DOCSLIB.ORG

Everyone Hates Robocalls: a Survey of Techniques Against Telephone Spam

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Everyone Hates Robocalls: a Survey of Techniques Against Telephone Spam 2016 IEEE Symposium on Security and Privacy SoK: Everyone Hates Robocalls: A Survey of Techniques against Telephone Spam Huahong Tu, Adam Doupé, Ziming Zhao, and Gail-Joon Ahn Arizona State University {tu, doupe, zzhao30, gahn}@asu.edu Abstract—Telephone spam costs United States consumers productivity. A study in 2014 by Kimball et al. [5] found $8.6 billion annually. In 2014, the Federal Trade Commission that 75% of people listened to over 19 seconds of a robocall has received over 22 million complaints of illegal and wanted message and the vast majority of people, 97%, listen to calls. Telephone spammers today are leveraging recent techni- cal advances in the telephony ecosystem to distribute massive at least 6 seconds. Even when the recipient ignores or automated spam calls known as robocalls. Given that anti-spam declines the call, today spammers can send a prerecorded techniques and approaches are effective in the email domain, audio message directly into the recipient’s voicemail inbox. the question we address is: what are the effective defenses Deleting a junk voicemail wastes even more time, taking at against spam calls? least 6 steps to complete in a typical voicemail system. In this paper, we first describe the telephone spam ecosys- tem, specifically focusing on the differences between email Telephone spam are not only significant annoyances, and telephone spam. Then, we survey the existing telephone they also result in significant financial loss in the econ- spam solutions and, by analyzing the failings of the current omy, mostly due to scams and identity theft. According techniques, derive evaluation criteria that are critical to an to complaint data collected by the FTC, Americans lose acceptable solution. We believe that this work will help guide more than $8.6 billion due to fraud annually, and the vast the development of effective telephone spam defenses, as well as provide a framework to evaluate future defenses. majority of them (and still increasing) are due to phone communication [4]. This situation is surprising, given the significant gains made in reducing the amount of email I. INTRODUCTION spam. This raises the question: are there any simple and The national and global telephony system is a critical effective solutions that could stop telephone spam? The un- component of our modern infrastructure and economy. In fortunate answer is no. We found that this issue is not easily the United States (US), the mobile telephone subscribership solved, and, in fact, the simple and effective techniques penetration rate has already surpassed 100% [1]. According against email spam cannot be applied to telephone systems. to the U.S. Bureau of Labor Statistics, each day more than There are significant differences and unique challenges in the 240 million hours are spent on telephone calls in the United telephone ecosystem that require novel approaches. Many States, equating to more than 88 trillion hours each year [2]. existing solutions have failed to overcome these challenges However, with the pervasiveness of telephone service and, as a result, have yet to be widely implemented. subscribership, telephone spam has also become an increas- The objective of this paper is to survey the existing ingly prevalent issue in the US. Recent technical advances solutions in combating telephone spam and, by analyzing the in the telephony ecosystem are leveraged by spammers to failings of the current techniques, derive the requirements distribute massive automated spam calls, known as robo- that are critical to an acceptable solution. This work will calls. The Federal Trade Commission’s (FTC) National Do help guide the development of effective telephone spam Not Call Registry’s cumulative number of complaints of defenses, as well as provide a framework to help evaluate illegal calls in the US totaled more than 22 million in the techniques against telephone spam. 2014 [3], with about 200,000 complaints each month about robocalls alone [4]. Despite US laws prohibiting robocalling The main contributions of this paper are the following: and telephone spamming (with some exceptions), complaints • We describe the telephone spam ecosystem, focusing on illegal calls have reached record numbers year after on the players involved and the technical challenges year, which indicates that the laws have not deterred the that make telephone spam distinct from email spam. spammers. • We develop a taxonomy that classifies the existing anti- Spam calls are significant annoyances for telephone users. spam techniques into three categories, providing a high- Unlike email spam, which can be ignored, spam calls level view of the benefits and drawbacks of each type demand immediate attention. When a phone rings, a call of technique. recipient generally must decide whether to accept the call • We provide a systematization of assessment criteria and listen to the call. After realizing that the call contains for evaluating telephone spam countermeasures, and unwanted information and disconnects from the call, the we evaluate existing techniques using these assessment recipient has already lost time, money (phone bill), and criteria. 2375-1207/16© 2016, Huahong $31.00 Tu. ©Under 2016 license IEEE to IEEE. 320 DOI 10.1109/SP.2016.27 • We provide a discussion on what we believe to be the Long Distance Network Interexchange Carrier Termination Network future direction of solving the telephone spam problem. Termination Carrier Open Internet VoIP Carrier Trunk Line II. BACKGROUND While email spam is arguably the most well-known form Spammer of spam, telephone spam is now more popular than ever. Victims The Public Switched Telephone Network (PSTN) is an Possibly further anonymized behind VPNs and Possibly routing through more layers than aggregate of various interconnected telephone networks that Tor networks depicted adheres to the core standards created by the International Figure 1: Routing of a spam call. Telecommunication Union, allowing most telephones to intercommunicate. We define telephone spam as the mass distribution of unwanted content to modern telephones in the VoIP Interexchange Termination Victim Spammer PSTN, which includes voice spam that distributes unwanted Carrier Carrier Carrier voice content to answered phones, and voicemail spam that distributes unwanted voice content into the recipient’s Leads Seller voicemail inbox. Due to the much greater capacity of IP infrastructure Figure 2: The flow of money in the telephone spam ecosys- and the wide availability of IP-based equipment, telephony tem. service providers have shifted their network infrastructure to IP-based solutions, and the operation cost of the telephone network has dramatically decreased. While the core PSTN than email spam, particularly when spammers use techniques infrastructure has evolved to be almost entirely IP-based, such as caller ID spoofing. the core signaling protocols have not changed. The entire ecosystem still relies on the three-decade-old Signaling Sys- A. Key Players of Telephone Spam tem No. 7 (SS7) [6] suite of protocols, allowing any phone to To understand the telephone spam ecosystem, we will first reach any other phone through a worldwide interconnection identify and explain the roles of all players who take part in of switching centers. the routing of a telephone spam. Figure 1 show a graph- A very common way of disseminating telephone spam ical depiction of the routing process: The spammer con- is robocalling, which uses an autodialer that automatically nects through the Internet to an Internet Telephony Service dials and delivers a prerecorded message to a list of phone Provider, then the call is routed through an Interexchange numbers. An autodialer is a generic term for any com- Carrier, before finally being accepted by the Termination puter program or device that can automatically initiate calls Carrier, who then routes the call to the victim. to telephone recipients. Today, an autodialer is usually a Another way to understand the ecosystem is to show computer program with Voice over Internet Protocol (VoIP) how money flows through the system, which we display in connectivity to a high volume VoIP-to-PSTN carrier, that Figure 2: the money flows from the victim to the spammer, may include features such as voicemail and SMS delivery, and the spammer uses this money to obtain leads (new phone customizable caller ID, Call Progress Analysis, scheduled numbers to spam) and to pay for the spam calls, the Internet broadcast, text-to-speech, Interactive Voice Response, etc. Telephony Service Provider receives the money from the The high reachability of telephone numbers has led to spammer and pays the Interexchange Carrier, who then pays telephony being an attractive spam distribution channel. Al- the Termination Carrier. Next we examine each of these most every adult in the US can be reached with a telephone roles in turn. number, and the vast majority of telephone numbers are Spammer is the agent that carries out the spamming mobile telephone subscribers. Although VoIP usage has been operation. The spammer could be part of an organization, growing rapidly, we found that it is more of an add-on or an independent contractor that offers spamming-as-a- protocol (instead of a wholesale replacement) of existing service. The goal of the spammer is usually to extract mobile wireless and landline services. Using 2013 statistics, money from victims through sales and scams, or to launch there are about 335 million mobile telephone subscribers [1], a campaign of harassment. For cost efficiency, spam calls 136 million fixed-telephone subscribers [7], and 34 million are typically initiated using an autodialer connected to an VoIP subscribers [8] in the US (population 318 million). Internet Telephony Service Provider to reach the PSTN We believe the improved cost efficiency of telephone victims. Currently, spamming to VoIP victims are not as spamming, advancement of spam distribution technology, common, mainly due to the limited pool of potential victims, and high reachability of telephone numbers contributed to and some VoIP users, such as Skype, may not be reachable the recent surge in telephone spam.
Load more

Recommended publications
  • Show Me the Money: Characterizing Spam-Advertised Revenue
    Show Me the Money: Characterizing Spam-advertised Revenue Chris Kanich∗ Nicholas Weavery Damon McCoy∗ Tristan Halvorson∗ Christian Kreibichy Kirill Levchenko∗ Vern Paxsonyz Geoffrey M. Voelker∗ Stefan Savage∗ ∗ y Department of Computer Science and Engineering International Computer Science Institute University of California, San Diego Berkeley, CA z Computer Science Division University of California, Berkeley Abstract money at all [6]. This situation has the potential to distort Modern spam is ultimately driven by product sales: policy and investment decisions that are otherwise driven goods purchased by customers online. However, while by intuition rather than evidence. this model is easy to state in the abstract, our under- In this paper we make two contributions to improving standing of the concrete business environment—how this state of affairs using measurement-based methods to many orders, of what kind, from which customers, for estimate: how much—is poor at best. This situation is unsurpris- ing since such sellers typically operate under question- • Order volume. We describe a general technique— able legal footing, with “ground truth” data rarely avail- purchase pair—for estimating the number of orders able to the public. However, absent quantifiable empiri- received (and hence revenue) via on-line store order cal data, “guesstimates” operate unchecked and can dis- numbering. We use this approach to establish rough, tort both policy making and our choice of appropri- but well-founded, monthly order volume estimates ate interventions. In this paper, we describe two infer- for many of the leading “affiliate programs” selling ence techniques for peering inside the business opera- counterfeit pharmaceuticals and software. tions of spam-advertised enterprises: purchase pair and • Purchasing behavior.
    [Show full text]
  • Zambia and Spam
    ZAMNET COMMUNICATION SYSTEMS LTD (ZAMBIA) Spam – The Zambian Experience Submission to ITU WSIS Thematic meeting on countering Spam By: Annabel S Kangombe – Maseko June 2004 Table of Contents 1.0 Introduction 1 1.1 What is spam? 1 1.2 The nature of Spam 1 1.3 Statistics 2 2.0 Technical view 4 2.1 Main Sources of Spam 4 2.1.1 Harvesting 4 2.1.2 Dictionary Attacks 4 2.1.3 Open Relays 4 2.1.4 Email databases 4 2.1.5 Inadequacies in the SMTP protocol 4 2.2 Effects of Spam 5 2.3 The fight against spam 5 2.3.1 Blacklists 6 2.3.2 White lists 6 2.3.3 Dial‐up Lists (DUL) 6 2.3.4 Spam filtering programs 6 2.4 Challenges of fighting spam 7 3.0 Legal Framework 9 3.1 Laws against spam in Zambia 9 3.2 International Regulations or Laws 9 3.2.1 US State Laws 9 3.2.2 The USA’s CAN‐SPAM Act 10 4.0 The Way forward 11 4.1 A global effort 11 4.2 Collaboration between ISPs 11 4.3 Strengthening Anti‐spam regulation 11 4.4 User education 11 4.5 Source authentication 12 4.6 Rewriting the Internet Mail Exchange protocol 12 1.0 Introduction I get to the office in the morning, walk to my desk and switch on the computer. One of the first things I do after checking the status of the network devices is to check my email.
    [Show full text]
  • Email Phishing for IT Providers How Phishing Emails Have Changed and How to Protect Your IT Clients
    Email Phishing for IT Providers How phishing emails have changed and how to protect your IT clients 1 © 2016 Calyptix Security Corporation. All rights reserved. I [email protected] I (800) 650 – 8930 (800) 650-8930 I [email protected] Contents Introduction ............................................................................................ 2 Phishing overview .................................................................................. 3 Trends in phishing emails ...................................................................... 6 Email phishing tactics .......................................................................... 11 Steps for MSP & VARS .......................................................................... 24 Advice for your clients .......................................................................... 29 Sources .................................................................................................. 35 1 © 2016 Calyptix Security Corporation. All rights reserved. I [email protected] I (800) 650 – 8930 Introduction There are only so many ways to break into a bank. You can march through the door. You can climb through a window. You can tunnel through the floor. There is the service entrance, the employee entrance, and access on the roof. Criminals who want to rob a bank will probably use an open route – such as a side door. It’s easier than breaking down a wall. Criminals who want to break into your network face a similar challenge. They need to enter. They can look for a weakness in your
    [Show full text]
  • CUB Guide to Fighting Robocalls
    CitizensUtilityBoard.org 1-800-669-5556 Guide to Fighting Robocalls February 2021 The latest news on the robocall fi ght Robocalls are prerecorded messages from computer-generat- ed dialers, and Illinois is one of the nation’s hardest hit states. In early 2021, for example, the state received more than 153 million robocalls (about 57 per second) in the span of just one month. That ranked Illinois eighth in the country for these calls, according to the robocall-blocking fi rm YouMail. While there are helpful robocalls (alerting you to school closings or when a prescription is ready), YouMail estimates about 42 percent of the calls in Illinois were scams and another 22 percent were simply marketing pitches. Unwanted robocalls are annoying, and costly. The Federal Com- munications Commission (FCC) put the price tag at $3 billion a year just from lost time, not even counting any fraud. TechRe- One in 10 Americans public put the total annual loss for consumers at $9.5 billion. are scammed each year, While policymakers are fi nally starting to act against illegal robo- calls, don’t wait for federal law to catch up. Use the simple tips in resulting in an annual loss of this guide to protect yourself from unwanted calls. The law The Telephone Robocall Abuse Criminal Enforcement and $9.5 billion Deterrence (TRACED) Act became federal law in 2019. The act increases penalties and requires phone companies to validate Source: TechRepublic, calls before they reach you. This is to combat “spoofi ng,” October 2019 when a robocaller uses your area code and/or prefi x to ap- pear as if someone locally—maybe a friend or neighbor—is Note: In December 2020, the FCC ordered that organiza- trying to reach you.
    [Show full text]
  • Locating Spambots on the Internet
    BOTMAGNIFIER: Locating Spambots on the Internet Gianluca Stringhinix, Thorsten Holzz, Brett Stone-Grossx, Christopher Kruegelx, and Giovanni Vignax xUniversity of California, Santa Barbara z Ruhr-University Bochum fgianluca,bstone,chris,[email protected] [email protected] Abstract the world-wide email traffic [20], and a lucrative busi- Unsolicited bulk email (spam) is used by cyber- ness has emerged around them [12]. The content of spam criminals to lure users into scams and to spread mal- emails lures users into scams, promises to sell cheap ware infections. Most of these unwanted messages are goods and pharmaceutical products, and spreads mali- sent by spam botnets, which are networks of compro- cious software by distributing links to websites that per- mised machines under the control of a single (malicious) form drive-by download attacks [24]. entity. Often, these botnets are rented out to particular Recent studies indicate that, nowadays, about 85% of groups to carry out spam campaigns, in which similar the overall spam traffic on the Internet is sent with the mail messages are sent to a large group of Internet users help of spamming botnets [20,36]. Botnets are networks in a short amount of time. Tracking the bot-infected hosts of compromised machines under the direction of a sin- that participate in spam campaigns, and attributing these gle entity, the so-called botmaster. While different bot- hosts to spam botnets that are active on the Internet, are nets serve different, nefarious goals, one important pur- challenging but important tasks. In particular, this infor- pose of botnets is the distribution of spam emails.
    [Show full text]
  • The History of Spam Timeline of Events and Notable Occurrences in the Advance of Spam
    The History of Spam Timeline of events and notable occurrences in the advance of spam July 2014 The History of Spam The growth of unsolicited e-mail imposes increasing costs on networks and causes considerable aggravation on the part of e-mail recipients. The history of spam is one that is closely tied to the history and evolution of the Internet itself. 1971 RFC 733: Mail Specifications 1978 First email spam was sent out to users of ARPANET – it was an ad for a presentation by Digital Equipment Corporation (DEC) 1984 Domain Name System (DNS) introduced 1986 Eric Thomas develops first commercial mailing list program called LISTSERV 1988 First know email Chain letter sent 1988 “Spamming” starts as prank by participants in multi-user dungeon games by MUDers (Multi User Dungeon) to fill rivals accounts with unwanted electronic junk mail. 1990 ARPANET terminates 1993 First use of the term spam was for a post from USENET by Richard Depew to news.admin.policy, which was the result of a bug in a software program that caused 200 messages to go out to the news group. The term “spam” itself was thought to have come from the spam skit by Monty Python's Flying Circus. In the sketch, a restaurant serves all its food with lots of spam, and the waitress repeats the word several times in describing how much spam is in the items. When she does this, a group of Vikings in the corner start a song: "Spam, spam, spam, spam, spam, spam, spam, spam, lovely spam! Wonderful spam!" Until told to shut up.
    [Show full text]
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]
  • Characterizing Robocalls Through Audio and Metadata Analysis
    Who’s Calling? Characterizing Robocalls through Audio and Metadata Analysis Sathvik Prasad, Elijah Bouma-Sims, Athishay Kiran Mylappan, and Bradley Reaves, North Carolina State University https://www.usenix.org/conference/usenixsecurity20/presentation/prasad This paper is included in the Proceedings of the 29th USENIX Security Symposium. August 12–14, 2020 978-1-939133-17-5 Open access to the Proceedings of the 29th USENIX Security Symposium is sponsored by USENIX. Who’s Calling? Characterizing Robocalls through Audio and Metadata Analysis Sathvik Prasad Elijah Bouma-Sims North Carolina State University North Carolina State University [email protected] [email protected] Athishay Kiran Mylappan Bradley Reaves North Carolina State University North Carolina State University [email protected] [email protected] Abstract Despite the clear importance of the problem, much of what Unsolicited calls are one of the most prominent security is known about the unsolicited calling epidemic is anecdotal issues facing individuals today. Despite wide-spread anec- in nature. Despite early work on the problem [6–10], the re- dotal discussion of the problem, many important questions search community still lacks techniques that enable rigorous remain unanswered. In this paper, we present the first large- analysis of the scope of the problem and the factors that drive scale, longitudinal analysis of unsolicited calls to a honeypot it. There are several challenges that we seek to overcome. of up to 66,606 lines over 11 months. From call metadata we First, we note that most measurements to date of unsolicited characterize the long-term trends of unsolicited calls, develop volumes, trends, and motivations (e.g., sales, scams, etc.) have the first techniques to measure voicemail spam, wangiri at- been based on reports from end users.
    [Show full text]
  • The History of Digital Spam
    The History of Digital Spam Emilio Ferrara University of Southern California Information Sciences Institute Marina Del Rey, CA [email protected] ACM Reference Format: This broad definition will allow me to track, in an inclusive Emilio Ferrara. 2019. The History of Digital Spam. In Communications of manner, the evolution of digital spam across its most popular appli- the ACM, August 2019, Vol. 62 No. 8, Pages 82-91. ACM, New York, NY, USA, cations, starting from spam emails to modern-days spam. For each 9 pages. https://doi.org/10.1145/3299768 highlighted application domain, I will dive deep to understand the nuances of different digital spam strategies, including their intents Spam!: that’s what Lorrie Faith Cranor and Brian LaMacchia ex- and catalysts and, from a technical standpoint, how they are carried claimed in the title of a popular call-to-action article that appeared out and how they can be detected. twenty years ago on Communications of the ACM [10]. And yet, Wikipedia provides an extensive list of domains of application: despite the tremendous efforts of the research community over the last two decades to mitigate this problem, the sense of urgency ``While the most widely recognized form of spam is email spam, the term is applied to similar abuses in other media: instant remains unchanged, as emerging technologies have brought new messaging spam, Usenet newsgroup spam, Web search engine spam, dangerous forms of digital spam under the spotlight. Furthermore, spam in blogs, wiki spam, online classified ads spam, mobile when spam is carried out with the intent to deceive or influence phone messaging spam, Internet forum spam, junk fax at scale, it can alter the very fabric of society and our behavior.
    [Show full text]
  • Best Practices
    Northampton Public Schools Cybersecurity Information Best Practices: ● Use a Secure Password A secure password is one that is a minimum of 8-12 characters, and includes a mix of different characters, lower and uppercase, and includes a few numbers and symbols. ● Don’t use your Work or School email account for personal sites Limiting interconnected accounts reduces risks in event of a cyberattack. It is also important to keep in mind that if you ever leave the district, your email account will be suspended, this could restrict access to linked accounts. ● Never enter a password or payment information into a site unless you’re sure it’s legitimate. You will never have to use personal payment information at work, but for personal accounts, minimize the amount of times you save payment information. ● Don’t brush off security warnings Most sites will send you an email if they see a suspicious or new login attempt. If you see a successful login you don’t recognize, or multiple failed attempts, be sure to change your password. ● Don’t share passwords Limiting the number of places you’re logged in will help protect you against threats, be sure to log out and never share your passwords with others. If you suspect someone has your login information, change your password right away. ● Don’t open documents or links from an unknown sender You can learn more about email spam and phishing below. If you have any doubts or questions, contact your IT Department Spam Mail and Internet Phishing: What is Spam Mail? Email spam is unsolicited messages sent in bulk by email.
    [Show full text]
  • Permanent Email • Spam and Spoofing
    CU eComm Program Permanent Email • Spam and Spoofing We get a lot of inquiries regarding SPAM. As a result, we have compiled a list of the most frequently asked questions with explanations for each. See below. I hope you find this information helpful. SPAM FAQ Is the alumni association sending me spam? No. Neither the alumni association nor Harris Internet Services, who host the Alumni Connections servers that maintain the email forwarding service, are the source of the spam. We respect your privacy and do not sell, or otherwise distribute, alumni email addresses; nor have they been stolen. How did the spammers get my address? Unfortunately, there are many ways that spammers obtain email addresses: addresses compiled by commercial entities from web commerce; web crawlers searching for specific domain names (such as @alumni.anyschool.edu) on any web site where contact information might be listed; and a practice sometimes called "blind spamming" or "dictionary spamming" in which spammers simply guess at the username before the @ sign and send literally thousands of messages. This is why you may see a message addressed to "albert@, allen@, andrew@ ...," etc. The spammers run what is basically a dictionary of usernames against a domain • those that don't immediately bounce are kept and reused. This can give the false impression that the spammer has access to the list of user accounts. Viruses can also generate unwanted email and harvest addresses for spammers. Even if your computer is not infected, if someone else has your address in their address book and their computer becomes infected, viruses will often send multiple messages to everyone in the address book.
    [Show full text]
  • BOTMAGNIFIER: Locating Spambots on the Internet
    BOTMAGNIFIER: Locating Spambots on the Internet Gianluca Stringhini§, Thorsten Holz‡, Brett Stone-Gross§, Christopher Kruegel§, and Giovanni Vigna§ §University of California, Santa Barbara ‡ Ruhr-University Bochum {gianluca,bstone,chris,vigna}@cs.ucsb.edu [email protected] Abstract the world-wide email traffic [20], and a lucrative busi- Unsolicited bulk email (spam) is used by cyber- ness has emerged around them [12]. The content of spam criminals to lure users into scams and to spread mal- emails lures users into scams, promises to sell cheap ware infections. Most of these unwanted messages are goods and pharmaceutical products, and spreads mali- sent by spam botnets, which are networks of compro- cious software by distributing links to websites that per- mised machines under the control of a single (malicious) form drive-by download attacks [24]. entity. Often, these botnets are rented out to particular Recent studies indicate that, nowadays, about 85% of groups to carry out spam campaigns, in which similar the overall spam traffic on the Internet is sent with the mail messages are sent to a large group of Internet users help of spamming botnets [20,36]. Botnets are networks in a short amount of time. Tracking the bot-infected hosts of compromised machines under the direction of a sin- that participate in spam campaigns, and attributing these gle entity, the so-called botmaster. While different bot- hosts to spam botnets that are active on the Internet, are nets serve different, nefarious goals, one important pur- challenging but important tasks. In particular, this infor- pose of botnets is the distribution of spam emails.
    [Show full text]