Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains

Olivier Isaac van der Toorn, Roland M. van Rijswijk, Bart Geesink, Anna Sperotto

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution), Academic, peer-reviewed

Abstract

Snowshoe spam is a type of spam which is notoriously hard to detect. Unlike regular spam, snowshoe spammers distribute the volume among many hosts in order to make detection harder. To be successful, however, spammers need to appear as legitimate as possible, for example by adopting email best practices such as the Sender Policy Framework (SPF). This requires spammers to register and configure legitimate DNS domains. Previous studies have used DNS data to detect spam; however, this is often based on passive DNS data. In this paper we take a different approach. We make use of active DNS measurements, covering more than 60% of the namespace, in combination with machine learning to identify malicious domains crafted for snowshoe spam. Our results show that we are able to detect snowshoe spam domains with a precision of more than 93%. Also, we are able to detect a subset of the malicious domains 2 to 104 days earlier than the spam reputation systems (blacklists) currently in use, which suggests our method can give us a time advantage in the fight against spam. In a real-life scenario, we have shown that our results allow spam filter operators to block spam that would otherwise bypass their mail filter. A Realtime Blackhole List (RBL) based on our approach is currently deployed in the operational network of a major Dutch ISP.
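The abstract only sketches the pipeline (active DNS measurements, features derived from the records spammers must configure, a classifier, and a lead time over blacklists). The Python below is an added example and not the authors' code: it shows what feature extraction over an active-DNS snapshot could look like. The measurement records, the SPF-derived features, the rule set and the blacklist dates are all constructed or assumed for illustration; the paper's actual feature set and classifier are not on this page.

```python
"""Illustrative feature extraction over an active-DNS measurement snapshot.

Everything here is constructed for the example: the records, the features
and the rule set are assumptions, not the paper's method.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import date

# Constructed snapshot: what an active DNS crawler might store per domain
# (A, MX and TXT answers, the MX hosts' addresses, and the day first seen).
MEASUREMENTS = {
    "example-offers.test": {
        "first_seen": "2017-09-01",
        "A": ["203.0.113.10"],
        "MX": ["mail.example-offers.test"],
        "MX_A": {"mail.example-offers.test": ["203.0.113.10"]},
        "TXT": ["v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 +all"],
    },
    "corp-legit.test": {
        "first_seen": "2015-03-12",
        "A": ["192.0.2.7"],
        "MX": ["mx1.corp-legit.test", "mx2.corp-legit.test"],
        "MX_A": {"mx1.corp-legit.test": ["192.0.2.20"],
                 "mx2.corp-legit.test": ["192.0.2.21"]},
        "TXT": ["v=spf1 mx include:_spf.example.test -all",
                "google-site-verification=abc"],
    },
}

SPF_ALL = re.compile(r"^([+\-~?]?)all$")


def parse_spf(txt_records):
    """Return (mechanisms, all_qualifier) from the first v=spf1 TXT record.

    all_qualifier is '+', '-', '~', '?' or None when no 'all' term exists
    (RFC 7208: a missing qualifier means '+'). No SPF record gives ([], None).
    """
    for txt in txt_records:
        terms = txt.split()
        if not terms or terms[0].lower() != "v=spf1":
            continue
        mechanisms, qualifier = [], None
        for term in terms[1:]:
            m = SPF_ALL.match(term)
            if m:
                qualifier = m.group(1) or "+"
            else:
                mechanisms.append(term.lstrip("+-~?"))
        return mechanisms, qualifier
    return [], None


def authorised_address_count(mechanisms):
    """Count addresses explicitly authorised by ip4:/ip6: terms."""
    total = 0
    for mech in mechanisms:
        name, _, value = mech.partition(":")
        if name in ("ip4", "ip6") and value:
            total += ipaddress.ip_network(value, strict=False).num_addresses
    return total


def extract_features(record):
    """Assumed features a snowshoe classifier could be trained on."""
    mechanisms, qualifier = parse_spf(record["TXT"])
    mx_ips = {ip for ips in record["MX_A"].values() for ip in ips}
    return {
        "has_spf": qualifier is not None or bool(mechanisms),
        "spf_pass_all": qualifier in ("+", "?"),  # anyone may send as this domain
        "spf_authorised_addresses": authorised_address_count(mechanisms),
        "mx_count": len(record["MX"]),
        "mx_on_web_host": bool(mx_ips & set(record["A"])),
    }


def snowshoe_indicators(features):
    """Illustrative rule set (an assumption, not the paper's classifier)."""
    fired = []
    if features["spf_pass_all"]:
        fired.append("permissive SPF 'all' qualifier")
    if features["spf_authorised_addresses"] >= 256:
        fired.append("SPF authorises a large address range")
    if features["mx_on_web_host"]:
        fired.append("MX resolves to the same host as the web A record")
    return fired


def lead_time_days(domain, blacklisted_on):
    """Days by which the DNS-based flag (first_seen) precedes a blacklist
    listing given as an ISO date; blacklisted_on is a constructed value."""
    first = date.fromisoformat(MEASUREMENTS[domain]["first_seen"])
    return (date.fromisoformat(blacklisted_on) - first).days


if __name__ == "__main__":
    for name, rec in MEASUREMENTS.items():
        feats = extract_features(rec)
        print(name, feats, snowshoe_indicators(feats))
```

The indicators lean on the point the abstract makes: a snowshoe operator has to publish real SPF and MX data to look legitimate, and that configuration is observable by anyone who queries the zone, without waiting for a message to arrive.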
Language: English
Title of host publication: NOMS2018
Subtitle of host publication: the IEEE/IFIP Network Operations and Management Symposium
Publisher: Institute of Electrical and Electronics Engineers
Number of pages: 8
ISBN (Print): 978-1-5386-3416-5
Publication status: Published - 24 Apr 2018
Event: 16th IEEE/IFIP Network Operations and Management Symposium 2018: Cognitive Management in a Cyber World - Taipei, Taiwan, Province of China
Duration: 23 Apr 2018 to 27 Apr 2018
Conference number: 16
Internet address: http://noms2018.ieee-noms.org/

Conference

Conference: 16th IEEE/IFIP Network Operations and Management Symposium 2018
Abbreviated title: NOMS 2018
Country: Taiwan, Province of China
City: Taipei
Period: 23/04/18 to 27/04/18
Internet address: http://noms2018.ieee-noms.org/

Fingerprint

Electronic mail
Snow
Learning systems
Melting

Cite this

van der Toorn, O. I., van Rijswijk, R. M., Geesink, B., & Sperotto, A. (2018). Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains. In NOMS2018: the IEEE/IFIP Network Operations and Management Symposium. Institute of Electrical and Electronics Engineers.
@inproceedings{4f31683da1ae460f93500e126224c937,
title = "Melting the Snow: Using Active DNS Measurements to Detect Snowshoe Spam Domains",
abstract = "Snowshoe spam is a type of spam which is notoriously hard to detect. Unlike regular spam, snowshoe spammers distribute the volume among many hosts in order to make detection harder. To be successful, however, spammers need to appear as legitimate as possible, for example by adopting email best practices such as the Sender Policy Framework (SPF). This requires spammers to register and configure legitimate DNS domains. Previous studies have used DNS data to detect spam; however, this is often based on passive DNS data. In this paper we take a different approach. We make use of active DNS measurements, covering more than 60{\%} of the namespace, in combination with machine learning to identify malicious domains crafted for snowshoe spam. Our results show that we are able to detect snowshoe spam domains with a precision of more than 93{\%}. Also, we are able to detect a subset of the malicious domains 2 to 104 days earlier than the spam reputation systems (blacklists) currently in use, which suggests our method can give us a time advantage in the fight against spam. In a real-life scenario, we have shown that our results allow spam filter operators to block spam that would otherwise bypass their mail filter. A Realtime Blackhole List (RBL) based on our approach is currently deployed in the operational network of a major Dutch ISP.",
author = "{van der Toorn}, {Olivier Isaac} and {van Rijswijk}, {Roland M.} and Bart Geesink and Anna Sperotto",
year = "2018",
month = "4",
day = "24",
language = "English",
isbn = "978-1-5386-3416-5",
booktitle = "NOMS2018",
publisher = "Institute of Electrical and Electronics Engineers",
address = "United States",

}
