A team of computer science researchers from California and Germany this summer published new findings that for the first time “focused on the operational relations and the interactions among the different parties in the spam ecosystem.”
Unwanted commercial email – commonly referred to as “spam” – is a global Internet scourge. Information security experts from Symantec® estimated the global email spam volume at 29 billion per day in 2013, according to their 2014 Internet Security Threat Report, Volume 19.
The bulk of these unwanted emails advertise bogus goods and services, counterfeit or misbranded products, and other items. Many contain malware that covertly conscripts computers into large “robot networks” (botnets, for short) controlled by cybercriminals. Botnets are used in a variety of criminal activities, from conducting distributed denial-of-service (DDoS) attacks to waging even more spam email campaigns.
Symantec’s data shows that 70% of spam emails advertise adult sites and dating sites. About 18% market pharmaceutical products. Spam can generate big money for cybercriminals, according to security researchers, with a successful campaign producing anywhere from $400,000 to $1 million.
In their paper – “The Harvester, the Botmaster, and the Spammer: On the Relations Between Different Actors in the Spam Landscape” – researchers from the University of California-Santa Barbara’s Department of Computer Science and Germany’s RWTH Aachen University found that spammers typically rent botnets to distribute their emails and tend to stick with their preferred email lists for long periods of time. “The fact that spammers are using the same botnet and email list for long periods of time can be leveraged by security researchers for detection,” they concluded.
For their research, the team from UC Santa Barbara and RWTH set several “spamtraps”: email addresses connected to a mail server under their control. The team then tracked how the addresses were harvested, which botnets contacted the harvested addresses, and what type of spam those addresses then received. From December 2012 to May 2013, researchers observed 2,197 spam emails sent to 613 of their spamtrap addresses.
The research revealed that professional email harvesters collected many of the bait email addresses and then sold them as part of lists marketed through underground channels online. Furthermore, observed spam campaigns made use of two well-known botnets – Kelihos and Cutwail – that distributed an estimated 19 billion spam emails per day in 2013, according to Symantec.
In the cyberworld, reputations matter. Previous research has shown respected email harvesters sell the most emails and the most effective botnets attract more clients. “In the experiments performed for this paper,” the researchers wrote, “we found evidence of this behavior. Spammers seem to stick with the same email harvesters, as well as with the same botnets, for long periods of time. This suggests that spammers establish some sort of customer loyalty with harvesters and botmasters, and that this relationship hardly breaks (in the absence of major events, such as botnet takedown.)”
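The correlation described above, as an added example (not code from the paper or its authors): spam hits on trap addresses are joined to the harvester that collected each address, and campaigns that keep a single harvester/botnet pair over time are flagged. All records, labels and the 90-day threshold are constructed; it assumes each trap address was exposed to exactly one harvester and that botnet and campaign labels are already available.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the paper). Assumption: each trap address
# was shown to exactly one harvester, so a later hit identifies the list used.
TRAP_HARVESTER = {
    "t001@trap.example": "harvester-A",
    "t002@trap.example": "harvester-A",
    "t003@trap.example": "harvester-B",
    "t004@trap.example": "harvester-B",
}

# (received, trap address, delivering botnet, campaign label). Botnet and
# campaign labels are assumed to come from separate fingerprinting/clustering.
SPAM_LOG = [
    (date(2012, 12, 3), "t001@trap.example", "Cutwail", "pharma-1"),
    (date(2013, 2, 14), "t002@trap.example", "Cutwail", "pharma-1"),
    (date(2013, 5, 20), "t001@trap.example", "Cutwail", "pharma-1"),
    (date(2013, 1, 9), "t003@trap.example", "Kelihos", "dating-7"),
    (date(2013, 3, 2), "t004@trap.example", "Cutwail", "dating-7"),
    (date(2013, 4, 1), "unknown@trap.example", "Kelihos", "dating-7"),
]

def campaign_profiles(spam_log, trap_harvester):
    """Join spam hits to the harvester that collected each trap address."""
    profiles = defaultdict(
        lambda: {"pairs": set(), "first": None, "last": None, "unattributed": 0})
    for received, rcpt, botnet, campaign in sorted(spam_log):
        p = profiles[campaign]
        harvester = trap_harvester.get(rcpt.lower())
        if harvester is None:  # address missing from our exposure records
            p["unattributed"] += 1
            continue
        p["pairs"].add((harvester, botnet))
        p["first"] = p["first"] or received
        p["last"] = received
    return dict(profiles)

def stable_campaigns(profiles, min_days=90):
    """Campaigns that kept one (harvester, botnet) pair for at least min_days."""
    return sorted(
        name for name, p in profiles.items()
        if len(p["pairs"]) == 1 and (p["last"] - p["first"]).days >= min_days)

if __name__ == "__main__":
    print(stable_campaigns(campaign_profiles(SPAM_LOG, TRAP_HARVESTER)))
```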
Previously, spam-related research has focused on the “conversion factor” (spam-advertised goods/services actually purchased) and the “distribution” of spam in hopes of identifying various chokepoints or breakdowns in the spam ecosystem that security programs could exploit to slow the tide of unwanted email.
This new avenue of research – which focuses on the relations between the three key actors in the spam delivery system – might eventually increase the effectiveness of mitigation techniques, the UC Santa Barbara/RWTH scientists suggested. Past studies effectively outlined the contours of the underground spam economy. “Our paper provides a first look at this phenomenon, focusing on the relations between email harvesters, botnets and spammers,” the team wrote. By understanding the business dynamics at play in the spam system, security providers can more effectively target mitigation efforts, the researchers suggested.
Individual Internet users can take steps to limit their exposure to spam email, which often contains harmful code and computer viruses.
- The site www.onguardonline.gov contains valuable information about how to limit your exposure to spam and how to protect your computer from becoming part of an international, criminal-controlled botnet (http://www.onguardonline.gov/articles/0038-spam). Spam messages can be forwarded to firstname.lastname@example.org.
- The Internet Crime Complaint Center, a partnership between the FBI and NW3C, also features valuable information related to protecting yourself online. If you believe you have been a victim of cybercrime, please file a complaint with IC3.
- Additionally, NW3C has partnered with Symantec to operate the site www.victimvoice.org. This online hub features a variety of cybercrime resources designed to aid victims and help Internet users avoid falling victim to e-crime schemes.