Characterizing the Scam Hosting Infrastructure

Industry has responded to the ever-growing presence of spam by attacking the spam distribution infrastructure, essentially trying to prevent spam email from ever landing in the inbox of end-users. Recently, industry and academia have begun investigating the web hosting infrastructure of spam campaigns, attacking spammers where it hurts most, in their pocketbooks. Spammers have responded by introducing cooperative interme- diaries that redirect traffic, effectively decoupling the spam-advertised URL from the final destination website. In this study, we analyze not only the URLs in spam messages, but the less-studied redirection infrastructure that takes the user to a target website or other malicious host. Our initial results show that among all the hosts that can be reached directly from URLs embedded in email bodies, 64.87% are cooperative redirection hosts. However, these redirection hosts are only used to protect a small portion (11.33%) of final destination websites. Additionally, we find that around 70% of embedded URLs resolve to two ranges of IP space (61.0.0.0/8 and 124.0.0.0/8). By further analyzing the relationship between the final destinations and redirection hosts, we find that 74.19% of the final destination hosts are located in the same AS with their redirection hosts.