21 - STUDENT - Internet Bad Neighborhoods: the Spam Case

Giovane Moura (University of Twente)

A significant part of current attacks on the Internet comes from compromised hosts that, usually, take part in botnets. Even though bots themselves can be distributed all over the world, there is evidence that most of the malicious hosts are, in fact, concentrated in a small fraction of the IP address space, on certain networks. Based on this fact, the Bad Neighborhood concept was introduced. The general idea of Bad Neighborhoods is to rate a subnetwork by the number of malicious hosts that have been detected in that subnetwork. The concept was successfully employed in mail filtering: if a message originates from a Bad Neighborhood, i.e., from a subnetwork with a high number of spamming hosts, it is more likely to be rated as spam, even if the particular IP was never noticed as a spammer before.
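The rating idea described above, as an added sketch that is not code from the paper: it groups observed spam sources by enclosing subnetwork, counts distinct bad hosts per subnetwork, and scores a sender that was never seen before by its neighborhood. The /24 prefix length, the use of the raw host count as the score, and the sample data are assumptions; the four definitions proposed in the paper are not reproduced here.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (source IP, spam messages observed). Addresses come from
# the RFC 5737 documentation ranges and are not real spam sources.
SIGHTINGS = [
    ("192.0.2.10", 40), ("192.0.2.11", 25), ("192.0.2.57", 30),
    ("192.0.2.200", 5), ("198.51.100.7", 3), ("203.0.113.99", 1),
]

def neighborhood(ip, prefix_len=24):
    """Enclosing subnetwork of `ip`; the /24 default is an assumption."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

def rate_neighborhoods(sightings, prefix_len=24):
    """Map each subnetwork to (distinct malicious hosts, total spam messages)."""
    hosts, volume = defaultdict(set), defaultdict(int)
    for ip, messages in sightings:
        net = neighborhood(ip, prefix_len)
        hosts[net].add(ipaddress.ip_address(ip))  # set: repeat sightings count once
        volume[net] += messages
    return {net: (len(hosts[net]), volume[net]) for net in hosts}

def score_sender(ip, ratings, prefix_len=24):
    """Bad-host count of the sender's neighborhood; 0 if none were seen there."""
    return ratings.get(neighborhood(ip, prefix_len), (0, 0))[0]

def top_share(ratings, fraction):
    """Share of all spam sent from the worst `fraction` of neighborhoods."""
    volumes = sorted((v for _, v in ratings.values()), reverse=True)
    keep = max(1, round(len(volumes) * fraction))
    return sum(volumes[:keep]) / sum(volumes)

if __name__ == "__main__":
    ratings = rate_neighborhoods(SIGHTINGS)
    for net, (n_hosts, n_msgs) in sorted(ratings.items(), key=lambda kv: -kv[1][0]):
        print(f"{net}: {n_hosts} bad hosts, {n_msgs} spam messages")
    # 192.0.2.123 never appears in SIGHTINGS, yet inherits its neighborhood's score.
    print("score for unseen 192.0.2.123:", score_sender("192.0.2.123", ratings))
    print("spam share of worst third:", round(top_share(ratings, 1 / 3), 3))
```

A mail filter would combine such a neighborhood score with its other signals instead of rejecting on it alone, since legitimate senders can share a subnetwork with compromised hosts.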

In this work, we propose four definitions for spam-based Bad Neighborhoods that take into account the way spammers operate. We apply the definitions to real-world data sets and show that they provide valuable insight into the behavior of spammers and the networks hosting them. Among our findings, we show that 10% of the Bad Neighborhoods are responsible for the majority of spam.
