{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,4,11]],"date-time":"2025-04-11T04:02:55Z","timestamp":1744344175422,"version":"3.40.4"},"reference-count":41,"publisher":"Wiley","issue":"4","license":[{"start":{"date-parts":[[2012,10,9]],"date-time":"2012-10-09T00:00:00Z","timestamp":1349740800000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/onlinelibrary.wiley.com\/termsAndConditions#vor"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Security Comm Networks"],"published-print":{"date-parts":[[2016,3,10]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>There is a consensus in the anti\u2010spam community regarding the prevalence of spam botnets and the significant role they play in the worldwide spam problem. Nevertheless, far less attention has been devoted to studying the <jats:italic>strategic behavior<\/jats:italic> of spammers on a long\u2010term basis. This paper explores several facets of spammers operations by providing three essential perspectives: (i) we study the inter\u2010relationships among spam botnets through their aggregate spam campaigns, and we focus on identifying similarities or differences in their <jats:italic>modus operandi<\/jats:italic>; (ii) we look at the impact of the <jats:styled-content>Rustock<\/jats:styled-content> takedown on the botnet ecosystem; and (iii) we study the conjecture about spammers hijacking unused IP space to send spam in a stealthy way. To that end, we have analyzed over one million spam records collected by <jats:italic>Symantec.cloud<\/jats:italic> (formerly MessageLabs) through worldwide distributed spamtraps. Our methodology leverages techniques relying on data fusion and multi\u2010criteria decision analysis to extract intelligence from large spam data sets by automatically correlating spam campaigns according to various combinations of spam features. 
We also take advantage of node\u2013link visualizations developed in the context of VIS\u2010SENSE, a research project aiming at developing <jats:italic>Visual Analytics<\/jats:italic> technologies for the security domain. Using these visualizations, we illustrate the tight relationships that exist among different botnet families (such as <jats:styled-content>Rustock\/Grum<\/jats:styled-content> or <jats:styled-content>Lethic\/Maazben<\/jats:styled-content>). Regarding the disruption of <jats:styled-content>Rustock<\/jats:styled-content> on 17 March 2011, our experimental results provide substantial evidence indicating that part of the botnet activity may have been offloaded to <jats:styled-content>Grum<\/jats:styled-content> shortly after the takedown operation. Finally, we analyzed over 1\u2009year of spam data enriched with Border Gateway Protocol data and found that an increasing amount of spam may have been sent from IP blocks hijacked for several weeks or months, even though this phenomenon remains marginal at this time compared with spam sent from large botnets. 
Copyright \u00a9 2012 John Wiley &amp; Sons, Ltd.<\/jats:p>","DOI":"10.1002\/sec.640","type":"journal-article","created":{"date-parts":[[2012,10,9]],"date-time":"2012-10-09T06:17:37Z","timestamp":1349763457000},"page":"336-356","source":"Crossref","is-referenced-by-count":3,"title":["Spammers operations: a multifaceted strategic analysis"],"prefix":"10.1002","volume":"9","author":[{"given":"O.","family":"Thonnard","sequence":"first","affiliation":[{"name":"Symantec Research Labs 2229, Route des Cr\u00e8tes 06560 Sophia Antipolis France"}]},{"given":"Pierre\u2010Antoine","family":"Vervier","sequence":"additional","affiliation":[{"name":"Symantec Research Labs 2229, Route des Cr\u00e8tes 06560 Sophia Antipolis France"},{"name":"Institut Eurecom 2229, Routes des Cr\u00e8tes 06560 Sophia Antipolis France"}]},{"given":"M.","family":"Dacier","sequence":"additional","affiliation":[{"name":"Symantec Research Labs 2229, Route des Cr\u00e8tes 06560 Sophia Antipolis France"}]}],"member":"311","published-online":{"date-parts":[[2012,10,9]]},"reference":[{"key":"e_1_2_10_2_1","unstructured":"Symantec.cloud. Symantec Intelligence Reports.http:\/\/www.symanteccloud.com\/globalthreats."},{"key":"e_1_2_10_3_1","unstructured":"StewartJ.Top Spam Botnets Exposed. Malware Research SecureWorks 2008.http:\/\/www.secureworks.com\/research\/threats\/topbotnets\/."},{"key":"e_1_2_10_4_1","doi-asserted-by":"crossref","unstructured":"XieY YuF AchanK PanigrahyR HultenG OsipkovI.Spamming botnets: signatures and characteristics. InSIGCOMM '08: Proceedings of the ACM SIGCOMM 2008 conference on Data communication New York NY USA 2008;171\u2013182. ACM.","DOI":"10.1145\/1402958.1402979"},{"key":"e_1_2_10_5_1","unstructured":"MoriT EsquivelH AkellaA ShimodaA GotoS.Understanding large\u2010scale spamming botnets from internet edge sites. InCEAS 2010."},{"key":"e_1_2_10_6_1","doi-asserted-by":"crossref","unstructured":"HusnaH PhithakkitnukoonS PallaS DantuR.Behavior analysis of spam botnets. 
InCOMSWARE IEEE 2008;246\u2013253.","DOI":"10.1109\/COMSWA.2008.4554418"},{"key":"e_1_2_10_7_1","unstructured":"LiF HsiehM\u2010H.An empirical study of clustering behavior of spammers and group\u2010based anti\u2010spam strategies. InCEAS 2006."},{"key":"e_1_2_10_8_1","doi-asserted-by":"crossref","unstructured":"RamachandranA FeamsterN.Understanding the network\u2010level behavior of spammers. InSIGCOMM '06: Proceedings of the 2006 Conference on Applications Technologies Architectures and Protocols for Computer Communications New York NY USA 2006;291\u2013302. ACM.","DOI":"10.1145\/1159913.1159947"},{"key":"e_1_2_10_9_1","doi-asserted-by":"crossref","unstructured":"HuX MaoZM.Accurate real\u2010time identification of IP prefix hijacking. InProceedings of the 2007 IEEE Symposium on Security and Privacy SP '07 Washington DC USA 2007;3\u201317. IEEE Computer Society.","DOI":"10.1109\/SP.2007.7"},{"key":"e_1_2_10_10_1","unstructured":"BankD RichmondR.Where the dangers are.http:\/\/www.crime\u2010research.org\/articles\/1369\/ 2005."},{"key":"e_1_2_10_11_1","unstructured":"Spamhaus DROP list (Don't Route Or Peer).http:\/\/www.spamhaus.org\/drop."},{"key":"e_1_2_10_12_1","unstructured":"Prefix hijacking by Michael Lindsay via Internap.http:\/\/mailman.nanog.org\/pipermail\/nanog\/2011\u2010August\/039379.html 2011."},{"key":"e_1_2_10_13_1","unstructured":"Composite Blocking List.http:\/\/cbl.abuseat.org"},{"key":"e_1_2_10_14_1","unstructured":"ThonnardO.A multi\u2010criteria clustering approach to support attack attribution in cyberspace. 
PhD Thesis \u00c9cole Doctorale d'Informatique T\u00e9l\u00e9communications et \u00c9lectronique de Paris 2010."},{"key":"e_1_2_10_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/1882471.1882474"},{"key":"e_1_2_10_16_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-15512-3_23"},{"key":"e_1_2_10_17_1","unstructured":"Symantec Corporation.Symantec report on rogue security software.http:\/\/www.symantec.com\/threatreport\/archive.jsp 2009."},{"key":"e_1_2_10_18_1","doi-asserted-by":"crossref","unstructured":"DacierM PhamV ThonnardO.The WOMBAT attack attribution method: some results. InProc. of the 5th International Conference on Information Systems Security (ICISS 2009) Kolkata India 2009.","DOI":"10.1007\/978-3-642-10772-6_3"},{"key":"e_1_2_10_19_1","unstructured":"WOMBAT Project.Worldwide observatory of malicious behaviors and attack threats. Deliverable D22 (D5.2). Root Causes Analysis: Experimental Report.http:\/\/www.wombat\u2010project.eu 2011."},{"key":"e_1_2_10_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/21.87068"},{"volume-title":"Aggregation Functions: a Guide for Practitioners","year":"2007","author":"Beliakov G","key":"e_1_2_10_21_1"},{"key":"e_1_2_10_22_1","unstructured":"SugenoM.Theory of fuzzy integrals and its applications. PhD thesis Tokyo Institute of Technology 1974."},{"key":"e_1_2_10_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/1882471.1882474"},{"key":"e_1_2_10_24_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0165-0114(97)00168-1"},{"key":"e_1_2_10_25_1","doi-asserted-by":"crossref","unstructured":"CollinsMP ShimeallTJ FaberS JaniesJ WeaverR ShonMD KadaneJ.Using uncleanliness to predict future botnet addresses. InIMC '07: Proc. of the 7th ACM SIGCOMM Conference on Internet Measurement 93\u2013104 New York NY USA 2007. 
ACM.","DOI":"10.1145\/1298306.1298319"},{"key":"e_1_2_10_26_1","unstructured":"FugledeB TopsoeF.Jensen\u2013Shannon divergence and Hilbert space embedding.2004;31."},{"key":"e_1_2_10_27_1","doi-asserted-by":"publisher","DOI":"10.1126\/science.210.4468.390"},{"key":"e_1_2_10_28_1","unstructured":"PavanM PelilloM.A new graph\u2010theoretic approach to clustering and segmentation. InProceedings of IEEE Conference on Computer Vision and Pattern Recognition 2003."},{"key":"e_1_2_10_29_1","unstructured":"The VIS\u2010SENSE Project.http:\/\/www.vis\u2010sense.eu\/"},{"key":"e_1_2_10_30_1","unstructured":"The Wall Street Journal.Spam Network Shut Down.http:\/\/online.wsj.com\/article\/SB10001424052748703328404576207173861008758.html 2011."},{"key":"e_1_2_10_31_1","unstructured":"ParkE.Rustock Takedown's effect on global spam volume.http:\/\/www.symantec.com\/connect\/security\/blogs 2011."},{"key":"e_1_2_10_32_1","unstructured":"KrebsB.Rustock Botnet Flatlined Spam Volumes Plummet.http:\/\/krebsonsecurity.com\/ 2011."},{"key":"e_1_2_10_33_1","unstructured":"ZinkT.Who has taken over as the most prolific botnet since Rustock was taken down?http:\/\/blogs.msdn.com\/b\/tzink\/ 2011."},{"key":"e_1_2_10_34_1","unstructured":"ZinkT.Has anyone stepped in to fill Rustock's gap?http:\/\/blogs.msdn.com\/b\/tzink\/ 2011."},{"key":"e_1_2_10_35_1","unstructured":"MuncasterP.V3.co.uk Blog. Bagle fills botnet hole as spam drops by third after Rustock takedown. http:\/\/www.v3.co.uk\/ 2011."},{"key":"e_1_2_10_36_1","unstructured":"N. R. 
Organization.Free pool of IPv4 address space depleted.http:\/\/www.nro.net\/news\/ipv4\u2010free\u2010pool\u2010depleted 2011."},{"key":"e_1_2_10_37_1","unstructured":"Threatpost Blog.Attackers adjusting tactics to evade reputation systems.https:\/\/threatpost.com\/en_us\/blogs\/attackers\u2010adjusting\u2010tactics\u2010evade\u2010reputa tion\u2010systems\u2010100711 2011."},{"key":"e_1_2_10_38_1","doi-asserted-by":"crossref","unstructured":"QiuJ GaoL.Detecting bogus BGP route information: going beyond prefix hijacking. Technical Report In Proc. SecureComm 2007.","DOI":"10.1109\/SECCOM.2007.4550358"},{"key":"e_1_2_10_39_1","unstructured":"Symantec Corporation.Symantec Internet security threat report.http:\/\/www.symantec.com\/threatreport\/ 2012."},{"key":"e_1_2_10_40_1","unstructured":"Botnets buying up IPv4 address space.http:\/\/mailman.nanog.org\/pipermail\/nanog\/2011\u2010October\/040883.html 2011."},{"key":"e_1_2_10_41_1","unstructured":"T. C. A. for Internet Data Analysis. Prefix To ASN.http:\/\/data.caida.org\/datasets\/routing\/routeviews\u2010prefix2as\/."},{"key":"e_1_2_10_42_1","unstructured":"NANOG.North American Network Operators' Group.http:\/\/www.merit.edu\/nanog\/."}],"container-title":["Security and Communication 
Networks"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.wiley.com\/onlinelibrary\/tdm\/v1\/articles\/10.1002%2Fsec.640","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/onlinelibrary.wiley.com\/doi\/pdf\/10.1002\/sec.640","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,4,10]],"date-time":"2025-04-10T06:42:38Z","timestamp":1744267358000},"score":1,"resource":{"primary":{"URL":"https:\/\/onlinelibrary.wiley.com\/doi\/10.1002\/sec.640"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2012,10,9]]},"references-count":41,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2016,3,10]]}},"alternative-id":["10.1002\/sec.640"],"URL":"https:\/\/doi.org\/10.1002\/sec.640","archive":["Portico"],"relation":{},"ISSN":["1939-0114","1939-0122"],"issn-type":[{"type":"print","value":"1939-0114"},{"type":"electronic","value":"1939-0122"}],"subject":[],"published":{"date-parts":[[2012,10,9]]}}}