Week 5 - Email spam and affiliate programs Flashcards
(10 cards)
Describe the backend and frontend components of a typical spam operation (6 marks)
Backend:
- Bulletproof hosting providers who ignore takedown requests
- Payment processors that facilitate transactions despite risks
- Affiliate program infrastructure managing store, cart, and product delivery
Frontend:
- Harvested email lists
- Infected computers (botnets) to send spam
- Command & control (C&C) infrastructure
Spammers set up the frontend, while the backend is maintained by affiliate programs. Underground forums (e.g., SpamIt) help connect actors.
How do affiliate programs support spam campaigns, and what is their economic model? (6 marks)
Affiliate programs supply criminals with a complete backend service: web stores, payment processing, and order fulfilment. Spammers just need to generate traffic.
They earn commissions (typically 30-50%) for each successful sale. Examples include GlavMed and SpamIt, which made $73M and $85M respectively between 2007 and 2010.
These programs often use bulletproof hosting and unregulated payment processors to stay online.
Discuss the roles of different actors in the spam ecosystem and how trust influences their operations (7 marks)
Botmasters - manage the bots that send spam
Spammers - rent access to botnets and craft campaigns
Harvesters - collect email addresses
Affiliate admins - maintain backend infrastructure
They coordinate through invite-only underground forums like spamdot.biz. Trust is essential; relationships are long-term, with some actors specialising in a single role.
Spammers usually follow ‘manuals’ with advice on timing, list hygiene, and avoiding blacklists.
Explain how the Cutwail botnet operated and what made it effective (8 marks)
- Delivered via Pushdo botnet (dropper malware)
- Used single-tier C&C with custom XOR encryption
- Had a sophisticated web interface allowing monitoring of bots, testing against SpamAssassin, and avoidance of blacklisted bots
- Customers rented Cutwail and installed bots via Pushdo
Cutwail’s modularity and easy client interface made it widely rentable, scalable, and efficient for spam operations.
What are the main spam mitigation strategies and their associated limitations? (6 marks)
Engineering: Filters using content and origin analysis (e.g., blacklists, DMARC), but spammers constantly adapt.
Legal: Botnet takedowns and prosecutions, though hindered by cross-border issues.
Economic: Cutting off payment processors and bulletproof hosts; can be effective but hard to enforce.
Educational: User awareness campaigns (e.g., antivirus, suspicious links), slow to show impact.
No single method is sufficient; a multidisciplinary approach is most effective.
What factors contributed to the success of the Storm botnet, and how did researchers study it? (7 marks)
- Storm used a multi-tier, partly peer-to-peer architecture that made it resilient
- It infected over 1 million machines, spreading via spam email attachments.
- Researchers infiltrated it with fake pharmaceutical pages under their control
- This allowed tracking of clicks and purchases; despite a 0.0004% conversion rate, the botnet was profitable
- Success relied on scale, repeated customers, and automation.
Why is email spam still profitable despite very low conversion rates? (6 marks)
Operational costs are minimal using botnets and automation. Affiliate programs provide infrastructure and payouts. Even 0.0004% conversion can generate substantial revenue at scale. Repeat customers drive long-term profits. Access to millions of emails offsets low success rates.
Compare the infrastructure of the Cutwail and Storm botnets.
Cutwail: single-tier C&C system; clients rented servers and bots; had a web interface for bot and spam control
Storm: multi-tier and partly P2P; bots with public IPs acted as relays; more robust and decentralised, but harder to manage centrally
What did researchers discover when they hijacked the Torpig botnet, and how was it possible? (8 marks)
Exploited weaknesses: deterministic DGA, unregistered domains, no C&C authentication.
This let the researchers redirect the botnet to their own servers.
Collected:
- 8,310 bank credentials
- 1,660 card numbers (49% US-based)
- 297,000 account login pairs from 52,000 users
Showed the scale of data theft and value of botnet hijacks for research
List two economic and two engineering countermeasures against spam botnets and their limitations (6 marks)
Economic:
- Pressure banks and processors to stop enabling criminals (limitation: they find alternatives)
- Target hosting providers (limitation: bulletproof hosts resist legal action)
Engineering:
- Content filters (e.g., SpamAssassin) (limitation: spammers adapt messages)
- Origin tracking (e.g., DMARC, SPF) (limitation: spammers use IP churn and spoofing)