The Spampots Project, coordinated by CERT.br and part of the honeyTARG Honeynet Project, uses low-interaction honeypots to gather data related to the abuse of the Internet infrastructure by spammers. The main goals are:
- measure the problem from a different point of view: abuse of infrastructure versus spam received at the destination
- help develop the spam characterization research
- measure the abuse of network infrastructure to send spam
- develop better ways to:
  - identify phishing and malware
  - identify botnets via the abuse of open proxies and relays
Data Mining Research
The spam characterization and data mining research, SpamMining, is being developed by the e-Speed Laboratory, from the Federal University of Minas Gerais (UFMG) Computer Science Department (DCC).
The SpamMining is led by:
Current Setup
Currently we have sensors deployed in 09 countries. These sensors were deployed with the invaluable help and cooperation of these organizations: AusCERT (Australia), CERT.at (Austria), CLCERT (Chile), CSIRT ANTEL (Uruguay), CSIRT USP (Brazil), CSIRT UTPL (Ecuador), SurfCERT (Netherlands) and TWCERT (Taiwan).
All data is collected periodically by CERT.br and used to generate statistics of the current behaviour. It is also stored on the data analysis servers, to be processed by the SpamMining team. This is an overview of the architecture:
In a previous setup, from 2006 to 2007, the honeypots were located only in Brazilian broadband networks and were used to understand the abuse of these specific networks. Information about this first phase of the project can be found here:
- CERT.br Conferences' Presentations, which include several about the current and previous phases.
- Preliminary Results of the SpamPots Projects (whitepaper in Portuguese)
Papers in English
- Exploring the Spam Arms Race to Characterize Spam Evolution
Pedro H. Calais Guerra, Dorgival Guedes, Wagner Meira Jr., Cristine Hoepers, Marcelo H. P. C. Chaves, Klaus Steding-Jessen.
Collaboration, Electronic messaging, Anti-Abuse and Spam Conference (CEAS'10), 2010, Redmond, USA.
PDF File (240 KB)
- Spam Miner: A Platform for Detecting and Characterizing Spam Campaigns (demo paper)
Pedro H. Calais Guerra, Douglas Pires, Marco Túlio Ribeiro, Dorgival Guedes, Wagner Meira Jr., Cristine Hoepers, Marcelo H. P. C. Chaves, Klaus Steding-Jessen.
International Conference on Knowledge Discovery and Data Mining (KDD'09), 2009, Paris, France.
PDF File (400 KB)
- Spamming Chains: A New Way of Understanding Spammer Behavior
Pedro H. Calais Guerra, Dorgival Guedes, Wagner Meira Jr., Cristine Hoepers, Marcelo H. P. C. Chaves, Klaus Steding-Jessen.
Sixth Conference on e-Mail and Anti-Spam (CEAS'09), 2009, Mountain View, USA.
PDF File (4.2 MB)
- A Campaign-based Characterization of Spamming Strategies
Pedro H. Calais Guerra, Douglas Pires, Dorgival Guedes, Wagner Meira Jr., Cristine Hoepers, Klaus Steding-Jessen.
Fifth Conference on e-Mail and Anti-Spam (CEAS'08), 2008, Mountain View, USA.
PDF File (240 KB)
Papers in Portuguese
- Identificação e Caracterização de Spammers a partir de Listas de Destinatários
Pedro H. Calais Guerra, Marco Túlio Ribeiro, Dorgival Guedes, Wagner Meira Jr., Cristine Hoepers, Marcelo H. P. C. Chaves, Klaus Steding-Jessen.
Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos (SBRC'10), 2010, Gramado, RS, Brazil.
PDF File (512 KB)
- Caracterização do Encadeamento de Conexões para Envio de Spams
Pedro H. Calais Guerra, Dorgival Guedes, Wagner Meira Jr., Cristine Hoepers, Marcelo H. P. C. Chaves, Klaus Steding-Jessen.
XXVII Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos (SBRC'09), 2009, Recife, Brazil.
PDF File (4.1 MB)
- Caracterização de Estratégias de Disseminação de Spams
Pedro H. Calais Guerra, Dorgival Guedes, Wagner Meira Jr., Cristine Hoepers, Klaus Steding-Jessen.
XXVI Simpósio Brasileiro de Redes de Computadores e Sistemas Distribuídos (SBRC'08), 2008, Rio de Janeiro, Brazil.
PDF File (320 KB)