UC Santa Barbara*RWTH Aachen

The Harvester, the Botmaster, and the Spammer:

On the Relations Between the Different Actors in the Spam Landscape

Gianluca Stringhini, Oliver Hohlfeld*, Christopher Kruegel, and Giovanni Vigna

University of California, Santa Barbara

*RWTH Aachen

The Harvester, the Botmaster, and the Spammer 2

Spammer

Setting Up a Spam Operation

Harvester

Botmaster

What are the relations between the different actors in a spam operation?

The Harvester, the Botmaster, and the Spammer 4

Fingerprinting the Actors

HarvestersDisseminate email addresses on the web

SpammersFingerprint spam campaigns

BotnetsEach botnet implements SMTP differently [USENIX2012]

The Harvester, the Botmaster, and the Spammer 5

Fingerprinting the Entire Operation

The Harvester, the Botmaster, and the Spammer 6

Fingerprinting Email Harvesters

Server-side dynamic script to generate unique addressesWebsites of various type [IMC2012]

Various ways of embedding email addressesPlaintext, mailto links, obfuscated JavaScript

We recorded IP address and user agent of visitors

The Harvester, the Botmaster, and the Spammer 7

Fingerprinting BotnetsSMTP Dialects [USENIX2012]We can uniquely identify an email-sending program by looking at the sequence of SMTP messages

HELO domain

RSET

MAIL FROM:<email-addr>

RCPT TO:<email-addr>

DATA

250 server

250 OK

250 OK

250 OK

Learning dialects spoken by botnetsMalware samples submitted to Anubis• 18,849 malware samples sent an email• 72 unique dialects• Virustotal labels to name samples

Learning dialects spoken by legitimate clientsVirtual machines running 5 popular MTAs

The Harvester, the Botmaster, and the Spammer 8

Fingerprinting Spammers

We assume that a single spammer is responsible for each spam campaign

We cluster emails into campaigns by:• Subject line• URL domain•Mailer• Sender email address

Analysis of the Collected Data

The Harvester, the Botmaster, and the Spammer 10

Analysis of the Harvesters

9 different harvesters613 email addresses were harvestedA single harvester harvested 415 addresses

Distributed harvester composed of 56 IP addresses

Turnaround time between 5 days and almost two years

The Harvester, the Botmaster, and the Spammer 11

Analysis of the SMTP Dialects2,024 emails received sent by 7 different dialects

3 large botnets (Cutwail, Lethic, Kelihos)

2 MTAs (Postfix and Sendmail)

The Harvester, the Botmaster, and the Spammer 12

Country Distribution - Lethic

The Harvester, the Botmaster, and the Spammer 13

Country Distribution - Cutwail

The Harvester, the Botmaster, and the Spammer 14

Country Distribution - MTAs

The Harvester, the Botmaster, and the Spammer 15

Analysis of the Spam CampaignsCampaign Number of Emails Topic

1 64 Counterfeit goods

2 180 Online dating

3 8 Financial scam

4 533 SEO

5 7 Email marketing

6 6 Phishing scam

7 30 Phishing scam

8 5 Phishing scam

The Harvester, the Botmaster, and the Spammer 16

Tracking Spammers Over Time

Each campaign is carried out by a different spammer

Spammers could run two campaigns simultaneouslyWe identify spammers by botnet + email list

The Harvester, the Botmaster, and the Spammer 17

Studying the Relationships Between the Actors

Each botnet was rented by a single spammerMultiple spammers used the same type of MTA

4 email lists were used by multiple spammers → purchasedSpammers keep using the same email list

Spammers using MTAs are more likely to harvest their email addresses

The Harvester, the Botmaster, and the Spammer 18

Conclusions & Lessons LearnedWe presented the first end-to-end analysis of the spam delivery ecosystem

Our results show that spammers use the same botnet and the same email list for a long timeThis can be leveraged for spam mitigation

Our methodology could be used by other researchers to perform larger-scale studies

UC Santa Barbara*RWTH Aachen

Questions?

gianluca@cs.ucsb.edu

@gianlucasb