
Clustering spam domains and hosts: Anti-spam forensics with data mining

Posted on: 2011-07-17
Degree: Ph.D
Type: Dissertation
University: The University of Alabama at Birmingham
Candidate: Wei, Chun
Full Text: PDF
GTID: 1448390002966682
Subject: Computer Science
Abstract/Summary:
Spam-related cyber crimes, including phishing, malware and online fraud, are a serious threat to society. Spam filtering has been the major weapon against spam for many years but has failed to reduce the number of spam emails. To hinder spammers' capability of sending spam, their supporting infrastructure needs to be disrupted. Terminating spam hosts will greatly reduce spammers' profit and thwart their ability to commit spam-related cyber crimes. This research proposes an algorithm for clustering spam domains based on the hosting IP addresses and related email subjects. The algorithm can also detect significant hosts over a period of time. Experimental results show that when domain names are investigated, many seemingly unrelated spam emails are actually related. By using wildcard DNS records and constantly replacing old domains with new domains, spammers can effectively defeat URL- or domain-based blacklisting. Spammers also refresh hosting IP addresses occasionally, but less frequently than domains. The identified domains and their hosting IP addresses can be used by cyber-crime investigators as leads to trace the identities of spammers and shut down the related spamming infrastructure. This paper demonstrates how data mining can help to detect spam domains and their hosts for anti-spam forensic purposes.

Keywords: spam, forensics, clustering, data mining...
Keywords/Search Tags:Spam, Domains, Hosts, Clustering, Data, Hosting IP, IP addresses, Related