Clustering Spam Domains and Destination Websites: Digital Forensics with Data Mining

Spam related cyber crimes have become a serious threat to society. Current spam research mainly aims to detect spam more effectively. We believe the identification and disruption of the supporting infrastructure used by spammers is a more effective way of stopping spam than filtering. The termination of spam hosts will greatly reduce the profit a spammer can generate and thwart his ability to send more spam. This research proposes an algorithm for clustering spam domains extracted from spam emails based on the hosting IP addresses and tracing the IP addresses over a period of time. The results show that many seemingly unrelated spam campaigns are actually related if the domain names in the URLs are investigated; spammers have a sophisticated mechanism for combating URL blacklisting by registering many new domain names every day and flushing out old domains; the domains are hosted at different IP addresses across several networks, mostly in China where legislation is not as tight as in the United States; old IP addresses are replaced by new ones from time to time, but still show strong correlation among them. This paper demonstrates an effective use of data mining to relate spam emails for the purpose of identifying the supporting infrastructure used for spamming and other cyber criminal activities

Understanding the Impact of Hacker Innovation upon IS Security Countermeasures

Hackers external to the organization continue to wreak havoc upon the information systems infrastructure of firms through breaches of security defenses, despite constant development of and continual investment in new IS security countermeasures by security professionals and vendors. These breaches are exceedingly costly and damaging to the affected organizations. The continued success of hackers in the face of massive amounts of security investments suggests that the defenders are losing and that the hackers can innovate at a much faster pace. Underground hacker communities have been shown to be an environment where attackers can learn new techniques and share tools pertaining to the defeat of IS security countermeasures. This research sought to understand the manner in which hackers diffuse innovations within these communities. Employing a multi-site, positivist case study approach of four separate hacking communities, the study examined how hackers develop, communicate, and eventually adopt these new techniques and tools, so as to better inform future attempts at mitigating these attacks. The research found that three classes of change agents are influential in the diffusion and adoption of an innovation: the developer/introducer of the innovation to the community, the senior member of a community, and the author of tutorials. Additionally, the research found that three innovation factors are key to successful diffusion and adoption: the compatibility of the innovation to the needs of the community, the complexity of the innovation, and the change in image conferred upon the member from adopting the innovation. The research also described the process by which innovations are adopted within the hacking communities and detailed phases in this process which are unique to these communities

Analyzing the Aftermath of the McColo Shutdown

This paper examines how spam behavior was impacted by the shutdown of McColo, a service provider known for its lax security enforcement. Since the shutdown, a variety of sources have reported significant changes to global spam patterns. In an effort to clarify how spam has changed, we examine reputation data provided by a leading security vendor and present an analysis of spam before and after the Mc-Colo shutdown. We show that the actual number of spammers has decreased. We also examine the distribution of spammers both geographically and across the IP space. Our results show that 87 % spam sending regions suffered some reductions. Despite this however, the number of sources identified as spammers is still monotonically increasing and the spam volume has recovered to its pre-shutdown levels.