-down. Fi- Botlab. We evaluate Botlab in Section 4 and describe ap- nally, botnets also make updates to their C&C protocols, plications we have built using it in Section 5. We discuss by incorporating new forms of encryption and command our thoughts on the long-term viability of safe botnet re- distribution. search in Section 6. We present related work in Section 7 Moving forward, analysis and defense systems must and conclude in Section 8. contend with the increasing sophistication of botnets. Monitoring systems must be pro-active in collecting and 2 Background on the Botnet Threat executing botnet samples, as botnets and their behavior A botnet is a large-scale, coordinated network of comput- change rapidly. As well, botnet analysis systems will in- ers, each of which executes specific bot software. Botnet creasingly have to rely on external observations of botnet operators recruit new nodes by commandeering victim behavior, rather than necessarily being able to crack and hosts and surreptitiously installing bot code onto them; reverse engineer botnet control traffic. the resulting army of “zombie” computers is typically controlled by one or more command-and-control (C&C) 3 The Botlab Monitoring Platform servers. Botnet operators employ their botnets to send The Botlab platform produces fresh information about spam, scan for new victims, steal confidential informa- spam-oriented botnets, including their current cam- tion from users, perform DDoS attacks, host web servers paigns, constituent bots, and C&C servers. Botlab par- and phishing content, and propagate updates to the bot- tially automates many aspects of botnet monitoring, re- net software itself. ducing but not eliminating the manual effort required of Botnets originated as simple extensions to existing In- a human operator to analyze new bot binaries and incor- ternet Relay Chat (IRC) softbots. Efforts to combat bot- porate them into Botlab platform. nets have grown, but so has the demand for their services.
Recommended publications
  • Spamming Botnets: Signatures and Characteristics

    Spamming Botnets: Signatures and Characteristics

    Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten+,IvanOsipkov+ Microsoft Research, Silicon Valley +Microsoft Corporation {yxie,fangyu,kachan,rina,ghulten,ivano}@microsoft.com ABSTRACT botnet infection and their associated control process [4, 17, 6], little In this paper, we focus on characterizing spamming botnets by effort has been devoted to understanding the aggregate behaviors of leveraging both spam payload and spam server traffic properties. botnets from the perspective of large email servers that are popular Towards this goal, we developed a spam signature generation frame- targets of botnet spam attacks. work called AutoRE to detect botnet-based spam emails and botnet An important goal of this paper is to perform a large scale analy- membership. AutoRE does not require pre-classified training data sis of spamming botnet characteristics and identify trends that can or white lists. Moreover, it outputs high quality regular expression benefit future botnet detection and defense mechanisms. In our signatures that can detect botnet spam with a low false positive rate. analysis, we make use of an email dataset collected from a large Using a three-month sample of emails from Hotmail, AutoRE suc- email service provider, namely, MSN Hotmail. Our study not only cessfully identified 7,721 botnet-based spam campaigns together detects botnet membership across the Internet, but also tracks the with 340,050 unique botnet host IP addresses. sending behavior and the associated email content patterns that are Our in-depth analysis of the identified botnets revealed several directly observable from an email service provider. Information interesting findings regarding the degree of email obfuscation, prop- pertaining to botnet membership can be used to prevent future ne- erties of botnet IP addresses, sending patterns, and their correlation farious activities such as phishing and DDoS attacks.
  • Zambia and Spam

    Zambia and Spam

    ZAMNET COMMUNICATION SYSTEMS LTD (ZAMBIA) Spam – The Zambian Experience Submission to ITU WSIS Thematic meeting on countering Spam By: Annabel S Kangombe – Maseko June 2004 Table of Contents 1.0 Introduction 1 1.1 What is spam? 1 1.2 The nature of Spam 1 1.3 Statistics 2 2.0 Technical view 4 2.1 Main Sources of Spam 4 2.1.1 Harvesting 4 2.1.2 Dictionary Attacks 4 2.1.3 Open Relays 4 2.1.4 Email databases 4 2.1.5 Inadequacies in the SMTP protocol 4 2.2 Effects of Spam 5 2.3 The fight against spam 5 2.3.1 Blacklists 6 2.3.2 White lists 6 2.3.3 Dial‐up Lists (DUL) 6 2.3.4 Spam filtering programs 6 2.4 Challenges of fighting spam 7 3.0 Legal Framework 9 3.1 Laws against spam in Zambia 9 3.2 International Regulations or Laws 9 3.2.1 US State Laws 9 3.2.2 The USA’s CAN‐SPAM Act 10 4.0 The Way forward 11 4.1 A global effort 11 4.2 Collaboration between ISPs 11 4.3 Strengthening Anti‐spam regulation 11 4.4 User education 11 4.5 Source authentication 12 4.6 Rewriting the Internet Mail Exchange protocol 12 1.0 Introduction I get to the office in the morning, walk to my desk and switch on the computer. One of the first things I do after checking the status of the network devices is to check my email.
  • Enisa Etl2020

    Enisa Etl2020

    EN From January 2019 to April 2020 Spam ENISA Threat Landscape Overview The first spam message was sent in 1978 by a marketing manager to 393 people via ARPANET. It was an advertising campaign for a new product from the company he worked for, the Digital Equipment Corporation. For those first 393 spammed people it was as annoying as it would be today, regardless of the novelty of the idea.1 Receiving spam is an inconvenience, but it may also create an opportunity for a malicious actor to steal personal information or install malware.2 Spam consists of sending unsolicited messages in bulk. It is considered a cybersecurity threat when used as an attack vector to distribute or enable other threats. Another noteworthy aspect is how spam may sometimes be confused or misclassified as a phishing campaign. The main difference between the two is the fact that phishing is a targeted action using social engineering tactics, actively aiming to steal users’ data. In contrast spam is a tactic for sending unsolicited e-mails to a bulk list. Phishing campaigns can use spam tactics to distribute messages while spam can link the user to a compromised website to install malware and steal personal data. Spam campaigns, during these last 41 years have taken advantage of many popular global social and sports events such as UEFA Europa League Final, US Open, among others. Even so, nothing compared with the spam activity seen this year with the COVID-19 pandemic.8 2 __Findings 85%_of all e-mails exchanged in April 2019 were spam, a 15-month high1 14_million
  • Locating Spambots on the Internet

    Locating Spambots on the Internet

    BOTMAGNIFIER: Locating Spambots on the Internet Gianluca Stringhinix, Thorsten Holzz, Brett Stone-Grossx, Christopher Kruegelx, and Giovanni Vignax xUniversity of California, Santa Barbara z Ruhr-University Bochum fgianluca,bstone,chris,[email protected] [email protected] Abstract the world-wide email traffic [20], and a lucrative busi- Unsolicited bulk email (spam) is used by cyber- ness has emerged around them [12]. The content of spam criminals to lure users into scams and to spread mal- emails lures users into scams, promises to sell cheap ware infections. Most of these unwanted messages are goods and pharmaceutical products, and spreads mali- sent by spam botnets, which are networks of compro- cious software by distributing links to websites that per- mised machines under the control of a single (malicious) form drive-by download attacks [24]. entity. Often, these botnets are rented out to particular Recent studies indicate that, nowadays, about 85% of groups to carry out spam campaigns, in which similar the overall spam traffic on the Internet is sent with the mail messages are sent to a large group of Internet users help of spamming botnets [20,36]. Botnets are networks in a short amount of time. Tracking the bot-infected hosts of compromised machines under the direction of a sin- that participate in spam campaigns, and attributing these gle entity, the so-called botmaster. While different bot- hosts to spam botnets that are active on the Internet, are nets serve different, nefarious goals, one important pur- challenging but important tasks. In particular, this infor- pose of botnets is the distribution of spam emails.
  • The Botnet Chronicles a Journey to Infamy

    The Botnet Chronicles a Journey to Infamy

    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
  • Compu Talk Vol

    Compu Talk Vol

    Sri Sathya Sai College for Women, Bhopal 2017 A newsletter from the Dept. of Computer Sci. & Appl. Compu Talk Vol. III Cyber Security job oppurtunities Botnet Department of Computer Computer Network Science and Application Firewall Departmental News Now Trending: including smartphones, televisions and tiny devices and integration of these as part of the Job Opportunities under the Cyber Internet of Things. Boom in cyber threats has Security Umbrella been an integral part of boom in information technology . Cyber security also known in simpler terms as computer security or IT security involves the Typical cyber security job titles and protection of computer systems from theft, descriptions may include the following: damage or destruction of 1. Security Analyst their hardware, software, data and information, as well from disruption, misuse or A Security Analyst analyzes and assesses misdirection of the services provided through vulnerabilities in the infrastructure which them to cause damage to the fellow humans or includes software, hardware and the society. associated networks. He/she performs The role of cyber security involves investigation using available tools, suggests controlling or limiting physical access to the counter-measures to remedy the detected hardware, as well as protecting them against any vulnerabilities, and recommends solutions harm or attack that may come via network and best practices. He/she analyzes and access intrusion, data insertion and code assesses the damage done to the injection and remote control. IT security is data/infrastructure as a result of security susceptible to being tricked into deviating from incidents, examines available recovery tools secure procedures through various methods. and processes, and recommends solutions.
  • The History of Spam Timeline of Events and Notable Occurrences in the Advance of Spam

    The History of Spam Timeline of Events and Notable Occurrences in the Advance of Spam

    The History of Spam Timeline of events and notable occurrences in the advance of spam July 2014 The History of Spam The growth of unsolicited e-mail imposes increasing costs on networks and causes considerable aggravation on the part of e-mail recipients. The history of spam is one that is closely tied to the history and evolution of the Internet itself. 1971 RFC 733: Mail Specifications 1978 First email spam was sent out to users of ARPANET – it was an ad for a presentation by Digital Equipment Corporation (DEC) 1984 Domain Name System (DNS) introduced 1986 Eric Thomas develops first commercial mailing list program called LISTSERV 1988 First know email Chain letter sent 1988 “Spamming” starts as prank by participants in multi-user dungeon games by MUDers (Multi User Dungeon) to fill rivals accounts with unwanted electronic junk mail. 1990 ARPANET terminates 1993 First use of the term spam was for a post from USENET by Richard Depew to news.admin.policy, which was the result of a bug in a software program that caused 200 messages to go out to the news group. The term “spam” itself was thought to have come from the spam skit by Monty Python's Flying Circus. In the sketch, a restaurant serves all its food with lots of spam, and the waitress repeats the word several times in describing how much spam is in the items. When she does this, a group of Vikings in the corner start a song: "Spam, spam, spam, spam, spam, spam, spam, spam, lovely spam! Wonderful spam!" Until told to shut up.
  • A Survey of Learning-Based Techniques of Email Spam Filtering

    A Survey of Learning-Based Techniques of Email Spam Filtering

    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Unitn-eprints Research A SURVEY OF LEARNING-BASED TECHNIQUES OF EMAIL SPAM FILTERING Enrico Blanzieri and Anton Bryl January 2008 (Updated version) Technical Report # DIT-06-056 A Survey of Learning-Based Techniques of Email Spam Filtering Enrico Blanzieri, University of Trento, Italy, and Anton Bryl University of Trento, Italy, Create-Net, Italy [email protected] January 11, 2008 Abstract vertising pornography, pyramid schemes, etc. [68]. The total worldwide financial losses caused by spam Email spam is one of the major problems of the to- in 2005 were estimated by Ferris Research Analyzer day’s Internet, bringing financial damage to compa- Information Service at $50 billion [31]. nies and annoying individual users. Among the ap- Lately, Goodman et al. [39] presented an overview proaches developed to stop spam, filtering is an im- of the field of anti-spam protection, giving a brief portant and popular one. In this paper we give an history of spam and anti-spam and describing major overview of the state of the art of machine learn- directions of development. They are quite optimistic ing applications for spam filtering, and of the ways in their conclusions, indicating learning-based spam of evaluation and comparison of different filtering recognition, together with anti-spoofing technologies methods. We also provide a brief description of and economic approaches, as one of the measures other branches of anti-spam protection and discuss which together will probably lead to the final victory the use of various approaches in commercial and non- over email spammers in the near future.
  • Downloading and Running

    Downloading and Running

    City Research Online City, University of London Institutional Repository Citation: Meng, X. (2018). An integrated networkbased mobile botnet detection system. (Unpublished Doctoral thesis, City, Universtiy of London) This is the accepted version of the paper. This version of the publication may differ from the final published version. Permanent repository link: https://openaccess.city.ac.uk/id/eprint/19840/ Link to published version: Copyright: City Research Online aims to make research outputs of City, University of London available to a wider audience. Copyright and Moral Rights remain with the author(s) and/or copyright holders. URLs from City Research Online may be freely distributed and linked to. Reuse: Copies of full items can be used for personal research or study, educational, or not-for-profit purposes without prior permission or charge. Provided that the authors, title and full bibliographic details are credited, a hyperlink and/or URL is given for the original metadata page and the content is not changed in any way. City Research Online: http://openaccess.city.ac.uk/ [email protected] AN INTEGRATED NETWORK- BASED MOBILE BOTNET DETECTION SYSTEM Xin Meng Department of Computer Science City, University of London This dissertation is submitted for the degree of Doctor of Philosophy City University London June 2017 Declaration I hereby declare that except where specific reference is made to the work of others, the contents of this dissertation are original and have not been submitted in whole or in part for consideration for any other degree or qualification in this, or any other University. This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration, except where specifically indicated in the text.
  • Coordinating Across Chaos: the Practice of Transnational Internet Security Collaboration

    Coordinating Across Chaos: the Practice of Transnational Internet Security Collaboration

    COORDINATING ACROSS CHAOS: THE PRACTICE OF TRANSNATIONAL INTERNET SECURITY COLLABORATION A Dissertation Presented to The Academic Faculty by Tarun Chaudhary In Partial Fulfillment of the Requirements for the Degree International Affairs, Science, and Technology in the Sam Nunn School of International Affairs Georgia Institute of Technology May 2019 COPYRIGHT © 2019 BY TARUN CHAUDHARY COORDINATING ACROSS CHAOS: THE PRACTICE OF TRANSNATIONAL INTERNET SECURITY COLLABORATION Approved by: Dr. Adam N. Stulberg Dr. Peter K. Brecke School of International Affairs School of International Affairs Georgia Institute of Technology Georgia Institute of Technology Dr. Michael D. Salomone Dr. Milton L. Mueller School of International Affairs School of Public Policy Georgia Institute of Technology Georgia Institute of Technology Dr. Jennifer Jordan School of International Affairs Georgia Institute of Technology Date Approved: March 11, 2019 ACKNOWLEDGEMENTS I was once told that writing a dissertation is lonely experience. This is only partially true. The experience of researching and writing this work has been supported and encouraged by a small army of individuals I am forever grateful toward. My wife Jamie, who has been a truly patient soul and encouraging beyond measure while also being my intellectual sounding board always helping guide me to deeper insight. I have benefited from an abundance of truly wonderful teachers over the course of my academic life. Dr. Michael Salomone who steered me toward the world of international security studies since I was an undergraduate, I am thankful for his wisdom and the tremendous amount of support he has given me over the past two decades. The rest of my committee has been equally as encouraging and provided me with countless insights as this work has been gestating and evolving.
  • Characterizing Robocalls Through Audio and Metadata Analysis

    Characterizing Robocalls Through Audio and Metadata Analysis

    Who’s Calling? Characterizing Robocalls through Audio and Metadata Analysis Sathvik Prasad, Elijah Bouma-Sims, Athishay Kiran Mylappan, and Bradley Reaves, North Carolina State University https://www.usenix.org/conference/usenixsecurity20/presentation/prasad This paper is included in the Proceedings of the 29th USENIX Security Symposium. August 12–14, 2020 978-1-939133-17-5 Open access to the Proceedings of the 29th USENIX Security Symposium is sponsored by USENIX. Who’s Calling? Characterizing Robocalls through Audio and Metadata Analysis Sathvik Prasad Elijah Bouma-Sims North Carolina State University North Carolina State University [email protected] [email protected] Athishay Kiran Mylappan Bradley Reaves North Carolina State University North Carolina State University [email protected] [email protected] Abstract Despite the clear importance of the problem, much of what Unsolicited calls are one of the most prominent security is known about the unsolicited calling epidemic is anecdotal issues facing individuals today. Despite wide-spread anec- in nature. Despite early work on the problem [6–10], the re- dotal discussion of the problem, many important questions search community still lacks techniques that enable rigorous remain unanswered. In this paper, we present the first large- analysis of the scope of the problem and the factors that drive scale, longitudinal analysis of unsolicited calls to a honeypot it. There are several challenges that we seek to overcome. of up to 66,606 lines over 11 months. From call metadata we First, we note that most measurements to date of unsolicited characterize the long-term trends of unsolicited calls, develop volumes, trends, and motivations (e.g., sales, scams, etc.) have the first techniques to measure voicemail spam, wangiri at- been based on reports from end users.
  • "Best Way to Stop Robocalls", and Pulls on Both My Own Experience in A

    "Best Way to Stop Robocalls", and Pulls on Both My Own Experience in A

    Dear FTC: The following is my submission on the "best way to stop robocalls", and pulls on both my own experience in anti-telemarketing-abuse and anti-spam activity and—more particularly—my personal experience in investigation of the "worst actors" and coordinating with the Kentucky Attorney-General's office to get some of the worse offenders shut down. A little bit of prelude/backstory is necessary to discuss my particular solution. Kentucky has had a particularly stringent do-not-call since the early 2000s even in comparison with the FTC's do-not-call regulations. Specifically, rather than being a mere civil offense, violation of telemarketing laws is a Class D felony in Kentucky (resulting from 1 to 5 years imprisonment). The majority of the issues that the Kentucky A/G (and myself, as a private actor) have had in stopping the worst offenders has been the following: • Much of the problem is both technical and regulatory--the major technical issue is that the majority of "bad actors" are now using SIP-based VoIP calling from "phish farms" overseas which may not even be located in a specific call center but may be "farmed out" to people's homes worldwide from a central location. (A good example of the latter is the "Telemarketing 1-2- 3/Total Home Systems" phish-farm located out of Guadalajara, Mexico which uses SIP-based "softphone" VoIP to conduct illegal telemarketing to Americans (and other countries) and which typically uses a client PC located in a worker's home to call from.) • Most illegal robocalling is conducted by "phish farms" which may or may not have a US actor at all, but whose primary operations do seem to be located overseas; sometimes US companies hire out, some are overseas, but usually there is some US presence if via the PBX used on the American end of a VoIP call center setup.