Abstract
Snowshoe spam is a type of spam that is notoriously hard to detect. Anti-abuse vendors estimate that 15% of spam can be classified as snowshoe spam. Unlike regular spam, snowshoe spammers spread the sending of spam over many hosts in order to evade detection by spam reputation systems (blacklists). To be successful, spammers need to appear as legitimate as possible, for example by adopting email best practices such as the Sender Policy Framework (SPF). This requires spammers to register and configure legitimate DNS domains. Many previous studies have relied on DNS data to detect spam; however, they have typically used passive DNS data, which limits detection to domains that have actually been used and have been observed by passive DNS sensors. To overcome this limitation, we take a different approach: we use active DNS measurements, covering more than 60% of the global DNS namespace, in combination with machine learning to identify malicious domains crafted for snowshoe spam. Our results show that we are able to detect snowshoe spam domains with a precision of over 93%. More importantly, we detect a significant fraction of the malicious domains up to 100 days earlier than existing blacklists, which suggests our method can give a time advantage in the fight against spam. In addition to comparing the efficacy of our approach against existing blacklists, we validated it over a 3-month period in an actual mail filter system at a major Dutch network operator. Not only did this demonstrate that our approach works in practice; based on the results obtained, the operator has decided to deploy our method in production.
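The abstract's observation that snowshoe senders register real domains and publish SPF so their mail looks legitimate is exactly the kind of signal an active DNS crawl can observe without waiting for the domain to be seen in traffic. The Python below is an added illustration written for this page, not code from the paper or its authors: it parses SPF TXT records from a constructed, in-memory snapshot standing in for active DNS answers, follows include: and redirect= references, and derives structural features (authorized IPv4 address count, number of DNS-querying terms, the qualifier on the all mechanism). The domain names, records, feature set and the threshold rule at the end are all assumptions chosen for illustration; the paper's own features and machine-learning model are not described on this page.

```python
import ipaddress
from typing import Dict, List, Optional, Set

# Constructed in-memory stand-in for an active DNS measurement: domain -> TXT strings.
# These names and records are made up for this example (RFC 5737 / RFC 3849 ranges);
# they are not data from the paper.
SNAPSHOT: Dict[str, List[str]] = {
    "example-shop.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "_spf.mailhost.test": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/64 -all"],
    "promo-deals-01.test": [
        "v=spf1 ip4:198.51.100.0/22 ip4:203.0.113.0/22 include:_spf.mailhost.test ~all"
    ],
    "noreply-bulk.test": ["v=spf1 +all"],
    "no-spf.test": ["some unrelated txt record"],
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying terms per evaluation


def spf_record(snapshot: Dict[str, List[str]], name: str) -> Optional[str]:
    """Return the domain's single SPF record, or None (RFC 7208 4.5: >1 record is a permerror)."""
    recs = [t for t in snapshot.get(name.lower(), []) if t.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def _merge(into: dict, sub: dict) -> None:
    """Fold the features of an included/redirected policy into the referring one."""
    for key in ("ip4_networks", "ip4_addresses", "ip6_networks", "includes", "lookups"):
        into[key] += sub[key]


def spf_features(snapshot: Dict[str, List[str]], name: str,
                 _seen: Optional[Set[str]] = None) -> dict:
    """Derive structural features from a domain's SPF policy (assumed feature set, see lead-in)."""
    seen = _seen if _seen is not None else set()
    feats = {"has_spf": False, "ip4_networks": 0, "ip4_addresses": 0,
             "ip6_networks": 0, "includes": 0, "lookups": 0, "all_qualifier": None}
    record = spf_record(snapshot, name)
    if record is None or name.lower() in seen:  # missing record, or an include loop
        return feats
    seen.add(name.lower())
    feats["has_spf"] = True
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if ":" not in term and "=" in term:
            # modifier (redirect=, exp=); only redirect= causes a lookup we follow
            modifier, _, target = term.partition("=")
            if modifier.lower() == "redirect":
                feats["lookups"] += 1
                _merge(feats, spf_features(snapshot, target, seen))
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            feats["all_qualifier"] = qualifier
        elif mech == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            feats["ip4_networks"] += 1
            feats["ip4_addresses"] += net.num_addresses
        elif mech == "ip6":
            feats["ip6_networks"] += 1
        elif mech == "include":
            feats["includes"] += 1
            feats["lookups"] += 1
            _merge(feats, spf_features(snapshot, arg, seen))
        elif mech in ("a", "mx", "ptr", "exists"):
            feats["lookups"] += 1  # each of these costs a DNS query at evaluation time
    return feats


def looks_like_broad_sender(feats: dict, addr_threshold: int = 1024) -> bool:
    """Toy rule, not the paper's classifier: flag a published policy that authorizes
    everything, a large IPv4 address space, or more lookups than RFC 7208 allows
    (the receiver would evaluate that record to permerror)."""
    if not feats["has_spf"]:
        return False
    return (feats["all_qualifier"] == "+"
            or feats["ip4_addresses"] >= addr_threshold
            or feats["lookups"] > MAX_LOOKUPS)


if __name__ == "__main__":
    for domain in SNAPSHOT:
        f = spf_features(SNAPSHOT, domain)
        print(f"{domain:24} flag={str(looks_like_broad_sender(f)):5} {f}")
```

Working from a snapshot rather than live queries is what makes the feature extraction reproducible and offline-testable; against a real active measurement you would replace SNAPSHOT with the collected TXT responses and keep the parser unchanged. The lookup counter is worth keeping in any such feature set: a policy with more than ten DNS-querying terms yields permerror at the receiver, so a domain that "adopts" SPF but publishes an unevaluable record gains none of the legitimacy the abstract describes spammers seeking.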
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | IEEE/IFIP Network Operations and Management Symposium |
| Subtitle of host publication | Cognitive Management in a Cyber World, NOMS 2018 |
| Publisher | IEEE |
| Pages | 1-9 |
| Number of pages | 9 |
| ISBN (Electronic) | 978-1-5386-3416-5, 978-1-5386-3415-8 |
| ISBN (Print) | 978-1-5386-3417-2 |
| DOIs | |
| Publication status | Published - Jul 2018 |
| Event | 16th IEEE/IFIP Network Operations and Management Symposium 2018: Cognitive Management in a Cyber World, Taipei, Taiwan, 23 Apr 2018 → 27 Apr 2018 (conference number 16), http://noms2018.ieee-noms.org/ |
Conference
| Field | Value |
|---|---|
| Conference | 16th IEEE/IFIP Network Operations and Management Symposium 2018 |
| Abbreviated title | NOMS 2018 |
| Country/Territory | Taiwan |
| City | Taipei |
| Period | 23/04/18 → 27/04/18 |
| Internet address | http://noms2018.ieee-noms.org/ |
Title
Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains
Prizes
- NOMS 2018 Best Paper Award (Prize): van der Toorn, O. I., van Rijswijk, R. M., Geesink, B. & Sperotto, A. (Recipients), 27 Apr 2018