Spam Bots Research Articles

Identifying IP Blocks with Spamming Bots by Spatial Distribution

In this letter, we develop a behavioral metric with which spamming botnets can be quickly identified with respect to their residing IP blocks. Our method aims at line-speed operation without deep inspection, so only TCP/IP header fields of the passing packets are examined. However, the proposed metric yields a high-quality receiver operating characteristics (ROC), with high detection rates and low false positive rates.

DNS Based Spam Bots Detection in a University

DNS Based Spam Bots Detection in a University

DNS based Security Incidents Detection in Campus Network

The DNS query traffic from the inside and the outside of the campus network in a university was statistically investigated through January 1st, to July 31st, 2007. The following interesting results are obtained, as follows: (1) The unique source IP address-based entropy value is usually less than the unique DNS query keyword based one in the DNS query traffic from the campus network, however, the unique source IP address-based entropy value is greater than the unique DNS query keyword based one in the DNS query traffic from the outside of the campus network. (2) Two types of entropy changes were found in the unique source IP addresses- and the unique DNS resolution query keywords. In the both entropies, one is a parallel change, and another one is a symmetrical one. Although the latter change type can be conventionally observed in 2006, the former change type can recently observed in 2007. Therefore, it can be concluded that the recent spam bots send a lot of spam E-mails to the next victim PCs via the local vulnerable E-mail servers.

A DNS-based countermeasure technology for bot worm-infected PC terminals in the campus network

The DNS query traffic in a campus top domain DNS server were statistically investigated in order to find out the security incidents, especially bot worm (BW)-infected PCs on the campus network. The interesting results are obtained: (1) The total traffic of the DNS query access from the outside of the campus network frequently correlates with that of the number of their unique source IP addresses. (2) The unique source IP address-based entropy (randomness) also frequently correlates well with the query contents-based one. Therefore, these results indicate that we can detect suspicious IP hosts, especially, spam bots in the campus network by only watching DNS query traffic from the outside of the university.

The threat to identity from new and unknown malware

Malicious code in the form of computer viruses, worms, trojans and spam bots represents a most dangerous and costly threat to fully interconnected networked information systems. Infected Web pages can seriously compromise client machines and networks. Infected electronic messages, commonly sent in the form of e-mail viruses, may not only damage individual machines but may also cause serious denial of service damage by flooding networks. Socially engineered messages in the form of phishing attacks can cause a general lack of confidence in electronic commerce. Conventional approaches to these problems focus on identifying legitimate messages, which is not always an easy or obvious task. Validating the identity of an electronic communication is a fundamental problem in the modern wired world. The aim of this paper is to highlight the problem of authenticating the identity of electronic communications and to demonstrate an extra layer of protection with respect to e-mail systems, whereby attacks based upon the falsification of identity can be detected and eliminated with minimum impact on the system.