
Serving up spam and scams

Geoff Voelker and Stefan Savage, computer science professors at the Jacobs School, have made some surprising discoveries about scams advertised in spam emails.

Jacobs School computer scientists have found striking differences between the infrastructure used to distribute spam and the infrastructure used to host the online scams advertised in these unwanted email messages. This work is expected to aid in the fight to reduce spam volume and shut down illegal online businesses and malware sites.

Based on an analysis of over one million spam emails, 94 percent of the scams advertised via embedded links are hosted on individual Web servers, according to research from the Jacobs School presented at the USENIX Security 2007 conference held August 9 in Boston.

Using an Internet monitoring approach developed at UCSD called "spamscatter," computer science professors Geoff Voelker and Stefan Savage and two graduate students - David Anderson and Chris Fleizach - studied a spam feed over the course of a week. They analyzed Web servers hosting online scams that were advertised in spam and either offered merchandise and services or used malicious means like phishing and spyware to defraud users. The researchers followed the URLs embedded in spam back to the hosting servers, probed the servers and analyzed the Web pages advertised in the spam.

"Spamscatter provides a mechanism for studying global Internet behavior from a single vantage point. Our findings suggest that the current scam infrastructure is particularly vulnerable to common blocking techniques such as blacklisting," Voelker says.

The computer scientists recorded the server locations and captured screenshots of the spam URL destination Web pages. From these screenshots, the researchers grouped the scams using a technique called "image shingling." This approach matches visually similar Web pages based upon images rendered in a Web browser rather than on HTML source, URL text, or spam email contents. Image shingling enables spamscatter to foil common scammer techniques for avoiding detection in which, for example, the scammers compose their Web sites entirely with images.
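A minimal sketch of the idea, added here as an illustration and not taken from the spamscatter code: each rendered page is cut into fixed-size tiles, every tile is hashed, and pages that share enough tile hashes are grouped as one scam regardless of host or HTML. The tile size, the 0.7 threshold, the Jaccard overlap measure, the greedy grouping, the function names and the sample "screenshots" are all assumptions constructed for the example.

```python
import hashlib

TILE = 4          # assumed tile edge in pixels; kept small for the demo
THRESHOLD = 0.7   # assumed fraction of shared tiles needed to call two pages the same scam

def render(seed, size=16):
    """Constructed stand-in for a browser screenshot: a deterministic grayscale grid."""
    return [[hashlib.sha256(f"{seed}:{x}:{y}".encode()).digest()[0]
             for x in range(size)] for y in range(size)]

def with_banner(page, seed):
    """Copy of a page whose top-left tile is swapped, e.g. a rotated banner image."""
    alt = render(seed)
    return [[alt[y][x] if x < TILE and y < TILE else v
             for x, v in enumerate(row)] for y, row in enumerate(page)]

def shingles(pixels, tile=TILE):
    """Hash every tile x tile block of the rendered image; the set is the page's fingerprint."""
    out = set()
    for y in range(0, len(pixels) - tile + 1, tile):
        for x in range(0, len(pixels[0]) - tile + 1, tile):
            block = bytes(pixels[y + dy][x + dx] for dy in range(tile) for dx in range(tile))
            out.add(hashlib.sha256(block).hexdigest())
    return out

def similarity(a, b):
    """Jaccard overlap of two pages' tile hashes (0.0 = nothing shared, 1.0 = identical)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0

def cluster(pages, threshold=THRESHOLD):
    """Greedy grouping: a page joins the first cluster whose first member it matches."""
    groups = []
    for name, pixels in pages.items():
        for group in groups:
            if similarity(pages[group[0]], pixels) >= threshold:
                group.append(name)
                break
        else:
            groups.append([name])
    return groups

# Constructed sample: two hosts serving the same storefront, one unrelated page.
STORE = render(1)
PAGES = {
    "host-a.example": STORE,
    "host-b.example": with_banner(STORE, 2),
    "host-c.example": render(3),
}

if __name__ == "__main__":
    print(cluster(PAGES))
```

Because only rendered pixels are compared, a page built entirely from images is fingerprinted the same way as one built from HTML text.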

Through the Collaborative Center for Internet Epidemiology and Defenses (CCIED), the UCSD researchers will continue their efforts to measure and understand the infrastructure used to support the active underground market for illegal online goods and services as a basis for developing controls and defenses against them.

Jacobs School computer scientists studied spam to better understand the dynamics and business pressures exerted on spammers.
