Since spammers nowadays use such a tactic, we can also collect spam mails in a more efficient way: instead of waiting at the end-user's mailboxes or spamtraps for mail messages to arrive and then deciding whether or not a message is spam, we directly interact with the servers that are used to send spam messages. The basic idea is that we execute spambots, i.e., malicious software dedicated to sending spam emails, in a controlled (honeypot) environment and collect all email messages sent by the bots. This enables us to directly interact with botnet control servers and collect the current spam messages sent by a specific botnet.
We describe this idea in more detail in a short paper that was published at DIMVA'09. The paper is also available on this blog.
Abstract: With increasing security measures in network services, remote exploitation is getting harder. As a result, attackers concentrate on more reliable attack vectors like email: victims are infected using either malicious attachments or links leading to malicious websites. Therefore efficient filtering and blocking methods for spam messages are needed. Unfortunately, most spam filtering solutions proposed so far are reactive: they require a large amount of both ham and spam messages to efficiently generate rules to differentiate between both. In this paper, we introduce a more proactive approach that allows us to directly collect spam messages by interacting with the spam botnet controllers. We are able to observe current spam runs and obtain a copy of the latest spam messages in a fast and efficient way. Based on the collected information we are able to generate templates that represent a concise summary of a spam run. The collected data can then be used to improve current spam filtering techniques and develop new venues to efficiently filter mails.
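The two building blocks described above, a sandbox that swallows everything a captive spambot tries to send and a template that summarises one spam run, are illustrated by the following added example. It is not code from the paper or from the blog; the `SmtpSink` state machine, the `build_template` function, and the sample bot session and message bodies are all constructed for this illustration. The sink accepts every SMTP command and stores the message instead of relaying it, which is what keeps the bot's output inside the honeypot; the template builder aligns the captured bodies token by token and replaces the positions that vary between messages with a `{VAR}` placeholder.

```python
"""Added example (hypothetical helper code, not the paper's implementation):
an SMTP sink that records what a captive spambot tries to send, plus a
token-level template builder that summarises a spam run."""
import difflib
import re


def _addr(arg):
    """Extract the address from 'FROM:<a@b>' / 'TO:<a@b>' style arguments."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1) if m else arg.partition(":")[2].strip()


class SmtpSink:
    """Minimal SMTP server state machine: accepts every message, delivers nothing."""

    def __init__(self):
        self.messages = []          # captured (sender, recipients, body) tuples
        self._in_data = False
        self._sender, self._rcpts, self._body = None, [], []

    def greeting(self):
        return "220 sink.example ESMTP"

    def feed(self, line):
        """Process one client line; return the reply (None while inside DATA)."""
        if self._in_data:
            if line == ".":                      # end of message
                self._in_data = False
                self.messages.append((self._sender, list(self._rcpts),
                                      "\r\n".join(self._body)))
                self._sender, self._rcpts, self._body = None, [], []
                return "250 OK: queued"
            # RFC 5321 dot-stuffing: a leading ".." encodes a literal "."
            self._body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 sink.example"
        if verb == "MAIL":
            self._sender = _addr(arg)
            return "250 OK"
        if verb == "RCPT":
            self._rcpts.append(_addr(arg))       # record, never deliver
            return "250 OK"
        if verb == "DATA":
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "250 OK"   # accept anything else so the bot keeps talking


def run_session(sink, client_lines):
    """Feed a whole client transcript to the sink; return the server replies."""
    replies = [sink.greeting()]
    for line in client_lines:
        reply = sink.feed(line)
        if reply is not None:
            replies.append(reply)
    return replies


def build_template(bodies):
    """Align bodies token by token; positions that differ become {VAR}."""
    tokens = [b.split() for b in bodies]
    base = tokens[0]
    variable = [False] * len(base)
    for other in tokens[1:]:
        sm = difflib.SequenceMatcher(a=base, b=other, autojunk=False)
        for tag, i1, i2, _, _ in sm.get_opcodes():
            if tag != "equal":
                for i in range(i1, i2):
                    variable[i] = True
    out = []
    for tok, var in zip(base, variable):
        if var:
            if not out or out[-1] != "{VAR}":   # collapse adjacent wildcards
                out.append("{VAR}")
        else:
            out.append(tok)
    return " ".join(out)


# Constructed bot transcript (what a spambot would type at the sink).
SESSION = [
    "EHLO bot.example",
    "MAIL FROM:<sender@example.invalid>",
    "RCPT TO:<victim1@example.invalid>",
    "RCPT TO:<victim2@example.invalid>",
    "DATA",
    "Subject: Cheap meds for Alice",
    "",
    "Hello Alice, buy now at http://example.invalid/a1b2",
    "..hidden dot line",
    ".",
    "QUIT",
]

# Constructed bodies from one "spam run" with per-recipient variation.
SAMPLE_BODIES = [
    "Subject: Cheap meds for Alice\n\nHello Alice, buy now at http://example.invalid/a1b2",
    "Subject: Cheap meds for Bob\n\nHello Bob, buy now at http://example.invalid/c3d4",
    "Subject: Cheap meds for Carol\n\nHello Carol, buy now at http://example.invalid/e5f6",
]

if __name__ == "__main__":
    sink = SmtpSink()
    for reply in run_session(sink, SESSION):
        print(reply)
    print("captured:", sink.messages)
    print("template:", build_template(SAMPLE_BODIES))
```

Pointing a bot at the sink requires the sandbox's network layer to redirect outbound port 25 to it; the sink itself never opens a socket here, it only models the dialogue so the capture logic can be tested offline.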