empirically characterizing
play

Empirically Characterizing Domain Abuse and the Revenue Impact of - PowerPoint PPT Presentation

Jun 01, 2023 •183 likes •686 views

Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting Neha Chachra*, Damon McCoy, Stefan Savage, Geoffrey M. Voelker 2 3 4 5 6 Spam was 70% of total email traffic in 2013 7 buydrugs.com canadianpharmacy.com

  1. Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting Neha Chachra*, Damon McCoy, Stefan Savage, Geoffrey M. Voelker

  2. 2

  3. 3

  4. 4

  5. 5

  6. 6

  7. Spam was 70% of total email traffic in 2013 7

  8. buydrugs.com canadianpharmacy.com genericviagra.com fmomail3.info fmomail4.info foodexquisite.net gingerbreadmanz.com givespry.com gnawstaxi.com hathaywo.com havensgroggy.com headdownels.com healsflit.com 8

  9. buydrugs.com canadianpharmacy.com genericviagra.com fmomail3.info fmomail4.info foodexquisite.net gingerbreadmanz.com givespry.com gnawstaxi.com hathaywo.com havensgroggy.com headdownels.com healsflit.com 9

  10. Overview Understand how domain blacklisting affects its monetizability Answered using the ground truth data  Amount, time of sale of drugs for every spammed domain  Time and duration of blacklisting 10

  11. Leaked Data Set All transaction data for counterfeit pharmaceutical SpamIt campaigns Leaked publicly due to conflict GlavMed 11

  12. 12

  13. Leaked Data Set SpamIt GlavMed 13

  14. Leaked Data Set Databases for SpamIt and GlavMed Leaked database Domain Name Created On Affiliate ~100 tables in each db placecanadianyule.com 2009-04-27 master666 20:18:00 52 K SpamIt domains 2 K GlavMed domains Shop Site 14

  15. Leaked Data Set 2 M transactions for $170 M over 3 years Leaked database Domain Name Created On Affiliate Sale Time Domain Amount Referrer ?? ?? 2009-06-18 placecanadianyule.com 149.45 http://groups.google.com 05:09:46 /group/300x51242280263 Sales 15

  16. Leaked Data Set Leaked database Domain Name Created On Affiliate Sale Time Domain Amount Referrer ?? ?? 2009-06-18 placecanadianyule.com 149.45 http://groups.google.com/ 05:09:46 group/300x51242280263 Sales 16

  17. Example Referrers http://bl111w.blu111.mail.live.com /mail/readmessagelight.aspx?action =markasnotjunk&folderid=... http://mail.yahoo.com/mc/showFolde r?fid=Inbox... http://www.google.com/search?hl=en &q=canadian+viagra&... http://us.yhs.search.yahoo.com/avg /search?p=buy+prozac&... 17

  18. 98% of SpamIt revenue arose from emails 90% of GlavMed revenue arose from search 18

  19. Example Referrers http://bl111w.blu111.mail.live.com /mail/readmessagelight.aspx?action =markasnotjunk&folderid=... http://mail.yahoo.com/mc/showFolde r?fid=Inbox... http://www.google.com/search?hl=en &q=canadian+viagra&... http://us.yhs.search.yahoo.com/avg /search?p=buy+prozac&... 19

  20. 20% of Hotmail sales, 40% of Yahoo mail sales are from junk folders There is high demand for counterfeit drugs! 20

  21. Affiliate Program Overview Affiliate Affiliate Program Shop Site 21

  22. Affiliate Program Overview Commission Transaction Processing Affiliate Affiliate Program Shop Site Purchase Advertise Order fulfilment Customer 22

  23. Affiliate Program Overview Affiliates advertise aggressively to get Affiliate customers Shop Site Purchase Advertise Domain blacklisting disrupts advertising Customer 23

  24. Blacklist Data: URIBL Popular email based blacklist Used for classification of spammed domains When and how long a domain was blacklisted Study the effect on SpamIt domains 24

  25. Attributes of a Good Blacklist 1. Speed: Identifies domains fast 2. Coverage: Identifies all or most domains 3. Penalty: Consequences of blacklisting 4. Resource Choice: Cost imposed due to replacing the resource 25

  26. Speed How fast is blacklisting? Time to blacklist is an opportunity to monetize Results:  Most domains appeared within 48 hours  Spammers earned $740 K before domains were blacklisted ($21/domain) 26

  27. Coverage How many domains does blacklist identify? Any missed domains will continue to monetize Results:  88% of the 40 K SpamIt domains blacklisted  Remaining 12% earned 62% of total revenue ($1900/domain) 27

  28. Penalty Does blacklisting have consequences that force domain replacement? Results: 28

  29. Penalty Domains continue to monetize after blacklisting Blacklisting used to classify emails into spam 87% revenue after blacklisti ($147/domain) Due to demand customers found emails Blacklisted domains continued to monetize 29

  30. Penalty Spammers replace domains after Blacklisting used to classify emails into spam Revenue peaks within 2 hours of blacklisting blacklisting Due to demand customers found emails Blacklisted domains continued to monetize 30

  31. Penalty Blacklisting used to classify emails into spam Revenue for block-access penalty $21/domain in blocking regime Due to demand customers found emails Blacklisted domains continued to monetize 31

  32. Resource Choice What is the cost of replacing a domain? Observations:  Domains cost between $0.10 - $10  Replacing domains can be automated 32

  33. Summarizing Blacklisting Efficacy Blacklists only affect the email vector Blacklisting is not fast enough to overwhelm the cost of replacing domains Penalty is too low (87% of the revenue after blacklisting) Blacklists miss some domains that monetize heavily ($1900/domain) 33

  34. Blacklist Evasion Depends on how blacklist is constructed Blacklists constructed using:  Email honeypots  Human identification for emails 34

  35. Blacklist Evasion 3 ways to evade blacklists:  Use a non-email vector  Advertise solely to real humans – 96% of blacklisted domains, 0.5% non-blacklisted domains appear on honeypot feeds – 25% non-blacklisted domains appear in human identified spam  Hide storefront domains behind redirections 35

  36. Blacklist Evasion Intermediate Domain 36

  37. Identifying Intermediate Domains Found variety of referrers Sale Time Domain Amount Referrer 2009-06-18 placecanadianyule.com 149.45 http://groups.google.com/ 05:09:46 group/300x51242280263

  38. Identifying Intermediate Domains Classified intermediate domains into Free hosting, Bulk, and Compromised sites SpamIt abused cheap, third-party domains GlavMed abused domains to increase search engine ranks and number of results

  39. Free Hosting Domains 39

  40. 40

  41. Free Hosting Domains Domains which allow anyone to host content Features:  Free  Often not blacklisted at all Represent 86% of SpamIt revenue from intermediate domains 42

  42. Bulk Domains Cheap domains purchased for redirection Features:  Inexpensive  Easily blacklisted  Useful for SEO 13% of SpamIt revenue, 46% of GlavMed revenue 43

  43. 44

  44. Compromised Domains Sites hacked for hosting links to storefronts Features:  Useful for SEO  Takedown is slower 26% of GlavMed revenue 45

  45. 46

  46. Intermediate Domain Abuse Spammers abuse wide variety of domains to:  Evade detection and blacklisting  Increase traffic at minimal cost Spammers are flexible at switching strategies 47

  47. Temporal Domain Abuse Spammers switch from free hosting to bulk domain abuse 48

  48. Temporal Domain Abuse 49

  49. Summary Blacklisting currently unable to undermine spamming enterprise Faster blacklisting unlikely to overwhelm the business without block access penalty Coverage is important to improve but difficult  Agile spammers  Many evasion techniques exist 50

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies Internet Routing Policies Feng Wang Lixin Gao Department of Electrical and Computer Engineering University of Massachusetts, Amherst MA 01002, USA 1

450 views • 18 slides
I would like to know (empirically) Bertrand Meyer (SEAFOOD)

I would like to know (empirically) Bertrand Meyer (SEAFOOD)

Two or three things I would like to know (empirically) Bertrand Meyer (SEAFOOD) - , 2010 Chair of Software Engineering 2 Supplementary topics Experiences in industry

904 views • 68 slides
Detecting and Detecting and Characterizing Heterogeneity Characterizing Heterogeneity

Detecting and Detecting and Characterizing Heterogeneity Characterizing Heterogeneity

Detecting and Detecting and Characterizing Heterogeneity Characterizing Heterogeneity (Biochemical or Conformational) (Biochemical or Conformational) by Cryo-EM by Cryo-EM Eva Nogales HHMI / UC Berkeley LBNL Seth Kostek Transcription

492 views • 34 slides
Are we using enough listeners? No! An empirically-supported critique of Interspeech 2014 TTS

Are we using enough listeners? No! An empirically-supported critique of Interspeech 2014 TTS

Are we using enough listeners? No! An empirically-supported critique of Interspeech 2014 TTS evaluations Mirjam Wester, Cassia Valentini-Botinhao and Gustav Eje Henter CSTR, University of Edinburgh Introduction

900 views • 28 slides
Create Distributions Empirically using Excel V0E 10/11/2014 0E 2014 Schield Creating

Create Distributions Empirically using Excel V0E 10/11/2014 0E 2014 Schield Creating

Create Distributions Empirically using Excel V0E 10/11/2014 0E 2014 Schield Creating Distributions Empirically 1 0E 2014 Schield Creating Distributions Empirically 2 Creating Distributions Generating Distributions Empirically In

978 views • 21 slides
Ubiquitous and Mobile Computing CS 528: Automatically Characterizing Places with Opportunistic

Ubiquitous and Mobile Computing CS 528: Automatically Characterizing Places with Opportunistic

Ubiquitous and Mobile Computing CS 528: Automatically Characterizing Places with Opportunistic CrowdSensing using Smartphones Gauri Pulekar Computer Science Dept. Worcester Polytechnic Institute (WPI) Automatically Characterizing Places with

311 views • 30 slides
Ask and You Shall Receive: Empirically Evaluating Declarative Approaches to Finding Data in

Ask and You Shall Receive: Empirically Evaluating Declarative Approaches to Finding Data in

Ask and You Shall Receive: Empirically Evaluating Declarative Approaches to Finding Data in Unstructured Heaps William F . Jones and Gregory M. Kapfhammer Allegheny College http://www.cs.allegheny.edu/ gkapfham/ 20th International

1.34k views • 98 slides
Characterizing and Synthesizing Task Dependencies of Data-Parallel Jobs in Alibaba Cloud

Characterizing and Synthesizing Task Dependencies of Data-Parallel Jobs in Alibaba Cloud

Characterizing and Synthesizing Task Dependencies of Data-Parallel Jobs in Alibaba Cloud Huangshi Tian, Yunchuan Zheng, Wei Wang @ HKUST Nov. 21, 2019 1 Every job is born equal, but some are more complicated ... Hadoop Spark Characterizing

269 views • 26 slides
Empirically Distinguishing Informative and Prestige Effects of Advertising (Ackerberg, 2001 RAND)

Empirically Distinguishing Informative and Prestige Effects of Advertising (Ackerberg, 2001 RAND)

Introduction Data Model Results Conclusions Empirically Distinguishing Informative and Prestige Effects of Advertising (Ackerberg, 2001 RAND) Panagiotis Adamopoulos Department of Information, Operations and Management Sciences Stern School

776 views • 18 slides
EMPIRICALLY IDENTIFYING THE BEST GENETIC ALGORITHM FOR COVERING ARRAY GENERATION Liang Yalan 1 ,

EMPIRICALLY IDENTIFYING THE BEST GENETIC ALGORITHM FOR COVERING ARRAY GENERATION Liang Yalan 1 ,

1 EMPIRICALLY IDENTIFYING THE BEST GENETIC ALGORITHM FOR COVERING ARRAY GENERATION Liang Yalan 1 , Changhai Nie 1 , Jonathan M. Kauffman 2 , Gregory M. Kapfhammer 2 , Hareton Leung 3 1 Department of Computer Science and Technology, Nanjing

1.33k views • 60 slides
Like Sheep Among Wolves: Characterizing Hateful Users on Twitter Manoel Horta Ribeiro Pedro H.

Like Sheep Among Wolves: Characterizing Hateful Users on Twitter Manoel Horta Ribeiro Pedro H.

Like Sheep Among Wolves: Characterizing Hateful Users on Twitter Manoel Horta Ribeiro Pedro H. Calais Yuri A. Santos Virglio A. F. Almeida Wagner Meira Jr. Motivation |||| In recent years plenty of work was done on characterizing and

311 views • 19 slides
Observatory of Complex Systems http://ocs.unipa.it ELSA Air Traffic Simulator: an Empirically

Observatory of Complex Systems http://ocs.unipa.it ELSA Air Traffic Simulator: an Empirically

Observatory of Complex Systems http://ocs.unipa.it ELSA Air Traffic Simulator: an Empirically grounded Agent Based Model for the SESAR scenario S. Miccich salvatore.micciche@unipa.it Universit degli Studi di Palermo Dipartimento di

334 views • 32 slides
Empirically Estimating Order Constraints for Content Planning in Generation Pablo A. Duboue and

Empirically Estimating Order Constraints for Content Planning in Generation Pablo A. Duboue and

Empirically Estimating Order Constraints for Content Planning in Generation Pablo A. Duboue and Kathleen R. McKeown Computer Science Department Columbia University in the city of New York (ACL 01) A Natural Language Generation Pipeline

442 views • 23 slides
Empirically Estimating Order Constraints for Content Planning in Generation Pablo A. Duboue and

Empirically Estimating Order Constraints for Content Planning in Generation Pablo A. Duboue and

Empirically Estimating Order Constraints for Content Planning in Generation Pablo A. Duboue and Kathleen R. McKeown Computer Science Department Columbia University in the city of New York A Natural Language Generation Pipeline Generation

449 views • 18 slides
Testing times: the effect of time period selection on empirically determined rainfall-runoff

Testing times: the effect of time period selection on empirically determined rainfall-runoff

12:48:16 Testing times: the effect of time period selection on empirically determined rainfall-runoff relationships Jason M Whyte Discipline of Applied Mathematics School of Mathematical Sciences The University of Adelaide

491 views • 17 slides
Bj ork Chapter (3rd edition) 23 : Short rate models; generalities. Empirically: Variations in

Bj ork Chapter (3rd edition) 23 : Short rate models; generalities. Empirically: Variations in

Bj ork Chapter (3rd edition) 23 : Short rate models; generalities. Empirically: Variations in the short rate explains a large percentage of the variation of the whole term structure. (The tail wagging the dog) An

326 views • 7 slides
THE DIFFERENCE BETWEEN A KILLER DEAL AND A DEAL KILLER MARKUS JAKOBSSON PAYPAL THAT DIFFERENCE

THE DIFFERENCE BETWEEN A KILLER DEAL AND A DEAL KILLER MARKUS JAKOBSSON PAYPAL THAT DIFFERENCE

THE DIFFERENCE BETWEEN A KILLER DEAL AND A DEAL KILLER MARKUS JAKOBSSON PAYPAL THAT DIFFERENCE IS OFTEN SMALL 2 Confidential and Proprietary PART 1/3: DEALING WITH WEB SPOOFING JOINT WORK WITH HOSSEIN SIADATI 3 Confidential and

567 views • 32 slides
Rural Mentoring: Leveraging Community Assets and Creating a Culture of Mentoring March 21, 2019

Rural Mentoring: Leveraging Community Assets and Creating a Culture of Mentoring March 21, 2019

Collaborative Mentoring Webinar Series Rural Mentoring: Leveraging Community Assets and Creating a Culture of Mentoring March 21, 2019 2019 Collaborative Mentoring Webinar Series Planning T eam The Collaborative Mentoring Webinar Series is

654 views • 41 slides
Affiliate NetIDs - Where Are We Now? Pat Schlehuber - AITS Who are the Urbana affiliates?

Affiliate NetIDs - Where Are We Now? Pat Schlehuber - AITS Who are the Urbana affiliates?

Affiliate NetIDs - Where Are We Now? Pat Schlehuber - AITS Who are the Urbana affiliates? Non-students/staff/and faculty Members of established programs Allied agencies Special Visiting scholars Vendors

961 views • 20 slides
& Network for Good: A Partnership for [[[ Fundraising Success www.networkforgood.org/npo

& Network for Good: A Partnership for [[[ Fundraising Success www.networkforgood.org/npo

National Wildlife Federation Affiliates & Network for Good: A Partnership for [[[ Fundraising Success www.networkforgood.org/npo Who we are Network for Good is a nonprofit that was started in 2001 by the technology giants AOL, Cisco

196 views • 16 slides
Distribution Ring-fencing Guideline Update Stakeholder workshop 28 & 29 August 2019

Distribution Ring-fencing Guideline Update Stakeholder workshop 28 & 29 August 2019

Distribution Ring-fencing Guideline Update Stakeholder workshop 28 & 29 August 2019 aer.gov.au 1 Introduction Ring-fencing guideline p rogress so far guideline observations. Purpose of this consultation: review of

562 views • 31 slides
Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca

Tracking Ransomware End-to-end Danny Y. Huang Maxwell Matthaios Aliapoulios, Vector Guo Li Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin Kirill Levchenko, Alex C. Snoeren, Damon McCoy Ransomware causes financial damages

798 views • 54 slides
Clinical Trials Network Awards and Texas Clinical Trials Participation Program Awards RFA -

Clinical Trials Network Awards and Texas Clinical Trials Participation Program Awards RFA -

Clinical Trials Network Awards and Texas Clinical Trials Participation Program Awards RFA - Webinar October 19, 2020 AGENDA 12:00 12:05 Welcome James Willson, M.D., CPRIT Chief Scientific Officer Patty Moore, Ph.D., Senior Program

450 views • 12 slides
ASCO STATE ADVOCACY RESOURCES Tracey Weisberg MD New England Cancer Specialists 20162017

ASCO STATE ADVOCACY RESOURCES Tracey Weisberg MD New England Cancer Specialists 20162017

ASCO STATE ADVOCACY RESOURCES Tracey Weisberg MD New England Cancer Specialists 20162017 State Affiliates Chairperson NNECOS is Important!!! State societies are first to usually learn about key mandates that are ongoing in their state

310 views • 15 slides

More recommend