Spam-related cyber crimes have become a serious threat to society. Current spam research mainly aims to detect spam more effectively. We believe the identification and disruption of the supporting infrastructure used by spammers is a more effective way of stopping spam than filtering. The termination of spam hosts will greatly reduce the profit a spammer can generate and thwart his ability to send more spam. This research proposes an algorithm for clustering spam domains extracted from spam emails based on their hosting IP addresses and tracing those IP addresses over a period of time. The results show that many seemingly unrelated spam campaigns are actually related once the domain names in the URLs are investigated; spammers have a sophisticated mechanism for combating URL blacklisting by registering many new domain names every day and flushing out old domains; the domains are hosted at different IP addresses across several networks, mostly in China, where legislation is not as tight as in the United States; old IP addresses are replaced by new ones from time to time, but still show strong correlation among them. This paper demonstrates an effective use of data mining to relate spam emails for the purpose of identifying the supporting infrastructure used for spamming and other cyber criminal activities.
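The clustering idea in the abstract, linking domains through the IP addresses that host them and following those addresses across days, can be shown on a small constructed data set. The code below is an added illustration and is not the authors' implementation: it treats each (date, domain, IP) resolution as an edge in a bipartite graph and uses union-find to pull together every domain and address reachable through shared hosting, then orders each cluster's IPs by first appearance so the replacement of old addresses by new ones is visible. All domain names, addresses and dates in OBSERVATIONS are invented for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample observations: (date seen, spam domain, hosting IP), as
# might be collected by resolving URLs extracted from spam emails each day.
# Names and addresses are invented; the addresses come from documentation ranges.
OBSERVATIONS = [
    (date(2010, 3, 1), "pharma-deal-one.example", "203.0.113.10"),
    (date(2010, 3, 1), "cheap-meds-two.example", "203.0.113.10"),
    (date(2010, 3, 1), "watch-replica.example", "198.51.100.7"),
    (date(2010, 3, 2), "cheap-meds-two.example", "203.0.113.11"),
    (date(2010, 3, 2), "rx-fast-three.example", "203.0.113.11"),
    (date(2010, 3, 3), "rx-fast-three.example", "192.0.2.44"),
    (date(2010, 3, 3), "new-pills-four.example", "192.0.2.44"),
    (date(2010, 3, 3), "watch-replica.example", "198.51.100.8"),
    (date(2010, 3, 3), "luxury-watch.example", "198.51.100.8"),
]


class UnionFind:
    """Disjoint-set forest over arbitrary hashable nodes."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_infrastructure(observations):
    """Group domains and IPs that are connected through shared hosting.

    Nodes are tagged ("domain", name) or ("ip", addr) so the two namespaces
    never collide. Every observation joins its domain and its IP, so two
    domains end up in one cluster if any chain of shared addresses links them,
    even when they were never hosted together on the same day.
    """
    uf = UnionFind()
    first_seen = {}
    for day, domain, ip in sorted(observations):
        uf.union(("domain", domain), ("ip", ip))
        first_seen.setdefault(("ip", ip), day)

    groups = defaultdict(lambda: {"domains": set(), "ips": set(), "days": []})
    for day, domain, ip in observations:
        g = groups[uf.find(("domain", domain))]
        g["domains"].add(domain)
        g["ips"].add(ip)
        g["days"].append(day)

    clusters = []
    for g in groups.values():
        # Order the cluster's addresses by the day each was first observed so
        # the timeline shows old hosts being replaced by new ones.
        timeline = sorted((first_seen[("ip", ip)], ip) for ip in g["ips"])
        clusters.append({
            "domains": sorted(g["domains"]),
            "ips": [ip for _, ip in timeline],
            "ip_timeline": [(d.isoformat(), ip) for d, ip in timeline],
            "first_seen": min(g["days"]),
            "last_seen": max(g["days"]),
        })
    # Largest clusters first; ties broken by the alphabetically first domain.
    clusters.sort(key=lambda c: (-len(c["domains"]), c["domains"][0]))
    return clusters


def same_campaign(clusters, domain_a, domain_b):
    """True if both domains fall in one hosting cluster."""
    return any(domain_a in c["domains"] and domain_b in c["domains"] for c in clusters)


if __name__ == "__main__":
    for c in cluster_infrastructure(OBSERVATIONS):
        print(f"{len(c['domains'])} domains, {len(c['ips'])} IPs, "
              f"{c['first_seen']} to {c['last_seen']}")
        for d in c["domains"]:
            print("   domain", d)
        for day, ip in c["ip_timeline"]:
            print("   ip    ", ip, "first seen", day)
```

In the sample, pharma-deal-one.example and new-pills-four.example never share a hosting address directly, yet they land in the same cluster through the intermediate domains and addresses, which is the kind of hidden relationship the abstract describes; the watch domains form a separate cluster on a different network. On real data the same routine runs over daily resolution logs, and the per-cluster IP timeline is what an investigator or hosting provider would hand to an abuse desk.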
Wei, C., Sprague, A., Warner, G., & Skjellum, A. (2010). Clustering Spam Domains and Destination Websites: Digital Forensics with Data Mining. Journal of Digital Forensics, Security and Law. https://doi.org/10.15394/jdfsl.2010.1070