Download
1 / 5
50 likes | 179 Vues
This research by Anirudh Ramachandran and Nick Feamster at Georgia Tech explores spam collection techniques using BGP spectrum agility. Instrumenting two domains with MailAvenger since 2004, they collected over 3 million spam pieces. The study identifies how botnets coordinate low-bandwidth spam sending, correlating data with Bobax botnet victims. By analyzing client IP distances from MX records and monitoring BGP advertisements, they reveal patterns in spam behavior linked to short-lived prefixes. This work sheds light on the persistent methods used by spammers and their implications for network security.
E N D
Spamming withBGP Spectrum Agility Anirudh Ramachandran Nick Feamster Georgia Tech
Collection • Two domains instrumented with MailAvenger • Sinkhole domain #1 • Continuous spam collection since Aug 2004 • No real email addresses---sink everything • 3 million+ pieces of spam • Sinkhole domain #2 • Recently registered domain (Nov 2005) • “Clean control” – domain posted at a few places • Not much spam yet…perhaps we are being too conservative
Spamming Techniques • Mostly botnets, of course • We’re trying to quantify this • Coordination • Characteristics • How we’re doing this • Correlation with Bobax victims • from Georgia Tech botnet sinkhole • Heuristics • Distance of Client IP from MX record • Coordinated, low-bandwidth sending
BGP Spectrum Agility • Log IP addresses of SMTP relays • Join with BGP route advertisements seen at network where spam trap is co-located. A small club of persistent players appears to be using this technique. Common short-lived prefixes and ASes 65.0.0.0/8 23541 61.0.0.0/8 4678 82.0.0.0/8 8920
Length of short-lived BGP epochs 1 day ~ 10% of spam coming from short-lived BGP announcements Epoch length
