Spammers operations: a multifaceted strategic analysis

Thonnard, Olivier; Vervier, Pierre-Antoine; Dacier, Marc
Security and Communication Networks, October 2012

There is a consensus in the anti-spam community regarding the prevalence of spam botnets and the significant role they play in the worldwide spam problem. Nevertheless, far less attention has been devoted to studying the strategic behavior of spammers on a long-term basis. This paper explores several facets of spammers' operations by providing three essential perspectives: (i) we study the inter-relationships among spam botnets through their aggregate spam campaigns, and we focus on identifying similarities or differences in their modus operandi; (ii) we look at the impact of the Rustock takedown on the botnet ecosystem; and (iii) we study the conjecture about spammers hijacking unused IP space to send spam in a stealthy way. To that end, we have analyzed over one million spam records collected by (formerly MessageLabs) through worldwide distributed spamtraps. Our methodology leverages techniques relying on data fusion and multi-criteria decision analysis to extract intelligence from large spam data sets by automatically correlating spam campaigns according to various combinations of spam features. We also take advantage of node-link visualizations developed in the context of VIS-SENSE, a research project aiming at developing Visual Analytics technologies for the security domain. Using these visualizations, we illustrate the tight relationships that exist among different botnet families (such as Rustock/Grum or Lethic/Maazben). Regarding the disruption of Rustock on 17 March 2011, our experimental results provide substantial evidence indicating that part of the botnet activity may have been offloaded to Grum shortly after the takedown operation. Finally, we analyzed over 1 year of spam data enriched with Border Gateway Protocol data and found that an increasing amount of spam may have been sent from IP blocks hijacked for several weeks or months, even though this phenomenon remains marginal at this time compared with spam sent from large botnets.
Copyright (C) 2012 John Wiley & Sons, Ltd.

Digital security
Eurecom Ref:
© Wiley. Personal use of this material is permitted. The definitive version of this paper was published in Security and Communication Networks, October 2012 and is available at: