A Spam Trinity: Email Harvesters, Botmasters, Spammers

A profitable spam campaign has three key elements—a reliable email list, filter-busting content, and a botnet for distribution—and each has been individually dissected and understood. But in order to adequately protect users from spam, which thrives in an established economic ecosystem, researchers decided it was important to understand the relationships between email harvesters, botmasters and spammers.

A paper released this week, “The Harvester, the Botmaster, and the Spammer: On the Relations Between the Different Actors in the Spam Landscape,” connects the dots between the three and concludes that spammers are creatures of habit. Familiarity and trust are important to spammers, who buy email lists from the same harvester and buy or rent botnets for distribution from the same botmaster.

“This suggests that spammers establish some sort of customer loyalty with harvesters and botmasters, and that this relationship hardly breaks (in the absence of major events, such as botnet takedowns),” wrote researchers Gianluca Stringhini, Oliver Hohlfeld, Christopher Kruegel, and Giovanni Vigna of the Department of Computer Science at UC Santa Barbara and Aachen University in Germany.

The paper gives considerable guidance on how the data collected in the researchers’ series of experiments can be used to understand operational relationships between the actors and to improve detection rates.

“It first helps to estimate the magnitude of the spam problem and can reveal new trends. Second, it allows to identify bottlenecks and critical points in the spamming pipeline; these critical points can be used to develop mitigation techniques to fight such threats,” they wrote.

The researchers sought to answer questions such as: do spammers harvest email addresses themselves, or do they rely on harvesters? Do they rent multiple botnets to send spam, or just one? And how often are email addresses reused, and across how many campaigns?

The experiment involved building a spam trap by advertising a large number of email addresses created specifically for this research project. Each address was published on a web page and pointed to the researchers’ mail server. The team logged every access to those pages, which allowed them to fingerprint email harvesters. They also logged connections made to their mail server; since none of the email addresses were legitimate, they could safely assume that each connection was botnet-generated.

The next step was to apply a technique known as SMTP dialects to determine which botnet or server generated each connection, and then to analyze the content of the spam messages received by the project’s mail server and group them by campaign. By cross-referencing these datasets, the researchers said they could reach reliable conclusions about whether a spammer had rented multiple botnets and whether multiple spammers shared the same email list or botnet.
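The cross-referencing step above, as an added illustration that is not code from the paper or from Threatpost: each trap address is known to have been fetched by a specific harvester IP, and each delivery is labelled with the botnet its SMTP dialect matched, so joining the two logs on the address attributes spam to (harvester, botnet) pairs and gives each harvester’s share of addresses and of spam. All log entries, IPs and botnet labels below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample logs (not data from the paper). Each trap address was
# published on exactly one page, so the page fetch identifies the harvester.
HARVEST_LOG = [  # (harvester IP, trap address fetched)
    ("198.51.100.7", "trap-a@example.invalid"),
    ("198.51.100.7", "trap-b@example.invalid"),
    ("203.0.113.9", "trap-c@example.invalid"),
]
SMTP_LOG = [  # (sending IP, SMTP-dialect label, recipient trap address)
    ("192.0.2.10", "botnet-X", "trap-a@example.invalid"),
    ("192.0.2.11", "botnet-X", "trap-b@example.invalid"),
    ("192.0.2.12", "botnet-Y", "trap-c@example.invalid"),
    ("192.0.2.12", "botnet-Y", "trap-c@example.invalid"),
    ("192.0.2.13", "botnet-Y", "trap-z@example.invalid"),  # never harvested
]


def harvesters_by_address(harvest_log):
    """Map each trap address to the set of harvester IPs that fetched it."""
    owners = defaultdict(set)
    for harvester, address in harvest_log:
        owners[address].add(harvester)
    return owners


def link_harvesters_to_botnets(harvest_log, smtp_log):
    """Count spam per (harvester, botnet) pair. A trap address can only have
    reached a botnet through a list sold by one of its harvesters; deliveries
    to addresses nobody harvested are counted separately (guessed addresses)."""
    owners = harvesters_by_address(harvest_log)
    links = defaultdict(lambda: defaultdict(int))
    unattributed = 0
    for _sender_ip, botnet, address in smtp_log:
        if address not in owners:
            unattributed += 1
            continue
        for harvester in owners[address]:
            links[harvester][botnet] += 1
    return {h: dict(b) for h, b in links.items()}, unattributed


def harvester_shares(harvest_log, smtp_log):
    """Per harvester: (share of trap addresses, share of attributed spam)."""
    owners = harvesters_by_address(harvest_log)
    addr_count, spam_count = defaultdict(int), defaultdict(int)
    for address, harvesters in owners.items():
        for h in harvesters:
            addr_count[h] += 1
    attributed = [a for _, _, a in smtp_log if a in owners]
    for address in attributed:
        for h in owners[address]:
            spam_count[h] += 1
    return {h: (addr_count[h] / len(owners), spam_count[h] / len(attributed))
            for h in addr_count}
```

On the sample data this yields one harvester feeding botnet-X and another feeding botnet-Y, mirroring the paper’s finding that a few harvesters account for most of the addresses and most of the spam.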

“Our findings suggest that spammers typically rent a single botnet and that a fraction of them set up their own mail transfer agents (MTAs) to spread spam. Another interesting discovery is that spammers tend to stick with a single list of email addresses for long periods of time, even years,” they wrote.

The researchers’ spam trap recorded 75 unique harvester IP addresses, though only four of them harvested up to 70 percent of the email addresses, and those addresses received 74 percent of the total spam. The researchers concluded there were nine distinct email harvesters in their dataset, five of which used a single IP address while the others relied on a distributed infrastructure. The SMTP dialects, meanwhile, led them to conclude that three botnets—Cutwail, Lethic and Kelihos—targeted their servers, from varied geographic locations.

“Our observation suggests that the botnet users that sent spam to us purchased their bots in a small number of countries. Other instances (and customers) of the same botnet might show very different country distributions,” the paper said. “The fact that each spammer uses bots located in different countries is consistent with previous work, which showed that the physical location of a bot does not influence the overall spamming performance of the botnet.”

The paper points the way for researchers who aim to improve methods for detecting spambots in the wild or for fingerprinting the email engine used by a particular botnet.

“Since spammers seem to rely on a single botnet at a time, taking down the botnet that they are using can have significant effects on their business,” the paper said. “This observation makes techniques that identify command and control servers particularly important.”

Source: Threatpost.