The Tricks of the Trade:What Makes Spam Campaigns

Successful?

Jane Iedemska, Gianluca Stringhini, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna

University of California, Santa Barbara

The Tricks of the Trade: What Makes Spam Campaigns Successful? 2

Spamming Botnets

Which elements influence the success of a spam operation?

The Tricks of the Trade: What Makes Spam Campaigns Successful? 3

Success in Spamming

Botnets are a distributed systemThe throughput of the system is important

We consider a spammer successful if most of his emails are sent correctly

We do not consider human factors Previous research [Kanich et al., CCS 2008]

The Tricks of the Trade: What Makes Spam Campaigns Successful? 4

Motivation

Are we helping the bad guys?

Understanding the important elements in running a botnet allows us to:• Identify new research directions• Run a “sanity check” on past research

The Tricks of the Trade: What Makes Spam Campaigns Successful? 5

The Cutwail Botnet

In 2010 we participated to an attempted takedown

We obtained access to 24 C&C servers• 30% of the botnet• Each server rent by a different spammer• Detailed statistics on the spammers’ campaigns

Details in [Stone-Gross et al., LEET 2011]

The CutwailManual

The Tricks of the Trade: What Makes Spam Campaigns Successful? 7

Guidelines for the “good” spammerSpammers are advised to• Choose wisely between text and HTML• Clean up their email lists from non-existing addresses• Do not use too many bots (2,000-3,000 are good)• Run campaigns for a short time

The Tricks of the Trade: What Makes Spam Campaigns Successful? 8

Mathematical model

The Cutwail developers provide a mathematical model on how to optimize the operation of the botnet

Elements that positively influence success:Duration of campaign, email addresses that exist, bandwidth of the bots

Elements that negatively influence success:Size of email messages, time taken to generate an email

The mathematical model is invalid

SuccessfulSpammers

The Tricks of the Trade: What Makes Spam Campaigns Successful? 10

Assessing successful spammersWe look at the fraction of emails successfully sent• Top 10% - Successful campaigns (25B emails)• Bottom 10% - Failed campaings (5B emails)

We use these two sets as ground truth

The Tricks of the Trade: What Makes Spam Campaigns Successful? 11

Important settings

Good “housekeeping”• Clean up email lists for nonexisting addresses• Limit bots to 5,000 at most

Bots have bad Internet connectionsInstruct bots to retry sending emails multiple times

The Tricks of the Trade: What Makes Spam Campaigns Successful? 12

Bot country distribution

Previous research showed that bots located in certain countries are more expensive [Caballero et al., USENIX 2011]

The country of the bots does not influence their spamming capabilitySuccessful spammers purchased cheaper bots

The Tricks of the Trade: What Makes Spam Campaigns Successful? 13

Sanity check on past researchTamper with spammers cleaning up email lists[Stringhini et al., USENIX 2012]

Use network errors for spam detection[Kakavelakis et al., LISA 2011]

Use geographical distance of bots and victims[Hao et al., USENIX 2009]

The Tricks of the Trade: What Makes Spam Campaigns Successful? 14

Conclusions

Elements that make a spam campaign successfulSuccessful spammers leverage experience rather than advice

A wealth of research already targets the important element in a spam campaign

We hope that this paper will help researchers in developing techniques that hit spammers where it hurts the most

Questions?

gianluca@cs.ucsb.edu

@gianlucasb