Identifying New Spam Domains by Hosting IPs: Improving Domain Blacklisting

This paper studies the possibility of using hosting IP addresses to identify potential spam domains. Current domain blacklisting may not be effective if spammers keep replacing blacklisted domains with newly registered domains. In this study, we cluster spam domains based on their hosting IP addresses and associated email subjects. We found some hosting IP addresses were heavily used by spammers to host a large number of domains and persisted for much longer period of time than related domains. Our results show that hosting IP blacklisting should be effective against many point-of-sale spam campaigns, such as pharmaceutical, sexual enhancement and luxury good spam, which mainly use static IP addresses to host their websites. The IP addresses remain active from several days to even a couple of months before replaced by a set of new IPs. Therefore, even when new spam domains appear from time to time, they can be immediately detected as spam domains by looking up the hosting IP address. The reported IP addresses are also useful for law enforcement investigators to identify ISPs that provide bulletproof hosting services to spammers. The detection and termination of spam domains and their hosts will severely impede spammers’ capability to generate revenue from spam.