• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
    • Get the 2022 Cloud Scurity Comparison Guide
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
      • Cyber Threat Categories and Definitions
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Research

Identifying the Behavioral Patterns of a Spam Network

By Thomas Mathew
Posted on October 14, 2014
Updated on March 5, 2020

Share

FacebookTweetLinkedIn

In 2013, email spam accounted for approximately 69% of all internet email traffic [Kaspersky]. Economists predict email spam costs American businesses and consumers approximately $20 billion annually, with spammers making a return of approximately $200 million per year [Rao, Reiley]. Rao and Reiley also note that spam provides nefarious individuals with one of the cheapest returns on investment as the production of spam is incredibly cheap.
Today’s blog post investigates a spam network and identifies behavioral patterns that could be useful for further research. Spam is interesting because it can be highly networked activity that requires coordination between multiple end computers distributed throughout the globe.
 

The Spam Run

In late August, the OpenDNS Security Labs team noticed an unusual surge in DNS queries for a mail server. The figure below shows the rate of DNS queries/min over the span of 24 hours. Visual inspection indicates that a definite surge occurred towards the end of the day. The steepness in the slope for queries/min made us suspicious about the reason behind the spike. For comparison, we created a DNS query/min graph for the previous day to get an idea of more baseline query requests. The second graph shows that traffic follows an expected diurnal cycle with traffic easing off in the early morning and evening.
19_08_spike
18_08_normal
Query spikes are a good first predicator for suspicious behavior but do not usually provide enough evidence to label behavior as malicious. Therefore, to get a better picture of the attack we captured 68 IPs that had an unusually high query rate and mapped them geographically. The image below shows their geographic distribution:
IP Distribution
The IPs had a wide geographic distribution with a small cluster in Ukraine. Furthermore, each of these IPs belonged to networks belonging to residential ISP providers. This new information validated our initial suspicions that the uptick in the queries had come from a spam run. It was now time to investigate the nature and scope of the spam run.
 

The Network

To get a better picture of the spam network, we ran a query which collected all of the DNS queries made by the 68 suspicious IPs for the current and past day. These logs were then filtered down to contain only MX records and A records for mail servers. With structured data, we needed to use a data structure which would highlight the interconnections between the different agents.
Structuring the data as a bipartite graph between IPs to mail servers/domains serves as an easy way to understand the data. A bipartite graph is a graph composed of two independent sets. It allows us to easily calculate which IPs contact the same or similar mail servers. The figure below is a example of the spam network, consisting of 1000 mail servers and six suspected spam IPs. Mail servers are the blue nodes, and IPs are red nodes. Each of the IPs have a cluster of mail servers that only they contact and a few mail servers that are contacted by the whole group. The same structure exists for the larger version of the graph (68 IPs, 40k domains, and 281k edges).
spam_network
Analyzing the type of mail servers contacted reveals an interesting hierarchy. The most frequently contacted mail servers were servers belonging to large, well-known mail providers such as Yahoo, Google, and AOL. A second tier followed which consisted mainly of academic institutions. This was followed a mid-tier of various proxy websites. Finally, at the bottom was a set of low-profile websites. Low profile websites contacted by suspicious IPs had two features in common—they all received sporadic traffic (sub 500 queries per day) and were located in the same geographic zone as the IP sending them email. These low profile websites represent the nodes with degree one in the graph.
With such geographic variance amongst the IPs, it comes as no surprise that domains residing in 19 different country TLDs received spam. The .jp TLD received the most queries with ~800k.
Now that we had a better idea of how the IPs were structured in relation to the domains, we wanted to understand how they might be possibly sending mail or communicating with one another. To do this, we went back to the bipartite graph and did some edge analysis, looking for domains that lay in the ‘sweet spot’ of degree counts. We knew that nodes that were talking to a high percentage of the 68 IPs might be in some way connected to the general spam network.
 

Results

This general technique led us to identify four domains of interest. The first was the periodic request to an IP in Mexico. Some further investigation on this IP led to some interesting results: this IP served as the mail server for a set of Russian hosted domains. This itself was suspicious—a domain hosted in Russia, relying on a mail server located in Mexico. Also suspicious was the fact that this mail server was associated with a set of constantly changing domain names and IPs. In the span of one month there were a total of 3 IP changes and 10 domain name changes. Below is a graph showing the querying frequency of this domain over the course of the day:
148_query_count
Only five of the 68 IPs did not make attempts to contact this dial-up IP during the course of the day. We suspect this IP is used as a email forwarder or open-relay for the spam campaign.
From the remaining three suspicious domains, two shared similar structure with the IP in Mexico (multiple domain names associated with changing IP addresses). The last domain was a mail server misconfigured so it could serve as an open relay.
 

Conclusion

Spam is interesting because it often serves as the vector of infection for botnets or banking trojans. The majority of websites targeted by spam were small e-commerce businesses. It would not be surprising if these spam campaigns target small e-commerce websites with promises of boosting their SEO positions—e-commerce operators unknowingly click on the possibly fraudulent SEO link and become compromised. Therefore, a point of further research is to determine how many of these websites targeted by spam become either compromised websites or part of a botnet. This type of analysis can be useful in developing models that predict relationships between receiving spam and possible future infected domains or users.
 

Previous Post:

Previous Article

Next Post:

Next Article

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella