Detection of zombie PCs based on email spam analysis

Hyun Cheol Jeong, Huy Kang Kim, Sangjin Lee, Eunjin Kim

Research output: Contribution to journal › Article

7 Citations (Scopus)

Abstract

While botnets are used for various malicious activities, it is well known that they are widely used for email spam. Though the spam filtering systems currently in use block IPs that send email spam, simply blocking the IPs of zombie PCs participating in a botnet is not enough to prevent the spamming activities of the botnet, because these IPs can easily be changed or manipulated. IP blocking is also insufficient to prevent crimes other than spamming, as a botnet can be used for multiple purposes simultaneously. For this reason, we propose a system that detects botnets and zombie PCs based on email spam analysis. This study introduces the concepts of "group pollution level" (the degree to which a certain spam group is suspected of being a botnet) and "IP pollution level" (the degree to which a certain IP in the spam group is suspected of being a zombie PC). These concepts are applied in our system, which detects botnets and zombie PCs by grouping spam mails based on the URL links or attachments they contain, and by assessing the pollution level of each group and each IP address. For empirical testing, we used email spam data collected by an email spam trap system, Korea's national spam collection system. Our proposed system detected 203 botnets and 18,283 zombie PCs in a day, and these zombie PCs sent about 70% of all the spam messages in our analysis. This shows the effectiveness of detecting zombie PCs by email spam analysis, and the possibility of a dramatic reduction in email spam by taking countermeasures against these botnets and zombie PCs.
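The abstract describes the pipeline (group spam by the URL or attachment it carries, score each group, then score each sender IP) but not the scoring formulas. The following is an added illustration written for this page, not the authors' code: the grouping step follows the abstract, while the "group pollution level" (ratio of distinct sender IPs to messages in a group, so a campaign spread thinly across many hosts scores high and a single mass-mailing server scores zero) and the "IP pollution level" (noisy-OR combination of the suspicious groups an IP took part in) are assumed scoring rules, and the spam-trap messages, IPs and hash are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SpamMessage:
    """One spam-trap message: the connecting IP plus the URLs/attachment it carried."""
    sender_ip: str
    urls: Tuple[str, ...] = ()
    attachment_sha256: Optional[str] = None


def group_keys(msg: SpamMessage) -> Set[str]:
    """Campaign keys as the abstract describes: one per URL (normalised host+path)
    and one per attachment hash, so case and trailing-slash variants collapse."""
    keys = set()
    for u in msg.urls:
        p = urlsplit(u)
        keys.add("url:" + p.netloc.lower() + p.path.rstrip("/"))
    if msg.attachment_sha256:
        keys.add("att:" + msg.attachment_sha256.lower())
    return keys


def build_groups(messages: List[SpamMessage]) -> Dict[str, List[SpamMessage]]:
    groups: Dict[str, List[SpamMessage]] = defaultdict(list)
    for m in messages:
        for k in group_keys(m):
            groups[k].append(m)
    return dict(groups)


def group_pollution_level(members: List[SpamMessage], min_ips: int = 3) -> float:
    """Assumed rule: distinct senders / messages. Groups sent from fewer than
    min_ips hosts are not treated as botnet candidates at all."""
    ips = {m.sender_ip for m in members}
    if len(ips) < min_ips:
        return 0.0
    return len(ips) / len(members)


def ip_pollution_levels(groups: Dict[str, List[SpamMessage]],
                        threshold: float = 0.5, min_ips: int = 3) -> Dict[str, float]:
    """Assumed rule: noisy-OR over every suspicious group the IP appears in,
    so an IP seen in several botnet-like campaigns scores higher than in one."""
    complement: Dict[str, float] = defaultdict(lambda: 1.0)
    for members in groups.values():
        gpl = group_pollution_level(members, min_ips)
        if gpl < threshold:
            continue
        for ip in {m.sender_ip for m in members}:
            complement[ip] *= 1.0 - gpl
    return {ip: 1.0 - c for ip, c in complement.items()}


def detect(messages: List[SpamMessage], threshold: float = 0.5):
    """Return (suspected botnet group keys, {zombie IP: IP pollution level})."""
    groups = build_groups(messages)
    botnets = {k for k, v in groups.items() if group_pollution_level(v) >= threshold}
    zombies = {ip: s for ip, s in ip_pollution_levels(groups, threshold).items()
               if s >= threshold}
    return botnets, zombies


# Constructed sample data (TEST-NET addresses, .example hosts, dummy hash).
_ATT = "00" * 32
SAMPLE_MESSAGES = [
    # Campaign A: 6 messages from 5 hosts, one host sends twice -> 5/6
    SpamMessage("192.0.2.10", ("http://pharma.example/buy",)),
    SpamMessage("192.0.2.10", ("http://pharma.example/buy/",)),       # trailing slash
    SpamMessage("192.0.2.11", ("HTTP://PHARMA.EXAMPLE/buy",)),        # case variant
    SpamMessage("192.0.2.12", ("http://pharma.example/buy",)),
    SpamMessage("192.0.2.13", ("http://pharma.example/buy",)),
    SpamMessage("198.51.100.1", ("http://pharma.example/buy",)),
    # Campaign B: same attachment from 4 hosts, two messages each -> 4/8
    *[SpamMessage(ip, attachment_sha256=_ATT)
      for ip in ("198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4") for _ in range(2)],
    # Single mass-mailer: 10 messages from one host -> not botnet-like
    *[SpamMessage("203.0.113.9", ("http://casino.example/win",)) for _ in range(10)],
]

if __name__ == "__main__":
    b, z = detect(SAMPLE_MESSAGES)
    print("suspected botnet groups:", sorted(b))
    for ip, score in sorted(z.items(), key=lambda kv: -kv[1]):
        print(f"zombie {ip:14s} IP pollution level {score:.3f}")
```

With these assumed rules the host 198.51.100.1, which appears in both campaigns, gets the highest IP pollution level, while the single mass-mailer at 203.0.113.9 is not flagged even though it sent the most messages; that is the distinction the abstract draws between blocking a sending IP and identifying the zombie population behind a campaign. The thresholds and the min_ips cut-off are tuning knobs a real deployment would calibrate against labelled trap data.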

Original language: English
Pages (from-to): 1445-1446
Number of pages: 2
Journal: KSII Transactions on Internet and Information Systems
Volume: 6
Issue number: 5
DOI: 10.3837/tiis.2012.05.011
Publication status: Published - 2012 May 25

Fingerprint

Electronic mail
Spamming
Pollution
Computer crime
Botnet
Websites
Testing

Keywords

  • Bot-net
  • Email spam
  • Internet worm
  • Malware
  • Zombie PC

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems

Cite this

Detection of zombie PCs based on email spam analysis. / Jeong, Hyun Cheol; Kim, Huy Kang; Lee, Sangjin; Kim, Eunjin.

In: KSII Transactions on Internet and Information Systems, Vol. 6, No. 5, 25.05.2012, p. 1445-1446.

Research output: Contribution to journal › Article

@article{6fb5dbd139aa40f6ac7d01e6cced866e,
title = "Detection of zombie PCs based on email spam analysis",
abstract = "While botnets are used for various malicious activities, it is well known that they are widely used for email spam. Though the spam filtering systems currently in use block IPs that send email spam, simply blocking the IPs of zombie PCs participating in a botnet is not enough to prevent the spamming activities of the botnet because these IPs can easily be changed or manipulated. This IP blocking is also insufficient to prevent crimes other than spamming, as the botnet can be simultaneously used for multiple purposes. For this reason, we propose a system that detects botnets and zombie PCs based on email spam analysis. This study introduces the concept of {"}group pollution level{"} - the degree to which a certain spam group is suspected of being a botnet - and {"}IP pollution level{"} - the degree to which a certain IP in the spam group is suspected of being a zombie PC. Such concepts are applied in our system that detects botnets and zombie PCs by grouping spam mails based on the URL links or attachments contained, and by assessing the pollution level of each group and each IP address. For empirical testing, we used email spam data collected in an email spam trap system - Korea's national spam collection system. Our proposed system detected 203 botnets and 18,283 zombie PCs in a day and these zombie PCs sent about 70{\%} of all the spam messages in our analysis. This shows the effectiveness of detecting zombie PCs by email spam analysis, and the possibility of a dramatic reduction in email spam by taking countermeasure against these botnets and zombie PCs.",
keywords = "Bot-net, Email spam, Internet worm, Malware, Zombie PC",
author = "Jeong, {Hyun Cheol} and Kim, {Huy Kang} and Sangjin Lee and Eunjin Kim",
year = "2012",
month = "5",
day = "25",
doi = "10.3837/tiis.2012.05.011",
language = "English",
volume = "6",
pages = "1445--1446",
journal = "KSII Transactions on Internet and Information Systems",
issn = "1976-7277",
publisher = "Korea Society of Internet Information",
number = "5",

}

TY - JOUR

T1 - Detection of zombie PCs based on email spam analysis

AU - Jeong, Hyun Cheol

AU - Kim, Huy Kang

AU - Lee, Sangjin

AU - Kim, Eunjin

PY - 2012/5/25

Y1 - 2012/5/25

N2 - While botnets are used for various malicious activities, it is well known that they are widely used for email spam. Though the spam filtering systems currently in use block IPs that send email spam, simply blocking the IPs of zombie PCs participating in a botnet is not enough to prevent the spamming activities of the botnet because these IPs can easily be changed or manipulated. This IP blocking is also insufficient to prevent crimes other than spamming, as the botnet can be simultaneously used for multiple purposes. For this reason, we propose a system that detects botnets and zombie PCs based on email spam analysis. This study introduces the concept of "group pollution level" - the degree to which a certain spam group is suspected of being a botnet - and "IP pollution level" - the degree to which a certain IP in the spam group is suspected of being a zombie PC. Such concepts are applied in our system that detects botnets and zombie PCs by grouping spam mails based on the URL links or attachments contained, and by assessing the pollution level of each group and each IP address. For empirical testing, we used email spam data collected in an email spam trap system - Korea's national spam collection system. Our proposed system detected 203 botnets and 18,283 zombie PCs in a day and these zombie PCs sent about 70% of all the spam messages in our analysis. This shows the effectiveness of detecting zombie PCs by email spam analysis, and the possibility of a dramatic reduction in email spam by taking countermeasure against these botnets and zombie PCs.

AB - While botnets are used for various malicious activities, it is well known that they are widely used for email spam. Though the spam filtering systems currently in use block IPs that send email spam, simply blocking the IPs of zombie PCs participating in a botnet is not enough to prevent the spamming activities of the botnet because these IPs can easily be changed or manipulated. This IP blocking is also insufficient to prevent crimes other than spamming, as the botnet can be simultaneously used for multiple purposes. For this reason, we propose a system that detects botnets and zombie PCs based on email spam analysis. This study introduces the concept of "group pollution level" - the degree to which a certain spam group is suspected of being a botnet - and "IP pollution level" - the degree to which a certain IP in the spam group is suspected of being a zombie PC. Such concepts are applied in our system that detects botnets and zombie PCs by grouping spam mails based on the URL links or attachments contained, and by assessing the pollution level of each group and each IP address. For empirical testing, we used email spam data collected in an email spam trap system - Korea's national spam collection system. Our proposed system detected 203 botnets and 18,283 zombie PCs in a day and these zombie PCs sent about 70% of all the spam messages in our analysis. This shows the effectiveness of detecting zombie PCs by email spam analysis, and the possibility of a dramatic reduction in email spam by taking countermeasure against these botnets and zombie PCs.

KW - Bot-net

KW - Email spam

KW - Internet worm

KW - Malware

KW - Zombie PC

UR - http://www.scopus.com/inward/record.url?scp=84861887103&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84861887103&partnerID=8YFLogxK

U2 - 10.3837/tiis.2012.05.011

DO - 10.3837/tiis.2012.05.011

M3 - Article

AN - SCOPUS:84861887103

VL - 6

SP - 1445

EP - 1446

JO - KSII Transactions on Internet and Information Systems

JF - KSII Transactions on Internet and Information Systems

SN - 1976-7277

IS - 5

ER -