Correlating Spam Activity with IP Address Characteristics
Chris Wilcox, Christos Papadopoulos, and John Heidemann
USC/Information Sciences Institute
Abstract
It is well known that spam bots mostly utilize compromised machines with certain address characteristics, such as dynamically allocated addresses, machines in specific geographic areas, and IP ranges from ASes with more tolerant spam policies. Such machines tend to be less diligently administered and may exhibit less stability, more volatility, and shorter uptimes. However, few studies have attempted to quantify how such spam bot address characteristics compare with those of non-spamming hosts. Quantifying these characteristics may provide important information for comprehensive spam mitigation. We use two large datasets, namely a commercial blacklist and an Internet-wide address visibility study, to quantify address characteristics of spam and non-spam networks. We find that spam networks exhibit significantly less availability and uptime, and higher volatility, than non-spam networks. In addition, we conduct a collateral damage study of a common practice in which an ISP blocks an entire /24 prefix if spammers are detected in that range. We find that such a policy blacklists a significant portion of legitimate mail servers belonging to the same prefix.

Availability
This paper is available in several formats: abstract web page with pointers and cites, PDF, paper copies can be obtained by mail to the authors. Copyright terms for this paper appear below.
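The collateral damage study described in the abstract asks how many legitimate mail servers share a /24 with at least one spam source and would therefore be blocked by a prefix-wide policy. The following script is an added illustration of that measurement, not code from the paper or its authors: it takes a list of spam source addresses and a list of legitimate mail server addresses (both constructed sample data, using documentation and private ranges rather than real hosts), derives the set of blocked /24 prefixes, and reports which legitimate servers fall inside them. It also generalizes beyond the paper's /24 case by evaluating the same data at several prefix lengths, so the trade-off between coarse and fine-grained blocking is visible.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the paper): addresses observed sending spam.
SPAM_SOURCES = [
    "198.51.100.17",
    "198.51.100.203",
    "203.0.113.9",
    "192.0.2.77",
]

# Constructed sample data (not from the paper): legitimate mail servers,
# keyed by address, with a hypothetical hostname for readability.
LEGIT_MAIL_SERVERS = {
    "198.51.100.25": "mx1.example.org",
    "198.51.100.140": "mx2.example.org",
    "203.0.113.250": "mail.example.net",
    "192.0.2.10": "smtp.example.com",
    "10.20.30.25": "mail.internal.example",  # shares no prefix with any spam source
}


def blocked_prefixes(spam_ips, prefixlen=24):
    """Return the set of /prefixlen networks that contain at least one spam source.

    This models the ISP policy from the abstract: one spammer in a range
    causes the whole range to be blacklisted.
    """
    return {
        ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in spam_ips
    }


def collateral_damage(spam_ips, legit_servers, prefixlen=24):
    """Map each blocked prefix to the legitimate server addresses it would block.

    Prefixes with no legitimate servers inside them are omitted, so the
    result describes only the collateral damage, not the whole blocklist.
    """
    blocked = blocked_prefixes(spam_ips, prefixlen)
    hits = defaultdict(list)
    for ip in legit_servers:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        if net in blocked:
            hits[net].append(ip)
    return dict(hits)


def collateral_fraction(spam_ips, legit_servers, prefixlen=24):
    """Fraction of legitimate mail servers blocked by the prefix policy."""
    if not legit_servers:
        return 0.0
    hits = collateral_damage(spam_ips, legit_servers, prefixlen)
    blocked_count = sum(len(addrs) for addrs in hits.values())
    return blocked_count / len(legit_servers)


def compare_policies(spam_ips, legit_servers, prefixlens=(32, 28, 24)):
    """Evaluate the same data at several prefix lengths.

    /32 blocks only the exact spamming hosts; shorter prefixes block more
    of the surrounding address space and so catch more legitimate servers.
    """
    return {
        plen: collateral_fraction(spam_ips, legit_servers, plen) for plen in prefixlens
    }


if __name__ == "__main__":
    for net, addrs in sorted(collateral_damage(SPAM_SOURCES, LEGIT_MAIL_SERVERS).items()):
        names = ", ".join(f"{a} ({LEGIT_MAIL_SERVERS[a]})" for a in addrs)
        print(f"blocked {net}: collateral {names}")
    for plen, frac in compare_policies(SPAM_SOURCES, LEGIT_MAIL_SERVERS).items():
        print(f"/{plen} policy blocks {frac:.0%} of legitimate mail servers")
```

On the constructed data the /24 policy blocks four of the five legitimate servers while an exact-host (/32) policy blocks none; in a real deployment the inputs would be a blacklist feed and a list of known mail servers (for example MX records or observed port 25 listeners) for the address space under study, and the same functions apply unchanged.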
Reference
- Wilcox10a
- Chris Wilcox, Christos Papadopoulos, and John Heidemann. Correlating Spam Activity with IP Address Characteristics. In Proceedings of the IEEE Global Internet Symposium, p. to appear. San Diego, California, USA, IEEE. March, 2010. <http://www.isi.edu/~johnh/PAPERS/Wilcox10a.html>.
@inproceedings{Wilcox10a,
author = "Chris Wilcox and Christos Papadopoulos and John Heidemann",
title = "Correlating Spam Activity with {IP} Address Characteristics",
booktitle = "Proceedings of the {IEEE} Global Internet Symposium",
year = "2010",
pages = "to appear",
address = "San Diego, California, USA",
month = "March",
publisher = "{IEEE}",
url = "http://www.isi.edu/~johnh/PAPERS/Wilcox10a.html",
pdfurl = "http://www.isi.edu/~johnh/PAPERS/Wilcox10a.pdf",
myorganization = "USC/Information Sciences Institute",
keywords = "spam, IP address analysis, correlation,
collateral damage",
copyrightholder = "{IEEE}",
}