Snowshoe spam is a type of spam which is notoriously hard to detect. Differently from regular spam, snowshoe spammers distribute the volume among many hosts, in order to make detection harder. To be successful, however spammers need to appear as legitimate as possible, for example, by adopting email best practice like Sender Policy Framework (SPF). This requires spammers to register and configure legitimate DNS domains. Previous studies uses DNS data to detect spam. However, this often happens based on passive DNS data. In this paper we take a different approach. We make use of active DNS measurements, covering more than 60% of the namespace, in combination with machine learning to identify malicious domains crafted for snowshoe spam. Our results show that we are able to detect snowshoe spam domains with a precision of more than 93%. Also, we are able to detect a subset of the malicious domain 2?104 days earlier than the spam reputation systems (blacklists) currently in use, which suggest our method can give us a time advantage in the fight against spam. In a real-life scenario, we have shown that our results allow spam filter operators to block spam that would otherwise bypass their mail filter. A Realtime Blackhole List (RBL) based on our approach is currently deployed in the operational network of a major Dutch ISP.
|Title of host publication||NOMS2018|
|Subtitle of host publication||the IEEE/IFIP Network Operations and Management Symposium|
|Number of pages||8|
|Publication status||Published - 24 Apr 2018|
|Event||16th IEEE/IFIP Network Operations and Management Symposium 2018: Cognitive Management in a Cyber World - Taipei, Taiwan, Province of China|
Duration: 23 Apr 2018 → 27 Apr 2018
Conference number: 16
|Conference||16th IEEE/IFIP Network Operations and Management Symposium 2018|
|Abbreviated title||NOMS 2018|
|Country||Taiwan, Province of China|
|Period||23/04/18 → 27/04/18|
van der Toorn, O. I., van Rijswijk, R. M., Geesink, B., & Sperotto, A. (2018). Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains. In NOMS2018: the IEEE/IFIP Network Operations and Management Symposium IEEE.