Early Detection of Spam Domains with Passive DNS and SPF

05/04/2022
by Simon Fernandez, et al.

Spam domains are sources of unsolicited mail and one of the primary vehicles for fraud and malicious activities such as phishing campaigns or malware distribution. Spam domain detection is a race: once the spam mails have been sent, taking down the domain or blacklisting it is of limited use, because spammers simply register a new domain for their next campaign. To prevent malicious actors from sending mail, we need to detect their domains as fast as possible and, ideally, before the campaign is launched. In this paper, using near-real-time passive DNS data from Farsight Security, we monitor the DNS traffic of newly registered domains and the contents of their TXT records, in particular the configuration of the Sender Policy Framework (SPF), the mechanism by which a domain publishes which hosts may send mail on its behalf, and the first line of defense against devastating Business Email Compromise scams. Because spam and benign domains publish different SPF rules and exhibit different traffic profiles, we build a new method to detect spam domains using features collected from passive DNS traffic. Using the SPF configuration and the traffic to the TXT records of a domain, we accurately detect a significant proportion of spam domains with a low false-positive rate, demonstrating the method's potential in real-world deployments. Our classification scheme can detect spam domains before they send any mail, using only a single DNS query, and can later refine its classification by monitoring more traffic to the domain name.
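To make concrete what "features from the SPF configuration" can mean, here is an added example of parsing an SPF TXT record into structural features and applying a few sanity checks. This is example code written for this page, not the authors' implementation: the paper does not publish its exact feature set or classifier, so the feature names, the `risk_flags` rules and the sample records below are constructed assumptions. The checks themselves (the `+all` qualifier, the 10-lookup limit, the deprecated `ptr` mechanism) follow RFC 7208.

```python
"""Structural features of an SPF record, as an added illustration.

Example code written for this page, not the paper's implementation. The
feature set, the risk flags and the sample TXT records are constructed
assumptions; the paper does not list its exact features.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 7208 term: optional qualifier, mechanism name, optional ":domain" or
# "/prefix" argument. "all" is listed before "a" so the alternation picks it.
TERM_RE = re.compile(
    r"^(?P<qual>[+\-~?])?(?P<mech>all|include|a|mx|ptr|ip4|ip6|exists)"
    r"(?:[:/](?P<arg>.+))?$",
    re.IGNORECASE,
)
MODIFIER_RE = re.compile(r"^(?P<name>[a-z][a-z0-9_.-]*)=(?P<value>.*)$", re.IGNORECASE)
# Terms that cost a DNS lookup at evaluation time; RFC 7208 section 4.6.4 caps
# these at 10, beyond which receivers return permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class SpfFeatures:
    valid: bool = False          # starts with "v=spf1" and every term parsed
    n_terms: int = 0
    n_include: int = 0
    n_ip4: int = 0
    n_ip6: int = 0
    n_a: int = 0
    n_mx: int = 0
    n_ptr: int = 0
    n_dns_lookups: int = 0
    all_qualifier: str = ""      # "+", "-", "~", "?" or "" when "all" is absent
    has_redirect: bool = False
    min_ip4_prefix: Optional[int] = None   # smallest (broadest) ip4 prefix length
    length: int = 0
    errors: List[str] = field(default_factory=list)


def parse_spf(txt: str) -> SpfFeatures:
    """Parse one TXT record; join multi-string RDATA before calling (RFC 7208 3.3)."""
    f = SpfFeatures(length=len(txt))
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        f.errors.append("not an SPF record")
        return f
    ok = True
    for term in terms[1:]:
        f.n_terms += 1
        m = TERM_RE.match(term)
        if m:
            mech = m.group("mech").lower()
            qual = m.group("qual") or "+"        # default qualifier is pass
            arg = m.group("arg")
            if mech in LOOKUP_TERMS:
                f.n_dns_lookups += 1
            if mech == "all":
                f.all_qualifier = qual
            elif mech == "include":
                f.n_include += 1
            elif mech == "ip4":
                f.n_ip4 += 1
                try:
                    prefix = int(arg.split("/")[1]) if arg and "/" in arg else 32
                except ValueError:
                    ok = False
                    f.errors.append(f"bad ip4 prefix: {term}")
                    continue
                f.min_ip4_prefix = prefix if f.min_ip4_prefix is None else min(f.min_ip4_prefix, prefix)
            elif mech == "ip6":
                f.n_ip6 += 1
            elif mech == "a":
                f.n_a += 1
            elif mech == "mx":
                f.n_mx += 1
            elif mech == "ptr":
                f.n_ptr += 1
            continue
        m = MODIFIER_RE.match(term)
        if m:
            if m.group("name").lower() == "redirect":
                f.has_redirect = True
                f.n_dns_lookups += 1
            continue           # "exp=" and unknown modifiers are ignored per RFC 7208
        ok = False
        f.errors.append(f"unparseable term: {term}")
    f.valid = ok
    return f


def risk_flags(f: SpfFeatures) -> List[str]:
    """Hypothetical practitioner checks; not the paper's classifier."""
    if not f.valid:
        return ["invalid"]
    flags = []
    if f.all_qualifier == "+":
        flags.append("plus-all")                   # authorizes every host on the Internet
    if f.all_qualifier == "" and not f.has_redirect:
        flags.append("no-all")                     # unlisted senders get a neutral result
    if f.min_ip4_prefix is not None and f.min_ip4_prefix < 16:
        flags.append("broad-ip4-range")
    if f.n_dns_lookups > 10:
        flags.append("lookup-limit-exceeded")      # receivers return permerror
    if f.n_ptr:
        flags.append("ptr-mechanism")              # discouraged by RFC 7208 section 5.5
    return flags


# Constructed sample TXT records (not real domains or observed data).
SAMPLE_TXT = {
    "benign.example": "v=spf1 include:_spf.example.net ip4:192.0.2.10 -all",
    "permissive.example": "v=spf1 +all",
    "broad.example": "v=spf1 ip4:198.51.0.0/16 ip4:203.0.0.0/8 ~all",
    "notspf.example": "google-site-verification=abc123",
}

if __name__ == "__main__":
    for name, txt in SAMPLE_TXT.items():
        feats = parse_spf(txt)
        print(name, "valid" if feats.valid else "invalid", risk_flags(feats))
```

In a deployment like the one the abstract describes, the input to `parse_spf` would be the TXT RDATA observed in the passive DNS feed for a newly registered domain; the features it returns (together with query-volume features the paper also uses) are what a classifier would consume.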
