Lightweight Detection of Spamming Botnets

A botnet is one of the largest problems against the Internet society because it is used to mount Distributed Denial of Service (DDoS), to steal users credentials, to send spam email, and so on. To cope with the problem, this paper presents a method of detecting spamming botnets, exploiting the information in a hash table of spams produced in our spam filter. To partition the spams based on the similarity of their messages, we cluster the spams in the hash table in three steps by 1) removing the collision (due to the hashing) in each bucket of the table, 2) merging the clusters obtained in step 1), using the fingerprints of message bodies, and 3) further merging the second-step clusters based on the spam-specific words in the Subject headers of spams. We identify a bot using the IP address in the first internal Received header that is prepended to the list of Received headers by the first internal server of a receiving organization. By simulation, we can cluster about 18,000 real-world spams in about 4,000 seconds with no misclustering on our commodity workstation. The active IP space for bots to send spams is almost the same as the one reported in the literature, except of a slight expansion.