Detection of zombie PCs based on email spam analysis

Hyun Cheol Jeong, Huy Kang Kim, Sangjin Lee, Eunjin Kim

Research output: Contribution to journalArticle

7 Citations (Scopus)

Abstract

While botnets are used for various malicious activities, it is well known that they are widely used for email spam. Though the spam filtering systems currently in use block IPs that send email spam, simply blocking the IPs of zombie PCs participating in a botnet is not enough to prevent the spamming activities of the botnet because these IPs can easily be changed or manipulated. This IP blocking is also insufficient to prevent crimes other than spamming, as the botnet can be simultaneously used for multiple purposes. For this reason, we propose a system that detects botnets and zombie PCs based on email spam analysis. This study introduces the concept of "group pollution level" - the degree to which a certain spam group is suspected of being a botnet - and "IP pollution level" - the degree to which a certain IP in the spam group is suspected of being a zombie PC. Such concepts are applied in our system that detects botnets and zombie PCs by grouping spam mails based on the URL links or attachments contained, and by assessing the pollution level of each group and each IP address. For empirical testing, we used email spam data collected in an email spam trap system - Korea's national spam collection system. Our proposed system detected 203 botnets and 18,283 zombie PCs in a day and these zombie PCs sent about 70% of all the spam messages in our analysis. This shows the effectiveness of detecting zombie PCs by email spam analysis, and the possibility of a dramatic reduction in email spam by taking countermeasure against these botnets and zombie PCs.

Original languageEnglish
Pages (from-to)1445-1446
Number of pages2
JournalKSII Transactions on Internet and Information Systems
Volume6
Issue number5
DOIs
Publication statusPublished - 2012 May 25

Keywords

  • Bot-net
  • Email spam
  • Internet worm
  • Malware
  • Zombie PC

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems

Fingerprint Dive into the research topics of 'Detection of zombie PCs based on email spam analysis'. Together they form a unique fingerprint.

  • Cite this