Analyzing network and content characteristics of spim using honeypots

Authors:
Aarjav J. Trivedi;Paul Q. Judge;Sven Krasser
Affiliations:
Applied Research, Secure Computing Corporation;Applied Research, Secure Computing Corporation;Applied Research, Secure Computing Corporation
Venue:
SRUTI'07 Proceedings of the 3rd USENIX workshop on Steps to reducing unwanted traffic on the internet
Year:
2007

Citing 8
Cited 2

Honeypots: Tracking Hackers

Honeypots: Tracking Hackers
Characterizing a spam traffic

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Computer Network Security

Computer Network Security
On instant messaging worms, analysis and countermeasures

Proceedings of the 2005 ACM workshop on Rapid malcode
HoneySpam: honeypots fighting spam at the source

SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
A virtual honeypot framework

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Detecting and filtering instant messaging spam: a global and personalized approach

NPSEC'05 Proceedings of the First international conference on Secure network protocols
A protocol for secure public instant messaging

FC'06 Proceedings of the 10th international conference on Financial Cryptography and Data Security

Secure instant messaging in enterprise-like networks

Computer Networks: The International Journal of Computer and Telecommunications Networking
Humans and bots in internet chat: measurement, analysis, and automated classification

IEEE/ACM Transactions on Networking (TON)

Quantified Score

Hi-index	0.00

Visualization

Abstract

Instant messaging spam (spim), while less widespread than email spam, is a challenging problem which has received little attention in formal research. Spim is harder to study than spam because of the "walled garden" nature of popular instant messaging platforms. We designed and deployed a proxy based IM honeypot with protocol decoding and analyzed content characteristics of spim and network characteristics of hosts sending spim. Our analysis strongly suggests that adversaries make use of botnets and well coordinated command and control mechanisms in sending spim. Current anti-spim mechanisms rely heavily on content filtering, whitelisting and blacklisting. Our analysis suggests that the same botnets are being employed by spimmers and spammers. Hence network-layer and cross-protocol information sharing between email and IM anti-spam solutions and the use of cross-protocol IP reputation would significantly improve blocking rates. By comparing spim and ham IM data, we also identify several heuristics that can be used to distinguish spim traffic from spam traffic.