Dynamics of Online Scam Hosting Infrastructure

We study the dynamics of scam hosting infrastructure, with an emphasis on the role of fast-flux service networks.
By monitoring changes in DNS records of over 350 distinct spam-advertised domains collected from URLs in 115,000
spam emails received at a large spam sinkhole, we measure the rates and locations of remapping DNS records, and
the rates at which “fresh” IP addresses are used. We find that, unlike the short-lived nature of the scams themselves,
the infrastructure that hosts these scams has relatively persistent features that may ultimately assist detection.


M. Konte, N. Feamster, J. Jung
In the Proceedings of the Passive and Active Measurement Conference (PAM), Seoul, Korea, April 2009.


The data sets we gathered for the above study can be downloaded here.