August 14, 2007
Spam and Scams: It's All the Same
Is there a difference between the infrastructure used to distribute spam and that used to host the online scams advertised in them? "Yes," say Geoff Voelker and Stefan Savage, computer science professors at the University of California, San Diego. Most scams are hosted by individual Web servers.
Using an Internet monitoring technique called spamscatter, Voelker and Savage studied more than 1 million spam emails over the course of a week, examining spam-advertised Web servers hosting online scams that either offer merchandise and services or use malicious means to defraud users (phishing, spyware, rootkits). They followed the URLs embedded in spam back to the hosting servers, probed the servers, and analyzed the Web pages advertised in the spam. They were able to identify scams across servers and domains and reported on distributed and shared infrastructure, lifetime, stability, and location. By clustering the Web pages that were visually equivalent and integrating this information with the other data collected from the spam feed, they determined that about 94 percent of the scams advertised in spam emails with embedded URLs were hosted on only a single Web server. Of the 6 percent of scams that were distributed across multiple servers, a few used more than 10 IP addresses, and one scam used 45 servers.
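The pipeline described above, as an added miniature that is not the authors' code: follow embedded URLs to their hosts, cluster equivalent pages into scams, then count how many distinct servers each scam sits on. Everything here is constructed and offline: the host table stands in for DNS resolution and page fetching, and a hash of normalised page text stands in for the paper's visual-similarity clustering.

```python
# Added example, not the authors' code: a miniature spamscatter-style
# analysis on constructed data. The real study resolved hosts and fetched
# pages over the network and clustered pages by visual similarity; here a
# constructed host table and a text hash stand in for both steps.
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed spam bodies (placeholder domains, not real scam URLs).
SPAM = [
    "Cheap meds! http://pharma-a.example/buy",
    "Cheap meds!! http://pharma-b.example/buy?x=1",
    "Rolex deals http://watch-one.example/ visit now",
    "Rolex deals http://watch-two.example/sale",
    "Rolex deals http://watch-three.example/",
]
# Constructed host table: hostname -> (resolved IP, page served).
HOSTS = {
    "pharma-a.example": ("192.0.2.10", "<html> Buy Pills  Now </html>"),
    "pharma-b.example": ("192.0.2.10", "<html>buy pills now</html>"),
    "watch-one.example": ("192.0.2.30", "<html>Replica watches</html>"),
    "watch-two.example": ("192.0.2.31", "<html>REPLICA WATCHES</html>"),
    "watch-three.example": ("192.0.2.30", "<html>replica   watches</html>"),
}

def extract_hosts(messages):
    """Follow each embedded URL back to its hostname."""
    return {urlparse(u).hostname for m in messages for u in URL_RE.findall(m)}

def page_fingerprint(html):
    """Stand-in for visual clustering: hash of tag-stripped, normalised text."""
    text = " ".join(re.sub(r"<[^>]+>", " ", html).lower().split())
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def cluster_scams(messages, hosts=HOSTS):
    """Group hosts serving equivalent pages into one scam; return scam -> IPs."""
    scams = defaultdict(set)
    for host in extract_hosts(messages):
        ip, html = hosts[host]
        scams[page_fingerprint(html)].add(ip)  # many domains, one scam
    return scams

def hosting_summary(messages):
    """How many scams sit on a single server vs. several (the 94% / 6% split)."""
    sizes = [len(ips) for ips in cluster_scams(messages).values()]
    return {"scams": len(sizes), "single_server": sizes.count(1),
            "distributed": sum(1 for n in sizes if n > 1), "max_servers": max(sizes)}
```

Note that two domains on one IP count as one server, while one scam spread over two IPs counts as distributed; that is the per-scam server count the study reports.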
"A given spam campaign may use thousands of mail relay agents to deliver its millions of messages, but only use a single server to handle requests from recipients who respond. A single takedown of a scam server or a spammer redirect can curtail the earning potential of an entire spam campaign," they say in Spamscatter: Characterizing Internet Scam Hosting Infrastructure, co-authored by Geoff Voelker, Stefan Savage, David Anderson, and Chris Fleizach.
-- Jonathan Erickson
Posted by Jon Erickson at 10:58 AM