Identifying spammers by their resource usage patterns

Kevin S. Xu, Mark Kliger, and Alfred O. Hero III

Abstract

Most studies on spam thus far have focused on its content or source. These types of studies, however, reveal little about the behavioral characteristics of spammers. In addition, privacy issues may prevent wide access to email content. In this paper, we try to identify spammers by investigating their resource usage patterns. Specifically, we look at usage patterns of harvesters, the bots that are used to acquire email addresses, and spam servers, the email servers being used to send the spam emails. We perform spectral biclustering on both harvesters and servers to reveal groups of resources that are used together, which we believe correspond to individual spammers or groups of spammers. We make several interesting discoveries including a division into phishing and non-phishing spammers and a group of harvesters with highly correlated behavior that have IP addresses belonging to a rogue Internet service provider.

Paper

K. S. Xu, M. Kliger, A. O. Hero III, “Identifying spammers by their resource usage patterns,” Collaboration, Electronic Messaging, Anti-Abuse and Spam Conf. (CEAS), 2010. (.pdf)

Biclustering results

The Cytoscape visualization shows the bicluster interaction network. Each bicluster is represented by two vertices: a circular vertex corresponding to a cluster of harvesters and a triangular vertex corresponding to a cluster of servers. The size of a vertex is representative of the number of harvesters or servers in that particular cluster, and the color of a vertex corresponds to the average phishing level of the harvesters or servers in the bicluster. Only the biclusters in the giant connected component (GCC) are displayed! In some months, such as March 2006, all of the phishing biclusters were disconnected from the GCC, so they are excluded from the visualization. The smaller connected components are, however, included in the contingency tables.

The contingency tables show the distribution of phishing and non-phishing harvesters and servers in phishing and non-phishing biclusters.

Month	Visualization	Contingency tables
2006-01	clu_2006_01.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	120	4	P_cluster	155	8
		N_cluster	16	466	P_cluster	21	3077
2006-02	clu_2006_02.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	127	1	P_cluster	202	3
		N_cluster	14	557	P_cluster	25	3745
2006-03	clu_2006_03.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	209	25	P_cluster	299	51
		N_cluster	18	639	P_cluster	28	5290
2006-04	clu_2006_04.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	244	26	P_cluster	331	34
		N_cluster	19	586	P_cluster	22	4389
2006-05	clu_2006_05.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	222	21	P_cluster	255	24
		N_cluster	24	697	P_cluster	34	4723
2006-06	clu_2006_06.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	187	11	P_cluster	232	20
		N_cluster	20	788	P_cluster	52	17639
2006-07	clu_2006_07.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	188	10	P_cluster	238	18
		N_cluster	33	864	P_cluster	43	22431
2006-08	clu_2006_08.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	193	14	P_cluster	214	24
		N_cluster	19	879	P_cluster	71	29738
2006-09	clu_2006_09.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	165	9	P_cluster	215	19
		N_cluster	25	965	P_cluster	108	37554
2006-10	clu_2006_10.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	172	7	P_cluster	231	11
		N_cluster	20	1333	P_cluster	1465	73748
2006-11	clu_2006_11.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	147	10	P_cluster	192	16
		N_cluster	44	1287	P_cluster	832	61970
2006-12	clu_2006_12.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	135	13	P_cluster	180	11
		N_cluster	18	1316	P_cluster	1832	59957
2007-01	clu_2007_01.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	132	7	P_cluster	171	18
		N_cluster	23	1245	P_cluster	1502	59982
2007-02	clu_2007_02.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	130	6	P_cluster	198	23
		N_cluster	37	1228	P_cluster	1085	65320
2007-03	clu_2007_03.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	110	5	P_cluster	146	24
		N_cluster	17	1131	P_cluster	609	67203
2007-04	clu_2007_04.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	117	8	P_cluster	293	21
		N_cluster	26	1760	P_cluster	1057	79528
2007-05	clu_2007_05.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	115	13	P_cluster	258	37
		N_cluster	100	1965	P_cluster	1380	74307
2007-06	clu_2007_06.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	163	18	P_cluster	396	59
		N_cluster	103	2347	P_cluster	1807	88705
2007-07	clu_2007_07.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	168	32	P_cluster	448	105
		N_cluster	110	2700	P_cluster	2229	147110
2007-08	clu_2007_08.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	256	58	P_cluster	891	164
		N_cluster	87	2918	P_cluster	2667	195619
2007-09	clu_2007_09.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	410	73	P_cluster	1248	372
		N_cluster	86	3938	P_cluster	3205	236327
2007-10	clu_2007_10.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	295	71	P_cluster	990	2416
		N_cluster	122	5390	P_cluster	258	452859
2007-11	clu_2007_11.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	323	84	P_cluster	1000	297
		N_cluster	127	5983	P_cluster	5773	740193
2007-12	clu_2007_12.png		P_harvester	N_harvester		P_server	N_server
		P_cluster	242	49	P_cluster	698	200
		N_cluster	124	7137	P_cluster	4232	992336

Code and Data

To request access to the code and data used in the analysis, please contact Kevin Xu at the address below.

Identifying spammers by their resource usage patterns

Abstract

Paper

Biclustering results

Code and Data

Contact