figure 1. The Storm spam campaign dataflow and our measurement
and rewriting infrastructure (Section 4). ( 1) Workers request spam
tasks through proxies, ( 2) proxies forward spam workload responses
from master servers, ( 3) workers send the spam, and ( 4) return
delivery reports. our infrastructure infiltrates the c&c channels
between workers and proxies.
Proxy bot 1
Proxy bot 2
Proxy bot 8
to the intended proxy bot. Rules for rewriting can be installed
independently for templates, dictionaries, and email address
target lists. The rewriter logs all C&C traffic between worker
and our proxy bots, between the proxy bots and the master
servers, and all rewriting actions on the traffic.
Measuring spam delivery: To evaluate the effect of spam
filtering along the email delivery path to user inboxes, we
established a collection of test email accounts and arranged
to have Storm worker bots send spam to those accounts.
These accounts were created at several different vantage
points from which we could evaluate the effectiveness of different email filtering methods. When a worker bot reports
success or failure back to the master servers, we remove any
success reports for our email addresses to hide our modifications from the botmaster.
We periodically poll each email account (both inbox and
“junk/spam” folders) for the messages that it received, and
we log them with their timestamps, filtering out any messages not part of this experiment.
Measuring Click-through and Conversion: To evaluate how
often users who receive spam actually visit the sites advertised requires monitoring the advertised sites themselves.
Since it is generally impractical to monitor sites not under
our control, we have used our botnet infiltration method to
arrange to have a fraction of Storm’s spam advertise sites of
our creation instead.
In particular, we have focused on two types of Storm
spam campaigns, a self-propagation campaign designed
to spread the Storm malware (typically under the guise of
advertising an electronic postcard site) and the other advertising a pharmacy site. These are the two most popular
Storm spam campaigns and represent over 40% of recent
Storm activity. 11 We replaced Storm’s links to its own sites
with links to sites under our control, screenshots of which
are shown in Figure 2.
These sites have been “defanged” in two important ways:
the pharmaceutical site does not accept any personal or payment information, and the self-propagation site advertises
a completely benign executable which only phones home to
record an execution and exits.
4. 1. measurement ethics
We have been careful to design experiments that we believe
are both consistent with current U.S. legal doctrine and
are fundamentally ethical as well. While it is beyond the
scope of this paper to fully describe the complex legal landscape in which active security measurements operate, we
believe the ethical basis for our work is far easier to explain:
we strictly reduce harm. First, our instrumented proxy bots
do not create any new harm. That is, absent our involvement, the same set of users would receive the same set of
spam emails sent by the same worker bots. Storm is a large
self-organizing system and when a proxy fails its worker bots
figure 2. Screenshots of the Web sites operated to measure user
click-through and conversion.
(a) Pharmaceutical site