Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains

Olivier Isaac van der Toorn, Roland M. van Rijswijk, Bart Geesink, Anna Sperotto

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    1 Citation (Scopus)
    7 Downloads (Pure)


    Snowshoe spam is a type of spam which is notoriously hard to detect. Differently from regular spam, snowshoe spammers distribute the volume among many hosts, in order to make detection harder. To be successful, however spammers need to appear as legitimate as possible, for example, by adopting email best practice like Sender Policy Framework (SPF). This requires spammers to register and configure legitimate DNS domains. Previous studies uses DNS data to detect spam. However, this often happens based on passive DNS data. In this paper we take a different approach. We make use of active DNS measurements, covering more than 60% of the namespace, in combination with machine learning to identify malicious domains crafted for snowshoe spam. Our results show that we are able to detect snowshoe spam domains with a precision of more than 93%. Also, we are able to detect a subset of the malicious domain 2?104 days earlier than the spam reputation systems (blacklists) currently in use, which suggest our method can give us a time advantage in the fight against spam. In a real-life scenario, we have shown that our results allow spam filter operators to block spam that would otherwise bypass their mail filter. A Realtime Blackhole List (RBL) based on our approach is currently deployed in the operational network of a major Dutch ISP.
    Original languageEnglish
    Title of host publicationNOMS2018
    Subtitle of host publicationthe IEEE/IFIP Network Operations and Management Symposium
    Number of pages8
    ISBN (Print)978-1-5386-3416-5
    Publication statusPublished - 24 Apr 2018
    Event16th IEEE/IFIP Network Operations and Management Symposium 2018: Cognitive Management in a Cyber World - Taipei, Taiwan, Province of China
    Duration: 23 Apr 201827 Apr 2018
    Conference number: 16


    Conference16th IEEE/IFIP Network Operations and Management Symposium 2018
    Abbreviated titleNOMS 2018
    CountryTaiwan, Province of China
    Internet address

    Fingerprint Dive into the research topics of 'Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains'. Together they form a unique fingerprint.

    Cite this