
Early Detection of Spam Domains with Passive DNS and SPF

by Simon Fernandez, et al.
Université Grenoble Alpes

Spam domains are sources of unsolicited mail and one of the primary vehicles for fraud and malicious activities such as phishing campaigns or malware distribution. Spam domain detection is a race: as soon as the spam mails are sent, taking down the domain or blacklisting it is of limited use, as spammers have to register a new domain for their next campaign anyway. To prevent malicious actors from sending mail, we need to detect them as fast as possible and, ideally, even before the campaign is launched. In this paper, using near-real-time passive DNS data from Farsight Security, we monitor the DNS traffic of newly registered domains and the contents of their TXT records, in particular the configuration of the Sender Policy Framework (SPF), an anti-spoofing protocol for domain names and the first line of defense against devastating Business Email Compromise scams. Because spam and benign domains have different SPF rules and different traffic profiles, we build a new method to detect spam domains using features collected from passive DNS traffic. Using the SPF configuration and the traffic to the TXT records of a domain, we accurately detect a significant proportion of spam domains with a low false-positive rate, demonstrating the method's potential in real-world deployments. Our classification scheme can detect spam domains before they send any mail, using only a single DNS query; later on, it can refine its classification by monitoring more traffic to the domain name.
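The abstract describes classifying domains from features of their SPF TXT records. As an added illustration, not code from the paper or its authors, the Python below selects a domain's SPF record from its TXT records and parses it (RFC 7208 syntax) into a small set of structural features: the qualifier on the `all` term, the number of `include`, `ip4` and `ip6` terms, use of the deprecated `ptr` mechanism, presence of `redirect=`, and syntax errors. The feature set, the function names `select_spf` and `parse_spf`, and the sample records are this example's own assumptions, and the records are constructed, not taken from the paper's data.

```python
"""Parse SPF TXT records into structural features (illustrative, not the paper's feature set)."""
import re

# Mechanism names defined by RFC 7208 section 5.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# A record is SPF only if it starts with exactly 'v=spf1' followed by whitespace or end.
SPF_VERSION_RE = re.compile(r"^v=spf1(\s|$)", re.IGNORECASE)
# name=value terms (redirect=, exp=, or unknown modifiers, which evaluators ignore).
MODIFIER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*)=(.*)$")
# Optional qualifier, mechanism name, optional ':' or '/' argument.
MECHANISM_RE = re.compile(r"^([+\-~?])?([A-Za-z0-9]+)([:/].*)?$")


def select_spf(txt_records):
    """Return the single SPF record among a domain's TXT strings, or None.

    RFC 7208 section 3 allows at most one 'v=spf1' record per name; zero or
    several is treated here as 'no usable policy'.
    """
    spf = [r for r in txt_records if SPF_VERSION_RE.match(r)]
    return spf[0] if len(spf) == 1 else None


def parse_spf(record):
    """Parse one TXT string into a flat feature dict (names are this example's choice)."""
    features = {
        "is_spf": False,
        "valid": False,
        "term_count": 0,
        "all_qualifier": None,        # '+', '-', '~' or '?' when an 'all' term is present
        "permits_any_sender": False,  # '+all' (or bare 'all'): any host may send as the domain
        "include_count": 0,
        "includes": [],
        "ip4_count": 0,
        "ip6_count": 0,
        "uses_ptr": False,            # 'ptr' is deprecated by RFC 7208 (slow and unreliable)
        "has_redirect": False,
        "unknown_mechanisms": [],
        "mechanism_counts": {name: 0 for name in sorted(MECHANISMS)},
    }
    if not SPF_VERSION_RE.match(record):
        return features
    features["is_spf"] = True
    terms = record.split()[1:]
    features["term_count"] = len(terms)
    valid = True
    for term in terms:
        mod = MODIFIER_RE.match(term)
        if mod:
            if mod.group(1).lower() == "redirect":
                features["has_redirect"] = True
            continue  # exp= and unknown modifiers carry no feature here
        mech = MECHANISM_RE.match(term)
        if not mech:
            valid = False
            features["unknown_mechanisms"].append(term)
            continue
        qualifier = mech.group(1) or "+"   # RFC 7208: missing qualifier means '+'
        name = mech.group(2).lower()
        arg = mech.group(3)
        if name not in MECHANISMS:
            valid = False                  # unknown mechanism => permerror for evaluators
            features["unknown_mechanisms"].append(name)
            continue
        features["mechanism_counts"][name] += 1
        if name == "all":
            if features["all_qualifier"] is None:   # first 'all' ends evaluation
                features["all_qualifier"] = qualifier
                features["permits_any_sender"] = qualifier == "+"
        elif name == "include":
            features["include_count"] += 1
            if arg and arg.startswith(":") and len(arg) > 1:
                features["includes"].append(arg[1:].lower())
            else:
                valid = False              # include requires a domain argument
        elif name == "ip4":
            features["ip4_count"] += 1
        elif name == "ip6":
            features["ip6_count"] += 1
        elif name == "ptr":
            features["uses_ptr"] = True
    features["valid"] = valid
    return features


if __name__ == "__main__":
    # Constructed sample TXT record sets for two hypothetical domains.
    for txt in (["google-site-verification=abc", "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"],
                ["v=spf1 +all"]):
        rec = select_spf(txt)
        print(rec, "->", parse_spf(rec) if rec else "no single SPF record")
```

A record that resolves to `permits_any_sender` or fails parsing is not by itself evidence of spam; the point of the features is to feed a classifier together with the passive DNS traffic profile, as the abstract describes.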
