16th USENIX Security Symposium – Abstract
Pp. 135–148 of the Proceedings
Spamscatter: Characterizing Internet Scam Hosting Infrastructure
David S. Anderson, Chris Fleizach, Stefan Savage, and Geoffrey M. Voelker, University of California, San Diego
Unsolicited bulk e-mail, or SPAM, is a means to an end. For virtually
all such messages, the intent is to attract the recipient into
entering a commercial transaction -- typically via a linked Web site.
While the prodigious infrastructure used to pump out billions of such
solicitations is essential, the engine driving this process is
ultimately the ``point-of-sale'' -- the various money-making ``scams''
that extract value from Internet users. In the hopes of better
understanding the business pressures exerted on spammers, this paper
focuses squarely on the Internet infrastructure used to host and
support such scams. We describe an opportunistic measurement
technique called spamscatter that mines emails in real-time,
follows the embedded link structure and automatically clusters the
destination Web sites using image shingling to capture graphical
similarity between rendered sites. We have implemented this approach
on a large real-time spam feed (over 1M messages per week) and have
identified and analyzed over 2,000 distinct scams on 7,000 distinct
- View the full text of this paper in HTML and PDF. Listen to the presentation in MP3 format.
Until August 2008, you will need your USENIX membership identification in order to access the full papers.
The Proceedings are published as a collective work, © 2007 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.