open pdf file in asp.net using c#: Add text to pdf file online software control project winforms azure web page UWP 2008-ccs-spamalytics0-part597

Spamalytics: An Empirical Analysis

of Spam Marketing Conversion

ChrisKanich

∗

ChristianKreibich

†

KirillLevchenko

∗

BrandonEnright

∗

GeoffreyM.Voelker

∗

Vern Paxson

†

StefanSavage

∗

†

InternationalComputerScienceInstitute

∗

Dept.ofComputerScienceandEngineering

Berkeley,USA

UniversityofCalifornia,SanDiego,USA

christian@icir.org,vern@cs.berkeley.edu

{ckanich,klevchen,voelker,savage}@cs.ucsd.edu

bmenrigh@ucsd.edu

ABSTRACT

The“conversion rate” of spam— theprobability that an unso-

licitede-mailwillultimatelyelicita“sale”—underliestheentire

spamvalueproposition.However,ourunderstandingofthiscritical

behaviorisquitelimited,andtheliteraturelacksanyquantitative

studyconcerningitstruevalue.Inthispaperwepresentamethod-

ologyformeasuringtheconversionrateofspam.Usingaparasitic

inﬁltration ofan existing botnet’sinfrastructure,weanalyzetwo

spamcampaigns:onedesignedtopropagateamalwareTrojan,the

othermarketingon-linepharmaceuticals. Fornearlyahalfbillion

spame-mailsweidentifythenumberthataresuccessfullydeliv-

ered, thenumberthatpassthrough popularanti-spamﬁlters, the

numberthatelicituservisitstotheadvertisedsites,andthenumber

of“sales”and“infections”produced.

CategoriesandSubjectDescriptors

K.4.1[PublicPolicyIssues]:ABUSEANDCRIMEINVOLVING

COMPUTERS

GeneralTerms

Measurement,Security,Economics

Keywords

Spam,UnsolicitedEmail,Conversion

1. INTRODUCTION

Spam-basedmarketingisacuriousbeast.Weallreceivethead-

vertisements—“Excellenthardnessiseasy!”—butfewofushave

encounteredapersonwhoadmitstofollowingthroughonthisof-

ferandmakingapurchase. Andyet,therelentlessnessbywhich

suchspamcontinuallyclogsInternetinboxes,despiteyearsofen-

ergeticdeploymentofanti-spamtechnology,providesundeniable

testamentthatspammersﬁndtheircampaignsproﬁtable.Someone

isclearlybuying.Buthowmany,howoften,andhowmuch?

Permissiontomakedigitalorhard copiesofallorpartofthisworkfor

personalorclassroomuseisgrantedwithoutfeeprovidedthatcopiesare

notmadeordistributedforproﬁtorcommercialadvantageandthatcopies

bearthisnoticeandthefullcitationontheﬁrstpage.Tocopyotherwise,to

republish,topostonserversortoredistributetolists,requirespriorspeciﬁc

permissionand/orafee.

CCS’08,October27–31,2008,Alexandria,Virginia,USA.

Unravelingsuchquestionsisessentialforunderstandingtheeco-

nomicsupportforspamandhencewhereanystructuralweaknesses

maylie. Unfortunately, spammersdonotﬁlequarterlyﬁnancial

reports,andtheundergroundnatureoftheiractivitiesmakesthird-

partydatagatheringachallengeatbest.Absentanempiricalfoun-

dation, defendersareoftenlefttospeculateastohowsuccessful

spamcampaignsareandtowhatdegreetheyareproﬁtable.Forex-

ample,IBM’sJoshuaCormanwaswidelyquotedasclaimingthat

spamsentbytheStormwormalonewasgenerating“millionsand

millionsofdollarseveryday”[2].Whilethisclaimcouldinfactbe

true,weareunawareofanypublicdataormethodologycapableof

conﬁrmingorrefutingit.

Thekeyproblemisourlimitedvisibilityintothethreebasicpa-

rametersofthespamvalueproposition:thecosttosendspam,off-

setby the“conversionrate”(probability thatan e-mailsentwill

ultimatelyyielda“sale”),andthemarginalproﬁtpersale.Theﬁrst

andlastoftheseareself-contained andcanatleastbeestimated

basedonthecostschargedbythird-partyspamsendersandthrough

thepricingandgrossmarginsofferedbyvariousInternetmarket-

ing“afﬁliateprograms”.

However,theconversion ratedepends

fundamentallyongroupactions—onwhathundredsofmillions

ofInternetusersdowhenconfrontedwithanewpieceofspam—

andismuchhardertoobtain.Whilearangeofanecdotalnumbers

exist,weareunawareofanywell-documentedmeasurementofthe

spamconversionrate.

Inpart,thisproblemismethodological. Therearenoapparent

methodsforindirectlymeasuringspamconversion.Thus,theonly

obvious wayto extractthisdataisto build an e-commercesite,

marketitviaspam,andthenrecordthenumberofsales.Moreover,

tocapturethespammer’sexperiencewithfullﬁdelity,suchastudy

mustalsomimictheiruseofillicitbotnetsfordistributinge-mail

andproxyinguser responses. Ineffect,thebestwaytomeasure

spamistobeaspammer.

Inthispaper,wehaveeffectivelyconductedthisstudy,though

sidesteppingtheobviouslegalandethicalproblemsassociatedwith

sendingspam.

Critically,ourstudymakesuseofanexistingspam-

Ourcursoryinvestigationssuggestthatcommissionsonpharma-

ceuticalafﬁliateprogramstendtohoveraround40-50%,whilethe

retailcostforspamdeliveryhasbeenestimatedatunder$80per

million[22].

Thebestknownamongtheseanecdotalﬁgurescomesfromthe

WallStreetJournal’s2003investigationofHowardCarmack(a.k.a

the“BuffaloSpammer”),revealingthatheobtaineda0.00036con-

version rateontenmillionmessagesmarketing anherbalstimu-

lant[4].

Weconductedourstudyundertheethicalcriteriaofensuringneu-

tralactionssothatusersshouldneverbeworseoffduetoourac-

Add text to pdf file online - insert text into PDF content in C#.net, ASP.NET, MVC, Ajax, WinForms, WPF

XDoc.PDF for .NET, providing C# demo code for inserting text to PDF file

adding text to a pdf file; add text to pdf file reader

Add text to pdf file online - VB.NET PDF insert text library: insert text into PDF content in vb.net, ASP.NET, MVC, Ajax, WinForms, WPF

Providing Demo Code for Adding and Inserting Text to PDF File Page in VB.NET Program

how to add text fields to pdf; how to add text to a pdf document

mingbotnet.Byinﬁltratingitscommandandcontrolinfrastructure

parasitically,weconvincedittomodifyasubsetofthespamital-

readysends,therebydirectinganyinterestedrecipientstoservers

underourcontrol,ratherthanthosebelongingtothespammer. In

turn, our servers presented Web sites mimicking those actually

hosted by thespammer, but“defanged”to removefunctionality

thatwouldcompromisethevictim’ssystemorreceivesensitiveper-

sonalinformationsuchasname,addressorcreditcardinformation.

Usingthismethodology,wehavedocumentedthreespamcam-

paigns comprising over 469millione-mails. Weidentiﬁedhow

muchofthisspamissuccessfullydelivered,howmuchisﬁltered

bypopularanti-spamsolutions,and,mostimportantly,howmany

users“click-through”tothesitebeingadvertised(responserate)

andhowmanyofthoseprogresstoa“sale”or“infection”(conver-

sionrate).

Theremainderofthispaperisstructuredasfollows. Section2

describestheeconomicbasisforspamandreviewspriorresearch

inthisarea. Section3describestheStormbotnet,andSection4

describesour experimentalmethodology using Storm. Section5

describesourspamﬁlteringandconversionresults,Section6an-

alyzestheeffectsofblacklistingonspamdelivery, andSection7

analyzesthepossibleinﬂuencesonspamresponses.Wesynthesize

ourﬁndingsinSection8andconclude.

2. BACKGROUND

Directmarketinghasarichhistory,datingbacktothe19thcen-

turydistributionoftheﬁrstmail-ordercatalogs.Whatmakesdirect

marketingsoappealingisthatonecandirectlymeasureitsreturn

oninvestment. Forexample, theDirectMailAssociationreports

thatdirectmailsalescampaignsproducearesponserateof 2.15

percentonaverage[5]. Meanwhile,roughestimatesofdirectmail

costpermille(CPM)– thecosttoaddress, produceand deliver

materialstoathousandtargets–rangebetween$250and$1000.

Thus,followingtheseestimatesitmightcost$250,000tosendout

amillionsolicitations,whichmightthenproduce21,500responses.

Thecostofdevelopingtheseprospects(roughly$12each)canbe

directlycomputedand,assumingeachprospectcompletesasaleof

anaveragevalue,onecanbalancethisrevenuedirectlyagainstthe

marketingcoststodeterminetheproﬁtabilityofthecampaign.As

longastheproductoftheconversionrateandthemarginalproﬁt

persaleexceedsthemarginaldeliverycost,thecampaignisprof-

itable.

Giventhisunderlyingvalueproposition,itisnotatallsurpris-

ingthatbulkdirecte-mailmarketingemergedveryquickly after

e-mailitself.Themarginalcosttosendane-mailistinyand,thus,

ane-mail-basedcampaigncanbeproﬁtableevenwhentheconver-

sionrateisnegligible. Unfortunately,aperversebyproductofthis

dynamicisthatsendingasmuchspamaspossibleislikelytomax-

imizeproﬁt.

Theresultingsocialnuisancebegatavibrantanti-spamcommu-

nity,eventually producingamulti-billiondollarindustryfocused

onthesameproblem. However, witheachanti-spaminnovation

spammersadaptedinkindand,whiletheresultingco-evolutionhas

notsigniﬁcantly changedthespamproblem, ithaschangedhow

spamispurveyed.Forexample,theadventofreal-timeIPblacklist-

ingdeployedinMailTransferAgents(MTAs)forcedspammersto

relaytheirmessagesthrough“untainted”third-partyhosts—driv-

ingthecreationofmodernlarge-scalebotnets. Similarly,content-

basedanti-spamﬁltersinturnforcedspammerstocreatesophisti-

catedpolymorphismengines,modifyingeachspammessagetobe

tivities,whilestrictlyreducingharmforthosesituationsinwhich

userpropertywasatrisk.

distinct. Aswell,itforcedthemtosendevenmorespam. Thus,

ithasbeenestimatedthatover120billionspammessagesarenow

senteachday[11].

However, whilespamhas longbeenunderstood tobean eco-

nomicproblem, itisonlyrecently thattherehasbeensigniﬁcant

effortinmodeling spameconomicsandunderstandingthevalue

propositionfromthespammer’spointofview.Rarelydospammers

talk aboutﬁnancialaspectsoftheiractivitiesthemselves, though

suchaccountsdoexist[14,21].Judgeetal.describeaprototypical

modelofspamproﬁtability,includingboththebasicvaluepropo-

sitionaswellastheimpactofanti-spamﬁlteringandlawenforce-

ment. Theyspeculatethatresponseratesaslowas0.000001are

sufﬁcienttomaintainproﬁtability[17]. Khong[13]likewiseem-

ploysaneconomiccostmodelofspam,comparingthesuccessof

severalanti-spamstrategies.GoodmanandRounthwaiteconstruct

amorecomplexmodel,aimedatderivingthecostfactorsforsend-

ingspam,andconcludedepressinglythattheoptimalstrategyfor

sendingspamistosendasfastaspossible[9].SerjantovandClay-

tonexploretheseissuesfromthestandpointofanISPandtryto

understandhowtoplaceappropriateincentivesaroundtheuseof

anti-spamblacklists[19].

However,theworkthatismostcloselyrelatedtoourown are

theseveralpapersconcerning“StockSpam”[7,8,10].Stockspam

referstothepracticeofsendingpositive“touts”foralow-volume

securityinordertomanipulateitspriceand thereby proﬁtonan

existing position inthestock. Whatdistinguishesstock spamis

thatitismonetizedthroughpricemanipulationandnotviaasale.

Consequently, itisnotnecessary to measuretheconversionrate

tounderstandproﬁtability. Instead,proﬁtabilitycanbeinferredby

correlatingstockspammessagevolumewithchangesinthetrading

volumeandpricefortheassociatedstocks.

TheworkofMaandChenissimilartooursinthatitanalyzesin

detailthestructureofaspammingoperation. However,theirfocus

isonredirectionchainsemployedbyspammersasasearchengine

optimizationstrategy[20].

3. THESTORMBOTNET

ThemeasurementsinthispaperarecarriedoutusingtheStorm

botnetanditsspammingagents. Whileacompletetechnicalde-

scription ofStormisoutsidethescopeof this paper, wereview

keymechanismsinStorm’scommunicationprotocolsandorgani-

zationalhierarchy.

Stormisapeer-to-peer botnetthatpropagatesviaspam(usu-

allybydirectingrecipientstodownloadanexecutablefromaWeb

site). Stormcommunicatesusingtwoseparateprotocols:theﬁrst

isanencryptedversionoftheUDP-basedOvernetprotocol(inturn

basedontheKademliaDHT[16])and isusedprimarilyasadi-

rectoryservicetoﬁndothernodes. Aswell,Stormusesacustom

TCP-basedprotocolformanagingcommandandcontrol—thedi-

rectionsinforming eachbotwhatactionsitshouldtake. Wede-

scribeeachofthesebelow.

3.1 Overnetprotocol

Therearefourbasicmessagestofacilitatethebasicfunctioning

ofOvernet:Connect,Search,Publicize,andPublish. Duringthe

bootstrapphase,aStormnodeonlyhastheinitiallistofpeersthat

itwasshippedwith. TogathermorepeersStormchoosesaOID

pseudo-randomlyfromthe128-bitOvernetaddressspaceandpro-

ceedstoConnecttoallthepeersinitsbootstraplist.Eachavailable

peercontactedreturnsalistofupto20peers. Stormdoesthisfor

afewroundsuntilithasgatheredenoughpeerstobeadequately

connectedinOvernet.Onceanewnodehaslearnedaboutenough

peersitswitchesto Publicizing itspresencetonearbypeersand

VB.NET PDF Password Library: add, remove, edit PDF file password

This VB.NET example shows how to add PDF file password with access permission setting. passwordSetting.IsAssemble = True ' Add password to PDF file.

adding text to pdf; how to insert a text box in pdf

VB.NET PDF Text Extract Library: extract text content from PDF

With this advanced PDF Add-On, developers are able to extract target text content from source PDF document and save extracted text to other file

adding text to a pdf form; how to insert text in pdf using preview

Figure1: TheStormbotnethierarchy.

periodicallysearchingforitsownOIDtostayconnectedandlearn

aboutnewclose-bypeerstokeepupwithchurn.

Overnetalsoprovidestwomessagesforstoringandﬁndingcon-

tentinthenetwork: PublishandSearchwhichexportastandard

DHT(key,value)pairinterface. However,Stormusesthisinter-

faceinan unusualway. Inparticular,thekeysencodeadynam-

ically changing rendezvouscodethatallowStormnodesto ﬁnd

eachotherondemand.

AStormnodegeneratesandusesthreerendezvouskeyssimulta-

neously:onebasedonthecurrentdate,onebasedontheprevious

date,andonebasedonthenextdate.Todeterminethecorrectdate,

StormﬁrstsetsthesystemclockusingNTP.

Inparticular, eachkey is basedon acombinationof thetime

(with24-hourresolution)mixedwitharandomintegerbetween0

and31. Thusthereare32uniqueStormkeysinuseperdaybut

asingleStormbotwillonlyuse1of the32. Becausekeysare

basedontime,StormusesNTPtosyncabot’sclockandattempts

to normalizethetimezone. Even so, tomakesurebotsaround

theworldcanstayinsync,Stormuses3daysofkeysatonce,the

previous,current,andnextday.

Inturn,thesekeysareusedtorendezvouswithStormnodesthat

implementthecommand andcontrol(C&C) channel. AStorm

nodethatwishestooffertheC&Cservicewillusethetime-based

hashingalgorithmtogenerateakeyandencodeitsownIPaddress

andTCPportintothevalue.Itwillthensearchfortheappropriate

peersclosetothekeyandpublishits(key,value)pairtothem. A

peerwishingtolocateaC&Cchannelcangenerateatime-based

keyandsearchforpreviouslypublishedvaluestodecodeandcon-

necttotheTCPnetwork.

3.2 Stormhierarchy

TherearethreeprimaryclassesofStormnodesinvolvedinsend-

ingspam(showninFigure1).Workerbotsmakerequestsforwork

and, uponreceivingorders, sendspamasrequested. Proxy bots

actasconduitsbetweenworkersandmasterservers. Finally,the

masterserversprovidecommandstotheworkersandreceivetheir

statusreports. Inourexperiencethereareaverysmallnumberof

masterservers(typicallyhostedatso-called“bullet-proof”hosting

centers)andthesearelikelymanagedbythebotmasterdirectly.

However,thedistinctionbetweenworkerandproxyisonethat

isdeterminedautomatically.WhenStormﬁrstinfectsahostittests

ifitcanbereachedexternally. Ifso,thenitiseligibletobecomea

proxy.Ifnot,thenitbecomesaworker.

3.3 Spamengine

Having decided to become a worker, a new bot ﬁrst checks

whetheritcanreachtheSMTPserverofapopularWeb-basedmail

provideronTCPport25.Ifthischeckfailstheworkerwillremain

activebutnotparticipateinspammingcampaigns.

Figure2outlinesthebroadstepsforlaunchingspamcampaigns

whentheportcheckissuccessful.Theworkerﬁndsaproxy(using

thetime-varyingprotocoldescribedearlier)andthensendsanup-

daterequest(viatheproxy)toanassociatedmasterserver(Step1),

whichwillrespondwithaspamworkloadtask(Step2). Aspam

workload consistsof threecomponents: oneor morespamtem-

plates,adeliverylistofe-mailaddresses,andasetofnamed“dic-

tionaries”.Spamtemplatesarewritteninacustommacrolanguage

forgeneratingpolymorphicmessages[15]. Themacrosinsertele-

mentsfromthedictionaries(e.g.,targete-mailaddresses,message

subjectlines),randomidentiﬁers(e.g.,SMTPmessageidentiﬁers,

IPaddresses),thedateandtime,etc.,intomessageﬁeldsandtext.

GeneratedmessagesappearasiftheyoriginatefromavalidMTA,

andusepolymorphiccontentforevadingspamﬁlters.

Upon receiving a spam workload, a worker bot generates a

uniquemessageforeachoftheaddressesonthedeliverylistand

attemptstosendthemessagetotheMXoftherecipientviaSMTP

(Step3). Whentheworkerbothasexhausteditsdeliverylist, it

requeststwoadditionalspamworkloadsandexecutesthem.Itthen

sendsadeliveryreportbacktoitsproxy(Step4). Thereportin-

cludesaresultcodeforeachattempteddelivery.Ifanattemptwas

successful,itincludesthefulle-mailaddressoftherecipient;oth-

erwise,itreportsanerrorcodecorrespondingtothefailure. The

proxy, in turn, relaysthesestatus reportsback to theassociated

masterserver.

Tosummarize,Stormusesathree-levelself-organizinghierarchy

comprisedof worker bots, proxybotsandmasterservers. Com-

mandandcontrolis“pull-based”,drivenbyrequestsfromindivid-

ualworkerbots. Theserequestsaresenttoproxieswho,inturn,

automaticallyrelaytheserequeststomasterserversandsimilarly

forwardanyattendantresponsesbacktototheworkers.

4. METHODOLOGY

Ourmeasurementapproachisbasedonbotnetinﬁltration—that

is, insinuating ourselvesinto abotnet’s “command and control”

(C&C)network,passivelyobservingthespam-relatedcommands

anddataitdistributesand, whereappropriate,activelychanging

individualelementsof thesemessagesin transit. Storm’sarchi-

tecturelendsitselfparticularlywelltoinﬁltrationsincetheproxy

bots,bydesign,interposeonthecommunicationsbetweenindivid-

ualworkerbotsandthemasterserverswhodirectthem.Moreover,

sinceStormcompromiseshostsindiscriminately(normallyusing

malwaredistributedviasocialengineeringWebsites)itisstraight-

forwardtocreateaproxybotondemandbyinfecting aglobally

reachablehostunderourcontrolwiththeStormmalware.

Figure2alsoillustratesourbasicmeasurementinfrastructure.At

thecore,weinstantiateeightunmodiﬁedStormproxybotswithina

controlledvirtualmachineenvironmenthostedonVMWareESX3

servers.Thenetworktrafﬁcforthesebotsisthenroutedthrougha

centralizedgateway,providingameansforblockingunanticipated

behaviors(e.g.,participationinDDoSattacks)andaninterposition

pointforparsingC&Cmessagesand“rewriting”themastheypass

fromproxiestoworkers.Mostcritically,bycarefullyrewritingthe

spamtemplateanddictionaryentriessentbymasterservers,wear-

rangeforworkerbotstoreplacetheintendedsitelinksintheirspam

withURLsofourchoosing.Fromthisbasiccapabilitywesynthe-

sizeexperimentstomeasuretheclick-throughandconversionrates

forseverallargespamcampaigns.

Suchbotsarestill“useful”forothertaskssuchasmountingcoor-

dinatedDDoSattacksthatStormperpetratesfromtimetotime.

C# PDF File & Page Process Library SDK for C#.net, ASP.NET, MVC

Read: PDF Text Extract; C# Read: PDF Image Extract; C# Write: Insert text into PDF; C# Write: Add Image to PDF; C# Protect: Add Password

add text to pdf using preview; how to add text to pdf document

C# PDF Text Extract Library: extract text content from PDF file in

How to C#: Extract Text Content from PDF File. Add necessary references: RasterEdge.Imaging.Basic.dll. RasterEdge.Imaging.Basic.Codec.dll.

add text field to pdf acrobat; how to insert text in pdf reader

Figure2: TheStorm spamcampaigndataﬂow(Section 3.3)

andourmeasurementandrewritinginfrastructure(Section4).

(1)Workersrequest spam tasksthrough proxies, (2) proxies

forward spam workload responses from master servers, (3)

workerssendthespamand(4)returndelivery reports. Our

infrastructureinﬁltratestheC&Cchannelsbetweenworkers

andproxies.

Intheremainderofthissectionweprovideadetaileddescription

ofourStormC&Crewritingengine,discusshowweusethistool

toobtainempiricalestimatesforspamdelivery,click-throughand

conversionratesanddescribetheheuristicsusedfordifferentiating

realuservisitsfromthosedrivenbyautomated crawlers, honey-

clients, etc. With thiscontext, wethen review theethicalbasis

uponwhichthesemeasurementswereconducted.

4.1 C&Cprotocolrewriting

OurruntimeC&Cprotocolrewriterconsistsoftwocomponents.

AcustomClick-basednetwork elementredirects potentialC&C

trafﬁcto aﬁxed IPaddress and port, wherea user-space proxy

serverimplemented inPythonacceptsincomingconnectionsand

impersonatestheproxybots. Thisserverinturnforwardsconnec-

tionsbackintotheClickelement,whichredirectsthetrafﬁctothe

intendedproxybot. Toassociateconnectionstotheproxyserver

withthoseforwardedbytheproxyserver,theClickelementinjects

aSOCKS-styledestinationheaderintotheﬂows.Theproxyserver

usesthisheadertoforwardaconnectiontoaparticularaddressand

port,allowingtheClickelementtomaketheassociation.Fromthat

pointon,trafﬁcﬂowstransparentlythroughtheproxyserverwhere

C&Ctrafﬁcisparsedandrewrittenasrequired.Rulesforrewriting

can beinstalledindependentlyfortemplates,dictionaries, ande-

mailaddresstargetlists.TherewriterlogsallC&Ctrafﬁcbetween

workerandourproxybots,betweentheproxybotsandthemaster

servers,andallrewritingactionsonthetrafﬁc.

SinceC&C trafﬁcarriveson arbitrary ports, wedesigned the

proxyserversothatitinitiallyhandlesanytypeofconnectionand

fallsbacktopassivepass-throughforanynon-C&Ctrafﬁc. Since

theproxyserver needs to maintain aconnection for each of the

(many)workers,weuseapreforked,multithreadeddesign.Apool

of30processesallowedustohandlethefullworkerloadforthe

eightStormproxybotsatalltimes.

4.2 Measuringspamdelivery

Toevaluatetheeffectofspamﬁlteringalongthee-maildelivery

pathtouserinboxes,weestablishedacollectionofteste-mailac-

countsandarrangedtohaveStormworkerbotssendspamtothose

accounts.Wecreatedmultipleaccountsatthreepopularfreee-mail

providers(Gmail,Yahoo!,andHotmail),accountsﬁlteredthrough

ourdepartmentcommercialspamﬁlteringappliance(aBarracuda

SpamFirewallModel300withslightlymorepermissivespamtag-

gingthanthedefaultsetting),andmultipleSMTP“sinks”atdis-

tinctinstitutionsthatacceptanymessagesenttothem(theseserved

as“controls”toensurethatspame-mailswerebeingsuccessfully

delivered, absentanyreceiver-sidespamﬁltering). Whenworker

botsrequestspamworkloads, our rewriterappendsthesee-mail

addressestotheendofeachdeliverylist. Whenaworkerbotre-

portssuccessorfailurebacktothemasterservers,weremoveany

successreportsforoure-mailaddressestohideourmodiﬁcations

fromthebotmaster.

We periodically poll each e-mail account (both inbox and

“junk/spam”folders)forthemessagesthatitreceived,andwelog

themwiththeirtimestamps. However,someofthemessageswe

receive have nothing to do with our study and mustbeﬁltered

out. Thesemessagesoccurforarangeofreasons,includingspam

generatedby“dictionarybots”thatexhaustivelytargetpotentiale-

mailaddresses,orbecausetheaddressesweuseareunintentionally

“leaked”(thiscanhappenwhen aStormworkerbotconnectsto

ourproxyandthenleavesbeforeithasﬁnishedsendingitsspam;

whenitreconnectsviaanewproxythedeliveryreporttothemas-

terserverswillincludeour addresses). Toﬁltersuche-mail,we

validatethateachmessageincludesbothasubjectlineusedbyour

selectedcampaignsandcontainsalinktooneoftheWebsitesun-

derourcontrol.

4.3 Measuringclick-throughandconversion

Toevaluatehowoftenuserswhoreceivespamactuallyvisitthe

sitesadvertisedrequiresmonitoringtheadvertisedsitesthemselves.

Sinceitisgenerallyimpracticaltomonitorsitesnotunderourcon-

trol,wehavearrangedtohaveafractionofStorm’sspamadvertise

sitesofourcreationinstead.

Inparticular,wehavefocusedontwotypesofStormspamcam-

paigns,aself-propagationcampaigndesignedtospreadtheStorm

malware (typically under the guise of advertising an electronic

postcardsite)andtheotheradvertisingapharmacysite. Theseare

thetwo mostpopularStormspamcampaignsandrepresentover

40%ofrecentStormactivity[15].

Foreachofthesecampaigns,theStormmasterserversdistribute

aspeciﬁc“dictionary”thatcontainsthesetoftargetURLstobein-

sertedintospame-mailsastheyaregeneratedbyworkerbots. To

divertuservisitstooursitesinstead,therewriterreplacesanydic-

tionariesthatpassthroughourproxieswithentriesonlycontaining

URLstoourWebservers.

Ingeneral,westriveforverisimilitudewiththeactualStormop-

eration. Thus,wearecarefultoconstructtheseURLsinthesame

mannerastherealStormsites(whetherthisisrawIPaddresses,as

used in theself-propagation campaigns, ortheparticular “noun-

noun.com”naming schema usedby thepharmacy campaign) to

ensurethegeneratedspamisqualitativelyindistinguishablefrom

the“realthing”. Animportantexception,uniquetothepharmacy

campaign,isanidentiﬁerweaddtotheendofeachURLbymodi-

VB.NET PDF insert image library: insert images into PDF in vb.net

try with this sample VB.NET code to add an image As String = Program.RootPath + "\\" 1.pdf" Dim doc New PDFDocument(inputFilePath) ' Get a text manager from

how to enter text in pdf form; how to add text box in pdf file

VB.NET PDF File Compress Library: Compress reduce PDF size in vb.

Also able to uncompress PDF file in VB.NET programs. Offer flexible and royalty-free developing library license for VB.NET programmers to compress PDF file.

how to add text to pdf file; how to add text fields to a pdf document

(a)Pharmaceuticalsite

(b)Postcard-themedself-propagationsite

Figure3: Screenshotsof theWebsitesoperatedto measure

userclick-throughandconversion.

fyingtheassociatedspamtemplate.Thisidentiﬁerallowsustoun-

ambiguouslyassociateindividualspammessageswithsubsequent

accessesto thesite. We did notadd this identiﬁer to theself-

propagationcampaignssincetheirURLstypicallyconsistentirely

ofrawIPaddresses. Theadditionofatextidentiﬁersufﬁxmight

thusappearoutofplace,reducingverisimilitude,andperhapsbias

userclickbehavior.

Finally, wecreatedtwo Web sitesto mimicthoseused in the

associated campaigns (screenshots of these sites are shown in

Figure3). Thepharmaceuticalsite, primarily marketing “male-

enhancement”drugssuchasViagra,isanearly-precisereplicaof

thesitenormallyadvertisedbyStormdowntousingthesamenam-

ingconventionforthedomainsthemselves. Oursitemirrorsthe

originalsite’suserinterface,theadditionofproductsadvertisedfor

saletoa“shoppingcart”,andnavigationupto,butnotincluding,

theinputofpersonalandpaymentinformation(therearearange

ofcomplexregulatory, legalandethicalissuesin accepting such

information).Instead,whenauserclickson“Checkout”wereturn

a404errormessage. Welogallaccessestothesite,allowingus

todeterminewhenavisitorattemptstomakeapurchaseandwhat

thecontentoftheirshoppingcartisatthetime. Weassumethata

purchaseattemptisaconversion,whichwespeculateisareason-

ableassumption, although our methodologydoesnotallowusto

validatethattheuserwouldhaveactuallycompletedthepurchase

orthattheircreditcardinformationwouldhavebeenvalid.

Theself-propagation campaign is Storm’s keymechanismfor

growth. ThecampaignenticesuserstodownloadtheStormmal-

wareviadeception;forexamplebytellingthemitispostcardsoft-

wareessentialfor viewing amessageor jokesentto thembya

friend. Unlikethepharmacyexample,wewerenotabletomirror

thegraphicalcontentofthepostcardsite,sinceitwasitselfstolen

fromalegitimateInternetpostcardsite.Instead,wecreatedaclose

analogdesignedtomimictheoveralllookandfeel. Wealso“de-

fanged”oursitebyreplacingitslinktotheStormmalwarewiththat

ofabenignexecutable. Ifrun, ourexecutableisdesignedtoper-

formsasimpleHTTPPOSTwithaharmlesspayload(“data=1”)

toaserver underourcontrol,andthen exit. Asaroughtimeout

mechanism, theexecutablewillnotsend themessageifthesys-

temdateis2009orlater. Sincethepostcardsiteweimpersonated

servedthreedifferentexecutablesunderdifferentnames,weserved

threeexecutableswithdifferenttargetﬁlenamesinthePOSTcom-

mandaswell.Again,allaccessestothesiteareloggedandweare

abletoidentifywhenourbinaryhasbeendownloaded. Moreover,

bycorrelatingwiththePOSTsignal,weareabletodetermineifa

particulardownloadisultimatelyexecutedonthevisitor’smachine

(andhenceisaconversion). Downloadsandexecutionscandiffer

becausetheuserhassecondthoughtsaboutallowinganexecution

orbecausetheuser’ssecuritysoftwarepreventsitfromexecuting

(indeed,weobservedthatseveralanti-virusvendorsdevelopedsig-

naturesforourbenignexecutablewithinafewdaysofourintro-

ducingit).

4.4 Separatingusersfromcrawlers

Aswithoure-mailaccounts,notallvisitstoourWebsiteare

prospectiveconversions. Thereisarangeofautomatedandsemi-

automated processesthatvisitour sites, ranging frompureWeb

crawlers,to“honeyclient”systemsdesignedtogatherintelligence

onspamadvertisedsites,tosecurityresearcherstryingtoidentify

newmalware.

Toﬁlter outsuchvisits(whichwegenericallycall“crawlers”)

fromintentfulones, wehavedeveloped aseries ofheuristicsto

identifycrawlersandusethisdatatopopulateaglobalIPblacklist

acrossallofourWebsites.Weoutlinetheseheuristicsbelow.

First, weconsider allhosts thataccessthepharmacysitethat

do not use aURLcontaining theunique identiﬁer discussed in

Section4.3 to be crawlers. Second, weblacklisthosts that ac-

cessrobots.txt(site-speciﬁcinstructionsmeantonlyforWeb

crawlers)andhoststhatmakemalformedrequests(mostoftenex-

ploitattempts). Third,weblacklistallhoststhatdisablejavascript

anddonotloadembeddedimages. Weassumethattypicalusers

do notbrowseundertheseconditions, whereassomelarge-scale

anti-spamhoneypotsthatfollowembeddedlinksinsuspectedspam

exhibitthisbehaviortoreduceload.

In additiontoblacklistingbased onthebehavior ofindividual

sitevisits,anothercommonpatternweobservedwasthesameIP

addressaccessingthepharmacysiteusingseveraldifferentunique

identiﬁers,presumablyaspartofaspamdefenseormeasurement

mechanism.Consequently,weblacklistanIPaddressseenaccess-

ingthepharmacy sitewithmorethan oneuniqueidentiﬁerwith

thesameUser-Agentﬁeld. Thisheuristicdoesnotﬁlterusers

browsingbehindlargerWebproxyservices,butdoesﬁltertheho-

mogeneousaccessesseenfromspamhoneyclients. Similarly,we

also blacklist any host thatrequeststhedownloaded executable

fromthepostcardsitetenormoretimes,undertheassumptionthat

suchhostsareusedbyresearchersorotherobserversinterestedin

trackingupdatestotheStormmalware.

Finally,ithasbecomecommonforanti-malwareresearchersto

ﬁndnewversionsoftheStormmalwarebydirectlyaccessingthe

self-propagationdictionary entries. To detectsuch userswein-

jectednewIPaddresses(neveradvertisedinspammessages)into

theself-propagationdictionary duringaperiodof inactivity (i.e.,

when noself-propagationspamwasbeingsent). Anyvisitorsto

VB.NET PDF File Split Library: Split, seperate PDF into multiple

page PDF document file to one-page PDF files or they can separate source PDF file to smaller VB.NET PDF Splitting & Disassembling DLLs. Add necessary references

how to add text fields in a pdf; add text pdf acrobat professional

C# PDF File Split Library: Split, seperate PDF into multiple files

page of your defined page number which starts from 0. For example, your original PDF file contains 4 pages. C# DLLs: Split PDF Document. Add necessary references

add text to pdf file online; how to enter text in a pdf document

Mar 07

Mar 12

Mar 17

Mar 22

Mar 27

Apr 01

Apr 06

Apr 11

Apr 16

0.5

1.5

2.5

Date

Emails assigned per hour (millions)

Postcard

Pharmacy

April Fool

Figure4: Numberofe-mailmessagesassignedperhourfor

eachcampaign.

AMPAIGN

ATES

ORKERS

E-

MAILS

Pharmacy

Mar21–Apr15

31,348

347,590,389

Postcard

Mar9–Mar15

17,639

83,665,479

AprilFool

Mar31–Apr2

3,678

38,651,124

Total 469,906,992

Table1: Campaignsusedintheexperiment.

theseIPaddressescouldnothaveresultedfromspam,andwethere-

forealsoaddedthemtoourcrawlerblacklist.

Itisstillpossiblethatsomeoftheaccesseswereviafull-featured,

low-volumehoneyclients,buteveniftheseexistwebelievetheyare

unlikelytosigniﬁcantlyimpactthedata.

4.5 Measurementethics

Wehavebeencarefultodesignexperimentsthatwebelieveare

bothconsistentwithcurrentU.S.legaldoctrineandarefundamen-

tallyethicalaswell. Whileitisbeyondthescopeofthispaperto

fullydescribethecomplexlegallandscapeinwhichactivesecurity

measurementsoperate,webelievetheethicalbasis for ourwork

isfareasiertoexplain:westrictlyreduceharm. First,ourinstru-

mentedproxy botsdonotcreateanynewharm. Thatis, absent

ourinvolvement,thesamesetofuserswouldreceivethesameset

ofspame-mailssentbythesameworker bots. Stormisalarge

self-organizingsystemandwhenaproxyfailsitsworkerbotsau-

tomaticallyswitchtootheridleproxies(indeed,whenourproxies

failweseeworkersquicklyswitchaway).Second,ourproxiesare

passiveactorsanddonotthemselvesengageinanybehaviorthat

isintrinsicallyobjectionable;theydonotsendspame-mail,they

donotcompromisehosts, nor do they evencontactworker bots

asynchronously.Indeed,theironlyfunctionistoprovideaconduit

betweenworkerbotsmakingrequestsandmasterserversproviding

responses. Finally,wherewedomodifyC&Cmessagesintransit,

theseactionsthemselvesstrictlyreduceharm.Userswhoclickon

spamalteredbythesechangeswillbedirectedtooneofourinnocu-

ousdoppelgangerWebsites. Unlikethesitesnormallyadvertised

byStorm,oursitesdonotinfectuserswithmalwareanddonotcol-

lectusercreditcardinformation.Thus,nousershouldreceivemore

spamduetoourinvolvement,butsomeuserswillreceivespamthat

islessdangerousthatitwouldotherwisebe.

Mar 24

Mar 29

Apr 02

Apr 06

Apr 10

Apr 14

100

200

300

400

500

600

Time

Number of connected workers

Proxy 1

Proxy 2

Proxy 3

Proxy 4

Proxy 5

Proxy 6

Proxy 7

Proxy 8

Figure5: Timelineofproxybotworkload.

OMAIN

REQ

hotmail.com

8.47%

yahoo.com

5.05%

gmail.com

3.17%

aol.com

2.37%

yahoo.co.in

1.13%

sbcglobal.net

0.93%

mail.ru

0.86%

shaw.ca

0.61%

wanadoo.fr

0.61%

msn.com

0.58%

Total 23.79%

Table 2: The 10 most-targeted e-mailaddress domains and

theirfrequencyinthecombinedlistsoftargetedaddressesover

allthreecampaigns.

5. EXPERIMENTALRESULTS

Wenowpresenttheoverallresultsofourrewritingexperiment.

WeﬁrstdescribethespamworkloadobservedbyourC&Crewrit-

ingproxy.Wethencharacterizetheeffectsofﬁlteringonthespam

workloadalongthedeliverypathfromworkerbotstouserinboxes,

aswellasthenumberofuserswhobrowsetheadvertisedWebsites

andactonthecontentthere.

5.1 Campaigndatasets

OurstudycoversthreespamcampaignssummarizedinTable1.

The“Pharmacy”campaignisa26-daysample(19activedays)of

anon-goingStormcampaignadvertisinganon-linepharmacy.The

“Postcard”and“AprilFool”campaignsaretwodistinctandserial

instancesofself-propagationcampaigns,whichattempttoinstall

anexecutableontheuser’smachineundertheguiseofbeingpost-

cardsoftware. Foreachcampaign,Figure4showsthenumberof

messagesperhourassignedtobotsformailing.

Storm’sauthorshaveshowngreatcunninginexploitingthecul-

turalandsocialexpectationsofusers—hencetheAprilFoolcam-

paignwasrolledoutforalimitedrunaroundApril1st. OurWeb

sitewasdesignedtomimictheearlierPostcardcampaignandthus

ourdataprobablydoesnotperfectlyreﬂectuserbehaviorforthis

campaign,butthetwoaresimilarenoughinnaturethatwesurmise

thatanyimpactissmall.

Webegantheexperimentwith8proxybots,ofwhich7survived

untiltheend.OneproxycrashedlateonMarch31.Thetotalnum-

berofworkerbotsconnectedtoourproxieswas75,869.

Figure5showsatimelineoftheproxybotworkload.Thenum-

berofworkersconnectedtoeachproxyisroughlyuniformacross

VB.NET PDF File Merge Library: Merge, append PDF files in vb.net

by directly tagging the second PDF file to the target one, this PDF file merge function VB.NET Project: DLLs for Merging PDF Documents. Add necessary references

add text to pdf document online; adding text to pdf form

C# PDF Password Library: add, remove, edit PDF file password in C#

in C#.NET framework. Support to add password to PDF document online or in C#.NET WinForms for PDF file protection. Able to create a

how to add text to a pdf in preview; adding text to pdf document

targeted

addresses

email not

delivered

blocked by

spam ﬁlter

ignored

by user

user left site

crawler

converter

Figure6: Thespamconversionpipeline.

TAGE

HARMACY

OSTCARD

PRIL

OOL

A–SpamTargets

347,590,389

100%

83,655,479

100%

40,135,487

100%

B–MTADelivery(est.)

82,700,000

23.8%

21,100,000

25.2%

10,100,000

25.2%

C–InboxDelivery

—

D–UserSiteVisits

10,522

0.00303%

3,827

0.00457%

2,721

0.00680%

E–UserConversions

0.0000081%

316

0.000378%

225

0.000561%

Table3:Filteringateachstageofthespamconversionpipelinefortheself-propagationandpharmacycampaigns.Percentagesrefer

totheconversionraterelativetoStageA.

allproxies(23workerbotsonaverage), butshowsstrongspikes

correspondingtonewself-propagationcampaigns. Atpeak, 539

workerbotswereconnectedtoourproxiesatthesametime.

Mostworkersonlyconnectedtoourproxiesonce: 78%ofthe

workersonlyconnectedtoourproxiesasingletime,92%atmost

twice,and99%atmostﬁvetimes. ThemostproliﬁcworkerIP

address,ahostinanacademicnetworkinNorthCarolina, USA,

contactedourproxies269times;furtherinspectionidentiﬁedthis

asaNATegresspointfor 19 individualinfections. Conversely,

mostworkersdonotconnecttomorethanoneproxy:81%ofthe

workersonlyconnectedtoasingleproxy,12%totwo,3%tofour,

4%connectedtoﬁveormore,and90workerbotsconnectedtoall

ofourproxies. Onaverage, workerbotsremainedconnectedfor

40minutes,althoughover40%workersconnectedforlessthana

minute.Thelongestconnectionlastedalmost81hours.

The workers were instructed to send postcard spam to a to-

tal of 83,665,479 addresses, of which 74,901,820 (89.53%) are

unique. TheAprilFoolcampaigntargeted38,651,124addresses,

ofwhich36,909,792 (95.49%)areunique. Pharmacyspamtar-

geted347,590,389addresses,ofwhich213,761,147(61.50%)are

unique. Table2shows the15mostfrequentlytargeteddomains

ofthethreecampaigns.Theindividualcampaigndistributionsare

identicalinorderingandtoaprecisionofonetenthofapercentage,

thereforeweonlyshowtheaggregatebreakdown.

5.2 Spamconversionpipeline

Conceptually,webreakdownspamconversion intoapipeline

withﬁve“ﬁltering”stagesinamannersimilartothatdescribedby

AycockandFriess[6]. Figure6illustratesthispipelineandshows

thetypeofﬁlteringateachstage.Thepipelinestartswithdelivery

listsoftargete-mailaddressessenttoworkerbots(StageA).For

awiderangeofreasons(e.g.,thetargetaddressisinvalid,MTAs

refusedeliverybecauseofblacklists, etc.),workerswillsuccess-

fullydeliveronlyasubsetoftheirmessagestoanMTA(StageB).

PAM

ILTER

HARMACY

OSTCARD

PRIL

OOL

Gmail

0.00683%

0.00176%

0.00226%

Yahoo

0.00173%

0.000542%

none

Hotmail

none

Barracuda

0.131%

N/A

0.00826%

Table4: Numberofmessages deliveredto auser’sinbox as

a fraction of those injected for test accounts at free e-mail

providersandacommercialspamﬁlteringappliance.Thetest

account fortheBarracudaappliancewasnotincludedinthe

Postcardcampaign.

Atthispoint,spamﬁltersatthesitecorrectlyidentifymanymes-

sagesasspam,anddropthemorplacethemasideinaspamfolder.

Theremainingmessageshavesurvivedthegauntletandappearin

auser’sinboxasvalidmessages(StageC).Usersmaydeleteor

otherwiseignorethem,butsomeuserswillactonthespam,click

ontheURLinthemessage,andvisittheadvertisedsite(StageD).

Theseusersmaybrowsethesite,butonlyafraction“convert”on

thespam(StageE)byattemptingtopurchaseproducts(pharmacy)

orbydownloadingandrunninganexecutable(self-propagation).

Weshowthespamﬂowintwoparts,“crawler”and“converter”,

todifferentiatebetweenrealandmasqueradingusers(Section4.4).

Forexample,thedeliverylistsgiventoworkerscontainhoneypot

e-mailaddresses.Workersdeliverspamtothesehoneypots,which

thenusecrawlerstoaccessthesitesreferencedbytheURLinthe

messages(e.g.,ourownSpamscatterproject[3]). Sincewewant

tomeasurethespamconversionrateforactualusers,weseparate

outtheeffectsofautomatedprocesseslikecrawlers—anecessary

aspectofstudyinganartifactthatisalsobeingactivelystudiedby

othergroups[12].

Table3showstheeffectsofﬁlteringateachstageofthecon-

versionpipelineforboththeself-propagationandpharmaceutical

campaigns.Thenumberoftargetedaddresses(A)issimplytheto-

talnumberofaddressesonthedeliverylistsreceivedbytheworker

botsduringthemeasurementperiod,excludingthetestaddresses

weinjected.

Weobtain the number of messages delivered to an MTA (B)

byrelyingon delivery reportsgeneratedbytheworkers. Unfor-

tunately,anexactcountofsuccessfullydeliveredmessagesisnot

possiblebecauseworkersfrequentlychangeproxiesorgoofﬂine,

causingbothextraneous(resultingfromaprevious,non-interposed

proxysession)andmissingdeliveryreports.Wecan,however,es-

timatetheaggregatedeliveryratio(B/A)foreachcampaignusing

thesuccessratioofallobserveddeliveryreports.Thisratioallows

ustothenestimatethenumberofmessagesdeliveredtotheMTA

andeventodosoonaper-domainbasis.

Thenumber ofmessagesdelivered toa user’sinbox (C)isa

much harder valuetoestimate. Wedo notknowwhatspamﬁl-

tering,ifany,isusedbyeachmailprovider,andthenbyeachuser

individually,andthereforecannotreasonablyestimatethisnumber

intotal. Itispossible,however, todeterminethisnumberforin-

dividualmailprovidersorspamﬁlters. Thethreemailproviders

andthespamﬁlteringapplianceweusedinthisexperimenthada

methodforseparatingdeliveredmailsinto“junk”andinboxcat-

egories. Table4givesthenumberofmessagesdeliveredauser’s

inboxforthefreee-mailproviders,whichtogetheraccountedfor

about16.5%ofaddressestargetedbyStorm(Table2),aswellas

ourdepartment’scommercialspamﬁlteringappliance.Itisimpor-

tanttonotethattheseareresultsfromonespamcampaignovera

shortperiodoftimeandshouldnotbeusedasmeasuresoftherel-

ativeeffectivenessforeachservice.Thatsaid,weobservethatthe

popularWebmailprovidersalldoaveryagoodjobatﬁlteringthe

campaignsweobserved,althoughitiscleartheyusedifferentmeth-

odstogetthere(forexample,HotmailrejectsmostStormspamat

theMTA-level,whileGmailacceptsasigniﬁcantfractiononlyto

ﬁlteritlaterasjunk).

Thenumberofvisits(D)isthenumberofaccessestoourem-

ulatedpharmacyandpostcardsites,excludinganycrawlersasde-

terminedusingthemethodsoutlinedinSection4.2. Wenotethat

crawlerrequestscamefromasmallfractionofhostsbutaccounted

forthemajorityofallrequeststoourWebsites.Forthepharmacy

site,forinstance,ofthe11,720uniqueIPaddressesseenaccessing

thesitewithavaliduniqueidentiﬁer,only10.2%wereblacklisted

ascrawlers. Incontrast,55.3%ofalluniqueidentiﬁersusedinre-

questsoriginatedfromthesecrawlers. Forallnon-imagerequests

madetothesite,87.43%weremadebyblacklistedIPaddresses.

Thenumberof conversions(E) is thenumberof visitsto the

purchasepageofthepharmacysite,orthenumberofexecutionsof

thefakeself-propagationprogram.

OurresultsforStormspamcampaignsshowthatthespamcon-

versionrateisquitelow.Forexample,outof350millionpharmacy

campaigne-mailsonly28conversionsresulted(andnocrawlerever

completedapurchasesoerrorsincrawlerﬁlteringplaysnorole).

However,averylowconversionratedoesnotnecessaryimplylow

revenueorproﬁtability.Wediscusstheimplicationsoftheconver-

sionrateonthespamconversionpropositionfurtherinSection8.

5.3 Timetoclick

Theconversionpipelineshowswhatfractionofspamultimately

resulted visits to theadvertised sites. However, itdoes notre-

ﬂectthelatencybetweenwhenthespamwassentandwhenauser

clickedonit. Thelongerittakesuserstoact,thelongerthescam

hostinginfrastructurewillneedtoremainavailabletoextractrev-

enuefromthespam[3]. Putanotherway,howlongdoesaspam-

advertisedsiteneedtobeavailabletocollectitspotentialrevenue?

10s

1min

10min

0.2

0.4

0.6

0.8

Time to click

Fraction of clicks

Crawlers

Users

Converters

Figure7: Time-to-clickdistributionsforaccessestothephar-

macysite.

Figure7showsthecumulativedistributionofthe“time-to-click”

for accessesto thepharmacy site. Thetime-to-clickisthetime

fromwhenspamissent(whenaproxyforwardsaspamworkload

toaworkerbot)towhenauser“clicks”ontheURLinthespam

(whenahostﬁrstaccessestheWebsite). Thegraphshowsthree

distributionsfortheaccessesbyallusers,theuserswhovisitedthe

purchasepage(“converters”),andtheautomatedcrawlers(14,716

such accesses). Notethatwefocusonthepharmacysitesince,

absentauniqueidentiﬁer,wedonothaveamechanismtolinkvisits

totheself-propagationsitetospeciﬁcspammessagesandtheirtime

ofdelivery.

Theuserandcrawlerdistributionsshowdistinctlydifferentbe-

havior. Almost30% ofthecrawleraccesses arewithin20 sec-

onds ofworker botssending spam. Thisbehavior suggeststhat

thesecrawlersareconﬁguredtoscansitesadvertisedinspamim-

mediatelyupondelivery. Another10%ofcrawleraccesseshave

atime-to-clickof1day,suggestingcrawlersconﬁguredtoaccess

spam-advertisedsitesperiodicallyinbatches.Incontrast,only10%

oftheuserpopulationaccessesspamURLsimmediately,andthe

remainingdistributionissmoothwithoutanydistinctmodes. The

distributionsforallusersanduserswho“convert”areroughlysimi-

lar,suggestinglittlecorrelationbetweentime-to-clickandwhether

auser visitingasitewillconvert. Whilemostuser visits occur

within theﬁrst24 hours, 10% oftimes-to-clickareaweek to a

month,indicatingthatadvertisedsitesneedtobeavailableforlong

durationstocapturefullrevenuepotential.

6. EFFECTSOFBLACKLISTING

Amajoreffectontheefﬁcacyofspamdeliveryistheemploy-

mentbynumerousISPsofaddress-basedblacklistingtorejecte-

mailfromhostspreviouslyreportedassourcingspam. Toassess

theimpactofblacklisting, during thecourseofour experiments

wemonitoredtheCompositeBlockingList(CBL)[1],ablacklist

sourceusedbytheoperatorsofsomeofourinstitutions. Atany

giventimetheCBLlistsontheorderof4–6millionIPaddresses

thathavesente-mailtovariousspamtraps.Wewereabletomonitor

theCBLfromMarch21–April2,2008,fromthestartofthePhar-

macycampaignuntiltheendoftheAprilFoolcampaign.Although

themonitoringdoesnotcoverthefullextentofallcampaigns,we

believeourresultstoberepresentativeoftheeffectsofCBLduring

thetimeframeofourexperiments.

Figure9: Geographiclocationsof thehoststhat“convert” onspam: the541 hoststhatexecutetheemulatedself-propagation

program(lightgrey),andthe28hoststhatvisitthepurchasepageoftheemulatedpharmacysite(black).

0.0

0.2

0.4

0.6

0.8

1.0

0.0

0.2

0.4

0.6

0.8

1.0

Delivery Rate Prior to Blacklisting

Delivery Rate Post Blacklisting

lll

l l

lll

l l

lll

open pdf file in asp.net using c# : Add text to pdf file online software control project winforms azure web page UWP 2008-ccs-spamalytics0-part597