TY - GEN
T1 - Understanding the domain registration behavior of spammers
AU - Hao, Shuang
AU - Thomas, Matthew
AU - Paxson, Vern
AU - Feamster, Nick
AU - Kreibich, Christian
AU - Grier, Chris
AU - Hollenbeck, Scott
PY - 2013
Y1 - 2013
N2 - Spammers register a tremendous number of domains to evade blacklisting and takedown efforts. Current techniques to detect such domains rely on crawling spam URLs or monitoring lookup traffic. Such detection techniques are only effective after the spammers have already launched their campaigns, and thus these countermeasures may only come into play after the spammer has already reaped significant benefits from the dissemination of large volumes of spam. In this paper we examine the registration process of such domains, with a particular eye towards features that might indicate that a given domain likely has a malicious purpose at registration time, before it is ever used for an attack. Our assessment includes exploring the characteristics of registrars, domain life cycles, registration bursts, and naming patterns. By investigating zone changes from the .com TLD over a 5-month period, we discover that spammers employ bulk registration, that they often re-use domains previously registered by others, and that they tend to register and host their domains over a small set of registrars. Our findings suggest steps that registries or registrars could use to frustrate the efforts of miscreants to acquire domains in bulk, ultimately reducing their agility for mounting large-scale attacks.
KW - Blacklist
KW - DNS
KW - Domain registration
KW - Spam
UR - http://www.scopus.com/inward/record.url?scp=84890015185&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84890015185&partnerID=8YFLogxK
U2 - 10.1145/2504730.2504753
DO - 10.1145/2504730.2504753
M3 - Conference contribution
AN - SCOPUS:84890015185
SN - 9781450319539
T3 - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC
SP - 63
EP - 75
BT - IMC 2013 - Proceedings of the 13th ACM Internet Measurement Conference
T2 - 13th ACM Internet Measurement Conference, IMC 2013
Y2 - 23 October 2013 through 25 October 2013
ER -