SpamTracer: How stealthy are spammers?

Abstract: The Internet routing infrastructure is vulnerable to the injection of erroneous routing information resulting in BGP hijacking. Some spammers, also known as fly-by spammers, have been reported using this attack to steal blocks of IP addresses and use them for spamming. Using stolen IP addresses may allow spammers to elude spam filters based on sender IP address reputation and remain stealthy. This remains a open conjecture despite some anecdotal evidences published several years ago.In order to confirm the fir… Show more

“…Our system to detect malicious BGP hijacks was partly designed upon findings of previous studies on the root causes of BGP hijack events, like Ramachandran et al's study [1] on short-lived BGP announcements, the correlation between BGP hijack alerts and spam by Hu et al [2] and a validated hijack case performed by a spammer described by Vervier et al in [12] and by Schlamp et al in [13]. Comparing our findings presented in Section III with those reported in previous work quickly led us to the conclusion that the Bulgarian Case was indeed a malicious BGP hijack.…”

“…In Section II we present the methodology and the experimental environment we have setup to study at large scale the existence and prevalence of malicious BGP hijacking events. It extends on the previous work [12] with a control/routing plane based detection of prefix ownership attacks, a routing consistency analysis using Internet Routing Registries and an analysis of the network traffic from suspect hijacked networks using NetFlow data. In Section III we perform an in-depth analysis of a real case where suspicious routing events were correlated with spam and web scam traffic strongly suggesting a BGP hijack performed for malicious purposes.…”

“…We have developed a tool called SPAMTRACER [12] to monitor the routing behavior of spamming networks by performing traceroute measurements towards networks that have sent spam to Symantec.cloud spam traps. These measurements are performed on a daily basis and repeatedly for a certain period of time after spam is received.…”

“…In theory, spammers using this technique are able to circumvent backtracking and traditional IP-based blacklisting due to the short-lived nature of the attack. More recently, a validated case of a BGP hijack specifically carried out to send spam from the stolen prefixes was reported in [12], [13]. Unlike the first observations of fly-by spammers, this incident involved a long-term hijack attack of several months and was confirmed by the owner of the victim network.…”

“…The contribution of our paper is twofold. First, we present our methodology and experimental environment for detecting BGP hijacks and assessing the malicious intent by looking at the traffic generated by the hijacked prefixes extending on the previous work SPAMTRACER [12]. This is achieved by combining several data sources and analysis techniques in a novel way.…”

Malicious BGP hijacks: Appearances can be deceiving

“…Our system to detect malicious BGP hijacks was partly designed upon findings of previous studies on the root causes of BGP hijack events, like Ramachandran et al's study [1] on short-lived BGP announcements, the correlation between BGP hijack alerts and spam by Hu et al [2] and a validated hijack case performed by a spammer described by Vervier et al in [12] and by Schlamp et al in [13]. Comparing our findings presented in Section III with those reported in previous work quickly led us to the conclusion that the Bulgarian Case was indeed a malicious BGP hijack.…”

“…In Section II we present the methodology and the experimental environment we have setup to study at large scale the existence and prevalence of malicious BGP hijacking events. It extends on the previous work [12] with a control/routing plane based detection of prefix ownership attacks, a routing consistency analysis using Internet Routing Registries and an analysis of the network traffic from suspect hijacked networks using NetFlow data. In Section III we perform an in-depth analysis of a real case where suspicious routing events were correlated with spam and web scam traffic strongly suggesting a BGP hijack performed for malicious purposes.…”

“…We have developed a tool called SPAMTRACER [12] to monitor the routing behavior of spamming networks by performing traceroute measurements towards networks that have sent spam to Symantec.cloud spam traps. These measurements are performed on a daily basis and repeatedly for a certain period of time after spam is received.…”

“…In theory, spammers using this technique are able to circumvent backtracking and traditional IP-based blacklisting due to the short-lived nature of the attack. More recently, a validated case of a BGP hijack specifically carried out to send spam from the stolen prefixes was reported in [12], [13]. Unlike the first observations of fly-by spammers, this incident involved a long-term hijack attack of several months and was confirmed by the owner of the victim network.…”

“…The contribution of our paper is twofold. First, we present our methodology and experimental environment for detecting BGP hijacks and assessing the malicious intent by looking at the traffic generated by the hijacked prefixes extending on the previous work SPAMTRACER [12]. This is achieved by combining several data sources and analysis techniques in a novel way.…”

Malicious BGP hijacks: Appearances can be deceiving

The Abandoned Side of the Internet: Hijacking Internet Resources When Domain Names Expire

Consignor Is a Spammer