Skip to Main Content
Most recent spam emails are being sent by bots which often operate with others in the form of a botnet and in many cases, they contain URLs that navigate spam receivers to malicious Web servers for the purpose of carrying out various cyber attacks such as malware infection, phishing attacks, etc. In order to characterize the infrastructure of spam based attacks and identify botnets, previous research has been focused on clustering spam according to similarities based on email contents or URLs or their domain names. However, there is a fatal weakness in that the three criteria are easily influenced by changes in spam messages and trends. In this paper, we present a new spam clustering method based on IP addresses resolved from URLs within spam emails. By examining three weeks of spam gathered in our SMTP server, we observed that the accuracy of our clustering method is superior to that of domain name and URL based clustering methods, and we have obtained many useful results related to characteristics and clusters of spam that can be utilized for further analysis of spam based attacks.