Understanding the Domain Registration Behavior of Spammers Shuang Hao, Matthew Thomas, Vern Paxson, Nick Feamster, Christian Kreibich, Chris Grier, Scott Hollenbeck

Slides: shao/papers/registration-imc13-slides.… (IMC 2013)

Page 2: Domain Abuse (Overview)

•  Domain names represent valuable Internet resources
•  Domain abuse
   –  Spam contains URLs leading to scam sites
•  Name hierarchy of the example URL
   –  Top-level domain name: com
   –  Second-level domain name: bad-domain.com
   –  Host name: www.bad-domain.com
•  Example spam message (figure on slide): "Hello, By visiting this site you can decide any watch that you like http://www.bad-domain.com/qjkx"; the URL leads to a scam site

Page 3: Spammers Exploit Domains (Overview)

•  Domains are more agile and reliable for attacks
   –  Domain space is very big
   –  Domain cost is small
   –  Not easy to detect

Page 4: Motivation: Early Detection (Overview)

Timeline (figure on slide): Pre-attack [domain registration] -> Attack [spamming] -> Post-attack [spam content filtering, IP blacklisting, URL crawling, DNS traffic analysis, etc.]

•  Most research focuses on activities after spam is sent
   –  Problem: a window is left for spam dissemination and monetization
•  Ultimate goal: detect spammer domains at time-of-registration rather than later at time-of-use

Page 5: Talk Outline (Outline)

•  Motivation
•  Registration Process and Data Collection
•  DNS Infrastructure Used for Spammer Domains
•  Detecting Registration Spikes
•  Domain Life-cycle Role Analysis
•  Summary

Page 6: Domain Registration Process (Background)

Figure on slide: Registrant -> Registrar (e.g., GoDaddy) brokers registrations -> Registry (e.g., Verisign) manages the registration database -> database updates are published to the top-level nameservers

Page 7: Life Cycle Chart (Background)

Figure on slide (.com domain life cycle): Active (1-10 years) -> Auto-Renew Grace (45 days) -> Redemption Grace (30 days) -> Pending Delete (5 days) -> Available. Arrows: Renew returns the domain to Active; Re-registration from Available starts a new Active period.

Page 8: Data Collection (Background)

Two data sources, placed on the timeline of the figure on slide (pre-attack: domain registration; attack: spamming; post-attack):
•  (1) Which domains were newly registered in the .com zone
•  (2) Whether those domains were used in spamming activities after registration

Page 9: Data Statistics (Background)

•  (1) Verisign .com domain registrations over 5 months
   –  12,824,401 new .com domains during March – July, 2012
   –  Epoch: zone file updates every 5 minutes
   –  Registration information: registrars, nameservers, registration history
•  (2) Spammer domains
   –  134,455 new .com domains were blacklisted later
   –  Sources: spam trap, URIBL, and SURBL during March – October, 2012 (8 months)

Page 10: Talk Outline (Outline)

•  Motivation
•  Registration Process and Data Collection
•  DNS Infrastructure Used for Spammer Domains
   –  Registrars and Authoritative Nameservers
•  Detecting Registration Spikes
•  Domain Life-cycle Role Analysis
•  Conclusion

Page 11: Registrars Hosting Spammer Domains (Infrastructure)

•  Question: Which registrars do spammers choose to register domains with?
•  Registrars ranked by the percentage of spammer domains (ranks 4-7 are not shown on the slide):

   Rank  Registrar                            Spam %
   1     eNom, Inc.                           27.03%
   2     Moniker Online Services, Inc.        19.01%
   3     Tucows.com Co.                        4.47%
   8     OnlineNIC, Inc.                       2.13%
   9     Center of Ukrainian Internet Names    2.07%
   10    Register.com, Inc.                    1.89%

•  Figure on slide: share of spammer domains, 70%; share of all domains added to the zone, 20%
•  Confirmation*: a handful of registrars account for the majority of spammer domains

*Levchenko, K. et al. Click Trajectories: End-to-End Analysis of the Spam Value Chain. In Proceedings of the IEEE Symposium on Security and Privacy, 2011.

Page 12: Spam Proportions on Registrars (Infrastructure)

•  Question: Do registrars only host spammer domains?
•  Figure on slide: scatter plot of non-spammer domain counts (x axis, log scale) against spammer domain counts (y axis, log scale), one point per registrar; labeled points: Moniker Online Services, Inc.; GoDaddy.com, LLC; ABSystems Inc; INTERNET.bs Corp.; Tucows.com Co.; Bizcn.com, Inc.; Trunkoz Technologies Pvt Ltd. d/b/a OwnRegistrar.com; OnlineNIC, Inc.; eNom, Inc.; Center of Ukrainian Internet Names; PDR Ltd. d/b/a PublicDomainRegistry.com; Register.com, Inc.
•  Finding: Spammers primarily use popular registrars

Page 13: Authoritative Nameservers (Infrastructure)

•  Question: Do spammers use particular nameservers?
•  Finding: Spammers often use the nameservers provided by the registrars
   –  Example: the DNS server hosting the greatest number of spammer domains is ns1.monikerdns.net, but 99.77% of all domains on it were registered through the same registrar, Moniker Online Services, Inc.

Page 14: Talk Outline (Outline; repeated, next section: Detecting Registration Spikes)

Page 15: An Example of Bulk Registration (Spike Pattern)

•  Question: Do spammers register domains in groups?
•  Figure on slide: domains registered by eNom in each 5-minute epoch on March 5th, 2012; two series, new domains every 5 minutes and new spammer domains every 5 minutes

Page 16: Distribution of Spammer Domain Registration (Spike Pattern)

•  Figure on slide: distribution of the number of spammer domains registered within the same registrar and epoch
   –  Only 20% of the spammer domains were registered in isolation
•  Finding: Spammers perform registrations in batches

Page 17: Modeling Registration Batch Size (Spike Pattern)

•  Question: How to identify "abnormally large" registration batches?
•  Build an hourly model to fit diurnal patterns
•  Use a compound Poisson distribution to represent customer purchase behavior
•  Figure on slide: fitted model for eNom, Inc., hourly window 10AM–11AM ET; a spike is an epoch whose registration count has low probability under the model
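The modeling step of this slide, as an added example that is not the paper's code: a compound Poisson model for one registrar's hourly window, with the distribution of the per-epoch registration count computed by Panjer's recursion and a tail-probability test that flags an epoch as a spike. The batch-size distribution SIZE_PMF, the training counts HISTORY, the method-of-moments fit of the purchase rate and the 1e-3 threshold are this example's assumptions; the slide does not give the fitting procedure.

```python
"""Flag "abnormally large" registration epochs under a compound Poisson model.

Added example, not the paper's code.  Model for one registrar and one hourly
window: an epoch sees N ~ Poisson(lam) purchase events, purchase i adds X_i
domains with X_i i.i.d. ~ SIZE_PMF on {1, 2, ...}, and the epoch's count is
S = X_1 + ... + X_N.  An epoch is a spike when P(S >= observed) < threshold.
SIZE_PMF, HISTORY and the threshold are constructed/assumed values, and the
method-of-moments fit below is this example's choice, not the slide's.
"""
import math

# Assumed batch-size distribution (domains per purchase) for this window.
SIZE_PMF = {1: 0.60, 2: 0.25, 3: 0.10, 5: 0.05}

# Constructed per-epoch counts from a quiet training period of the same hour
# of day (one model per hour of day captures the diurnal pattern).
HISTORY = [3, 5, 4, 6, 2, 5, 7, 4, 3, 6, 5, 4]


def mean_size(pmf):
    """E[X] for the batch-size pmf."""
    return sum(x * p for x, p in pmf.items())


def fit_rate(history, pmf):
    """Method of moments: E[S] = lam * E[X], so lam = mean(S) / E[X]."""
    return (sum(history) / len(history)) / mean_size(pmf)


def compound_poisson_pmf(lam, pmf, s_max):
    """P(S = s) for s = 0..s_max by Panjer's recursion (Poisson case, f(0) = 0):
    g(0) = exp(-lam),  g(s) = (lam / s) * sum_{j <= s} j * f(j) * g(s - j)."""
    g = [0.0] * (s_max + 1)
    g[0] = math.exp(-lam)
    for s in range(1, s_max + 1):
        g[s] = (lam / s) * sum(j * f * g[s - j] for j, f in pmf.items() if j <= s)
    return g


def tail_probability(g, k):
    """P(S >= k) from a pmf table that covers 0..k-1."""
    if k <= 0:
        return 1.0
    return max(0.0, 1.0 - sum(g[:k]))


def detect_spikes(observed, history=HISTORY, pmf=SIZE_PMF, threshold=1e-3):
    """Return (epoch_index, count, tail_probability) for epochs whose count is
    too unlikely under the fitted model; the table is sized to the largest count."""
    lam = fit_rate(history, pmf)
    g = compound_poisson_pmf(lam, pmf, max(observed))
    flagged = []
    for i, s in enumerate(observed):
        p = tail_probability(g, s)
        if p < threshold:
            flagged.append((i, s, p))
    return flagged


if __name__ == "__main__":
    # Constructed 5-minute counts for one hour: the third epoch is a bulk batch.
    observed = [4, 6, 40, 5]
    print("lam =", round(fit_rate(HISTORY, SIZE_PMF), 3))
    for i, s, p in detect_spikes(observed):
        print(f"epoch {i}: {s} registrations, P(S >= {s}) = {p:.2e}  <- spike")
```

The Poisson form of Panjer's recursion is exact for any batch-size pmf on the positive integers, so changing SIZE_PMF to an empirically estimated one needs no other change; in practice one table is fitted per (registrar, hour of day) pair and the threshold is tuned against the false-positive rate the registry can tolerate.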

Page 18: Registrations in Spikes (Spike Pattern)

•  Finding: Spammer domains appear in spikes with a much higher likelihood
   –  Figure on slide: 42% of spammer domains were registered in spikes, versus 15% of all domains

Page 19: Talk Outline (Outline; repeated, next section: Domain Life-cycle Role Analysis)

Page 20: Life Cycle Categories (Life Cycle)

•  Brand-new
   –  The domain has never appeared in the zone before
•  Re-registration
   –  The domain has previously appeared in the zone
   –  Drop-catch: re-registered immediately after its release
   –  Retread: some time elapses between a domain's prior deletion and its re-registration
•  Figure on slide: the life cycle chart of Page 7 (Active (1-10 years) -> Auto-Renew Grace (45 days) -> Redemption Grace (30 days) -> Pending Delete (5 days) -> Available, with the Renew and Re-registration arrows)
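A worked version of the data-collection step (Pages 8-9: diffing 5-minute zone snapshots to find new registrations) together with the life-cycle roles defined on this slide, plus the two checks of Pages 22-23 (blacklist history before re-registration, dormancy under 90 days). This is an added example, not the paper's code: the snapshots, the blacklist history and the one-day drop-catch window are constructed/assumed, and it treats a name's disappearance from the snapshot feed as its deletion time, which is what the paper's registration history provided (in the raw zone a name can drop out before its actual release).

```python
"""Derive registration events from periodic zone snapshots and classify each
new registration by life-cycle role: brand-new, drop-catch or retread.

Added example, not code from the paper.  SNAPSHOTS, BLACKLIST_FIRST_SEEN and
DROP_CATCH_WINDOW are constructed/assumed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a re-registration within one day of the previous deletion is a
# drop-catch; any longer gap is a retread.
DROP_CATCH_WINDOW = timedelta(days=1)


@dataclass(frozen=True)
class Event:
    time: datetime
    domain: str
    kind: str  # "add" (registration) or "delete"


def diff_snapshots(snapshots):
    """Ordered (timestamp, set of names in the zone) snapshots -> Events.
    The first snapshot is the baseline; only changes after it become events,
    which is how a 5-minute zone-file feed exposes registrations and deletions."""
    events = []
    prev = snapshots[0][1]
    for ts, zone in snapshots[1:]:
        events.extend(Event(ts, d, "add") for d in sorted(zone - prev))
        events.extend(Event(ts, d, "delete") for d in sorted(prev - zone))
        prev = zone
    return events


def classify(events):
    """Map (time, domain) of every add event to (role, dormancy_days).

    Only the deletion history seen so far is used, so the label is available at
    registration time.  Caveat: a domain deleted before the observation window
    starts looks brand-new here; the paper had the registry's full history.
    """
    last_deleted = {}
    roles = {}
    for ev in events:
        if ev.kind == "delete":
            last_deleted[ev.domain] = ev.time
        elif ev.domain in last_deleted:
            gap = ev.time - last_deleted[ev.domain]
            role = "drop-catch" if gap <= DROP_CATCH_WINDOW else "retread"
            roles[(ev.time, ev.domain)] = (role, gap.days)
        else:
            roles[(ev.time, ev.domain)] = ("brand-new", None)
    return roles


def dormancy_under(roles, days=90):
    """Fraction of retreads whose previous deletion was less than `days` ago."""
    gaps = [gap for role, gap in roles.values() if role == "retread"]
    return sum(gap < days for gap in gaps) / len(gaps) if gaps else 0.0


def previously_listed_share(roles, first_listed):
    """Fraction of retreads that were on a blacklist before re-registration."""
    retreads = [(t, d) for (t, d), (role, _) in roles.items() if role == "retread"]
    listed = sum(d in first_listed and first_listed[d] < t for t, d in retreads)
    return listed / len(retreads) if retreads else 0.0


# Constructed zone snapshots (T is just a short alias for datetime).
T = datetime
SNAPSHOTS = [
    (T(2012, 3, 1, 0, 0), {"alpha.com", "beta.com", "gamma.com", "delta.com"}),
    (T(2012, 3, 1, 0, 5), {"alpha.com", "beta.com", "gamma.com", "delta.com", "new1.com"}),
    (T(2012, 3, 1, 0, 10), {"alpha.com", "gamma.com", "delta.com", "new1.com"}),
    (T(2012, 3, 1, 0, 15), {"alpha.com", "beta.com", "gamma.com", "delta.com", "new1.com"}),
    (T(2012, 3, 2, 0, 0), {"alpha.com", "beta.com", "new1.com"}),
    (T(2012, 4, 15, 0, 0), {"alpha.com", "beta.com", "new1.com", "gamma.com"}),
    (T(2012, 6, 1, 0, 0), {"alpha.com", "beta.com", "new1.com", "gamma.com", "delta.com", "new2.com"}),
]

# Constructed blacklist history: domain -> first time it was listed.
BLACKLIST_FIRST_SEEN = {"gamma.com": T(2012, 1, 10)}


def demo():
    """Run the pipeline on the constructed data; keys use ISO timestamps."""
    roles = classify(diff_snapshots(SNAPSHOTS))
    return {(t.isoformat(), d): v for (t, d), v in roles.items()}


if __name__ == "__main__":
    roles = classify(diff_snapshots(SNAPSHOTS))
    for (t, d), (role, gap) in sorted(roles.items()):
        print(t.isoformat(), d, role, "" if gap is None else f"dormant {gap} days")
    print("retreads deleted <90 days ago:", dormancy_under(roles))
    print("retreads listed before re-registration:",
          previously_listed_share(roles, BLACKLIST_FIRST_SEEN))
```

On the constructed feed, beta.com is re-added five minutes after it disappears (drop-catch), gamma.com and delta.com come back after 44 and 91 days (retreads), and new1.com and new2.com are brand-new; only gamma.com had a blacklist entry before its re-registration. The role and dormancy are known at the moment the add event arrives, which is what a registration-time detector needs.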

Page 21: Prevalence of Different Categories (Life Cycle)

•  Question: Which type of domain is more likely to be used in spam?
•  Conditional probability of being a spammer domain, by category (column order as on the slide):

   Category                          Overall   In spikes
   Brand-new                         1.01%     2.61%
   Re-registration: Drop-catch       0.33%     0.37%
   Re-registration: Retread          1.34%     4.48%

•  Finding: Spammers commonly re-register expired domains, especially when performing bulk registrations

Page 22: Malicious Activities before Retread (Life Cycle)

•  Question: Do spammers re-register previous spammer domains?
•  Method: check the spam trap and blacklists for the period before the re-registration time (October 2011 – February 2012)
   –  Only 6.8% of the retread spammer domains had appeared in a blacklist before re-registration
•  Finding: Spammers re-register expired domains with clean histories

Page 23: Dormancy before Retread (Life Cycle)

•  Question: How long is the gap between deletion and re-registration?
•  Figure on slide: 65% of retread spammer domains had been deleted less than 90 days before re-registration
•  Finding: Spammers tend to re-register domains that expired more recently

Page 24: Takeaways (Summary)

•  Positive action by specific registrars could have a significant impact in impeding spammer domain registrations
•  Pay attention to bulk registrations: spammers find economic and/or management benefits in registering domains in large batches
•  In addition to generating names, spammers take advantage of re-registering expired domains that originally had a clean history

Page 25: Summary (Summary)

•  We studied the fine-grained domain registration of the .com zone over a 5-month period
•  Registration patterns have power for distinguishing spammer domains, but there is no single striking signal that separates good domains from bad ones
•  Next steps
   –  Develop a detector against spammer domains at registration time
   –  Investigate further the reasons for spammers' registration strategies

http://www.cc.gatech.edu/~shao