Early Detection of Spam Domains with Passive DNS and SPF
Simon Fernandez (LIG), Maciej Korczyński (LIG), Andrzej Duda (LIG)

TL;DR
This paper presents a method for early detection of spam domains by analyzing passive DNS data and SPF configurations, identifying such domains with high accuracy and few false positives before any malicious emails are sent.
Contribution
It introduces a novel approach combining passive DNS traffic and SPF record analysis for real-time spam domain detection before email campaigns launch.
Findings
High detection accuracy of spam domains using SPF and DNS traffic features
Ability to identify spam domains before they send emails
Low false positive rate in real-world scenarios
Abstract
Spam domains are sources of unsolicited mails and one of the primary vehicles for fraud and malicious activities such as phishing campaigns or malware distribution. Spam domain detection is a race: as soon as the spam mails are sent, taking down the domain or blacklisting it is of limited use, as spammers simply register a new domain for their next campaign. To prevent malicious actors from sending mails, we need to detect them as fast as possible and, ideally, even before the campaign is launched. In this paper, using near-real-time passive DNS data from Farsight Security, we monitor the DNS traffic of newly registered domains and the contents of their TXT records, in particular the configuration of the Sender Policy Framework, an anti-spoofing protocol for domain names and the first line of defense against devastating Business Email Compromise scams. Because spammers and benign…
