The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape

Authors

Gianluca Stringhini, Oliver Hohlfeld, Christopher Kruegel, Giovanni Vigna

Venue

Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIA CCS), June 2014

Abstract

A spammer needs three elements to run a spam operation: a list of victim email addresses, content to be sent, and a botnet to send it. Each of these three elements is critical for the success of the spam operation: a good email list should be composed of valid email addresses, good email content should both be convincing to the reader and evade anti-spam filters, and a good botnet should efficiently send spam. Given how critical these three elements are, figures specialized in one of these elements have emerged in the spam ecosystem. Email harvesters crawl the web and compile email lists, botmasters infect victim computers and maintain efficient botnets for spam dissemination, and spammers rent botnets and buy email lists to run spam campaigns. Previous research suggested that email harvesters and botmasters sell their services to spammers in a prosperous underground economy. No rigorous research has been performed, however, on understanding the relations between these three actors. This paper aims to shed some light on the relations between harvesters, botmasters, and spammers. By disseminating email addresses on the Internet, fingerprinting the botnets that contact these addresses, and looking at the content of these emails, we can infer the relations between the actors involved in the spam ecosystem. Our observations can be used by researchers to develop more effective anti-spam systems.

BibTeX

@inproceedings{Stringhini2014The_Harvester,
  title     = {{The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape}},
  author    = {Stringhini, Gianluca and Hohlfeld, Oliver and Kruegel, Christopher and Vigna, Giovanni},
  booktitle = {Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security},
  series    = {ASIA CCS},
  year      = {2014},
  address   = {New York, NY, USA},
  doi       = {10.1145/2590296.2590302},
  isbn      = {978-1-4503-2800-5},
  pages     = {353--364},
  publisher = {ACM},
  url       = {http://dx.doi.org/10.1145/2590296.2590302}
}