Correlating Spam Activity with IP Address Characteristics. Wilcox, C., Papadopoulos, C., & Heidemann, J. In Proceedings of the IEEE Global Internet Symposium, pages 1–6, San Diego, California, USA, March, 2010. IEEE.

It is well known that spam bots mostly utilize compromised machines with certain address characteristics, such as dynamically allocated addresses, machines in specific geographic areas and IP ranges from AS' with more tolerant spam policies. Such machines tend to be less diligently administered and may exhibit less stability, more volatility, and shorter uptimes. However, few studies have attempted to quantify how such spam bot address characteristics compare with non-spamming hosts. Quantifying these characteristics may help provide important information for comprehensive spam mitigation. We use two large datasets, namely a commercial blacklist and an Internet-wide address visibility study to quantify address characteristics of spam and non-spam networks. We find that spam networks exhibit significantly less availability and uptime, and higher volatility than non-spam networks. In addition, we conduct a collateral damage study of a common practice where an ISP blocks the entire /24 prefix if spammers are detected in that range. We find that such a policy blacklists a significant portion of legitimate mail servers belonging to the same prefix.
@InProceedings{Wilcox10a,
author = "Chris Wilcox and Christos Papadopoulos and John Heidemann",
title = "Correlating Spam Activity with IP Address Characteristics",
booktitle = "Proceedings of the " # " IEEE Global Internet Symposium",
year = 2010,
sortdate = "2010-03-01",
project = "ant, lander, madcat",
jsubject = "network_security",
pages = "1--6",
address = "San Diego, California, USA",
month = mar,
publisher = "IEEE",
doi = "http://dx.doi.org/10.1109/INFCOMW.2010.5466660",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Wilcox10a.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Wilcox10a.pdf",
myorganization = "USC/Information Sciences Institute",
jlocation = "johnh: pafile",
keywords = "spam, IP address analysis, correlation,
collateral damage",
copyrightholder = "IEEE",
copyrightterms = " Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE. ",
abstract = "It is well known that spam bots mostly utilize
compromised machines with certain address
characteristics, such as dynamically allocated
addresses, machines in specific geographic areas and
IP ranges from AS' with more tolerant spam
policies. Such machines tend to be less diligently
administered and may exhibit less stability, more
volatility, and shorter uptimes. However, few
studies have attempted to quantify how such spam bot
address characteristics compare with non-spamming
hosts. Quantifying these characteristics may help
provide important information for comprehensive spam
mitigation. We use two large datasets, namely a
commercial blacklist and an Internet-wide address
visibility study to quantify address characteristics
of spam and non-spam networks. We find that spam
networks exhibit significantly less availability and
uptime, and higher volatility than non-spam
networks. In addition, we conduct a collateral
damage study of a common practice where an ISP
blocks the entire /24 prefix if spammers are
detected in that range. We find that such a policy
blacklists a significant portion of legitimate mail
servers belonging to the same prefix.",
}