We study the dynamics of scam hosting infrastructure, with an emphasis on the role of fast-flux service networks.
By monitoring changes in DNS records of over 350 distinct spam-advertised domains collected from URLs in 115,000
spam emails received at a large spam sinkhole, we measure the rates and locations of remapping DNS records, and
the rates at which “fresh” IP addresses are used. We find that, unlike the short-lived nature of the scams themselves,
the infrastructure that hosts these scams has relatively persistent features that may ultimately assist detection.