Computer scientists from University of California, San Diego (UCSD) have found striking differences between the infrastructure used to distribute unsolicited commercial emails—also known as spam—and the infrastructure used to host the online scams they advertise. This discovery should help reduce spam and close illegal online businesses and malware sites, they say.
While thousands of compromised computers may be used to relay spam to users, most scams are hosted on a single Web server, computer scientists from the UCSD Jacobs School of Engineering have found. Based on an analysis of more than 1 million spam messages, 94 percent of the scams advertised through embedded URLs were hosted on a single Web server, according to new peer-reviewed research presented in August 2007 at the USENIX Security 2007 conference.
Using new Internet monitoring approaches developed at UCSD, the scientists studied a spam feed for a week. They analyzed spam-advertised Web servers hosting scams that either offered merchandise or services, such as pharmaceuticals and mortgages, or maliciously defrauded users via phishing, spyware, or worse. The researchers traced the URLs to their host servers, probed them, and analyzed the advertised Web pages.
A given spam campaign may use thousands of mail relay agents to deliver its millions of messages, but only a single server to handle requests from recipients who respond, according to UCSD researchers. Taking down that one scam server, or the redirect server that points to it, can cut off the revenue of an entire spam campaign, they say.
Scam infrastructure vulnerable to blocking
In 2006, industry estimates suggested that spam comprised more than 80 percent of all email, with a volume of up to 85 billion messages per day. What drives spam is the various moneymaking schemes it advertises.
“The availability of scam infrastructure is critical to spam profitability,” says Geoff Voelker, a UCSD computer science professor involved with the study. “Our findings suggest scam infrastructure is vulnerable to common blocking techniques such as blacklisting.”
Such blocking techniques, which include Web or URL filtering, are available from unified threat management (UTM) solutions like the Check Point UTM-1 appliance.
‘Spamscatter’ and ‘image shingling’
Through the Collaborative Center for Internet Epidemiology and Defenses, UCSD researchers continue to measure and learn about the infrastructure that supports the black market for illegal online goods and services, as a basis for developing controls and defenses against it. The measurement approach used in this study is dubbed “spamscatter.”
“Spamscatter provides a mechanism for studying global Internet behavior from a single vantage point,” Voelker says.
The researchers recorded the server locations and captured screenshots of the spam destination Web pages, then grouped the screenshots of the scam sites using a technique called “image shingling.” This technique matches visually similar Web pages based on the image rendered in a browser rather than on HTML code, URLs, or text content. Thus, common techniques to evade text-based detection, such as composing Web sites entirely of images, are foiled.
“Image shingling breaks new ground in determining which servers are running the same scams,” says Chris Fleizach, co-author of the UCSD security paper and recent UCSD computer science masters graduate.
By clustering the Web pages that were visually similar and integrating this with other data collected from the spam feed, the scientists determined that about 94 percent of the scams advertised in spam messages with embedded URLs were hosted on only a single Web server.
Of the 6 percent of scams that were distributed across multiple servers, a few used more than 10 IP addresses—one scam used 45 servers.
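The following is an added example, not code from the UCSD paper or the Spamscatter project, that shows the two steps described above in miniature: image shingling of rendered screenshots (cut each screenshot into fixed-size tiles, hash each tile, and compare pages by the fraction of tiles they share), then clustering the screenshots into scams and counting how many distinct servers host each scam. The tile size (4 pixels), the 70 percent similarity cutoff, the SHA-256 tile hash, the greedy clustering, and the three 12x12 "screenshots" with their host IPs are all assumptions constructed for the example; the paper's actual parameters are not given on this page.

```python
import hashlib
from collections import Counter

SHINGLE = 4        # tile edge in pixels (assumed value for the example)
THRESHOLD = 0.7    # assumed cutoff: share >= 70% of tiles -> "same scam page"


def make_image(width, height, pixel):
    """Build a grayscale 'screenshot' as rows of 0-255 ints from a pixel
    function. Constructed stand-in for a browser-rendered screenshot."""
    return [[pixel(x, y) & 0xFF for x in range(width)] for y in range(height)]


def shingle_hashes(image, size=SHINGLE):
    """Cut the image into non-overlapping size x size tiles and hash each
    tile's raw pixel bytes. Returns a multiset of tile digests, so pages
    match on shared content regardless of where a tile sits on the page."""
    tiles = Counter()
    for y in range(0, len(image) - size + 1, size):
        for x in range(0, len(image[0]) - size + 1, size):
            raw = bytes(image[y + dy][x + dx] for dy in range(size) for dx in range(size))
            tiles[hashlib.sha256(raw).hexdigest()] += 1
    return tiles


def similarity(a, b):
    """Fraction of tiles two screenshots have in common (0.0 .. 1.0)."""
    shared = sum((a & b).values())
    return shared / max(sum(a.values()), sum(b.values()))


def cluster_screenshots(shots, threshold=THRESHOLD):
    """Greedy single-pass clustering: a screenshot joins the first cluster
    whose representative it resembles above the threshold, else starts a
    new one. shots: {name: image}. Returns a list of clusters of names."""
    clusters = []   # each entry: (representative tile hashes, [names])
    for name, image in shots.items():
        hashes = shingle_hashes(image)
        for rep, members in clusters:
            if similarity(rep, hashes) >= threshold:
                members.append(name)
                break
        else:
            clusters.append((hashes, [name]))
    return [members for _, members in clusters]


def single_server_fraction(clusters, host_of):
    """Share of scam clusters served from exactly one host, i.e. the
    single-server statistic. host_of maps screenshot name -> server IP."""
    single = sum(1 for members in clusters if len({host_of[m] for m in members}) == 1)
    return single / len(clusters)


# Constructed sample data: three 12x12 screenshots and the hosts they came from.
BASE = make_image(12, 12, lambda x, y: 7 * x + 13 * y)
VARIANT = [row[:] for row in BASE]
for y in range(4, 8):          # same page with one tile changed (a swapped
    for x in range(4, 8):      # price box, say): 8 of 9 tiles still match
        VARIANT[y][x] = 0
OTHER = make_image(12, 12, lambda x, y: 31 * x * y + 5)   # an unrelated page

SCREENSHOTS = {"shot-a": BASE, "shot-b": VARIANT, "shot-c": OTHER}
HOST_OF = {"shot-a": "198.51.100.7", "shot-b": "198.51.100.8", "shot-c": "203.0.113.9"}

if __name__ == "__main__":
    clusters = cluster_screenshots(SCREENSHOTS)
    print(clusters)                                   # [['shot-a', 'shot-b'], ['shot-c']]
    print(round(similarity(shingle_hashes(BASE), shingle_hashes(VARIANT)), 3))  # 0.889
    print(single_server_fraction(clusters, HOST_OF))  # 0.5: one scam on two hosts
```

Because tiles are hashed on raw pixels, the comparison ignores markup entirely: a page rebuilt as a single large image, or with its text shuffled into different HTML, still produces the same tiles wherever the rendered pixels match. The same property is the technique's main weakness, which a practitioner should keep in mind when reusing it: a scam page that slightly re-renders every tile (a different font, a one-pixel shift) shares no exact tile hashes, so real deployments would use a perceptual tile hash or allow small pixel tolerances rather than SHA-256 over raw bytes.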
“Scams might use multiple hosts for fault tolerance, for resilience in anticipation of administrative takedown or blacklisting, for geographic distribution, or even for load balancing,” the authors write, noting that most scammers are not currently taking this precaution.
Other UTM solutions