Researchers Graph Social Networks to spot Spammers

Spammers, it turns out, aren’t like everyone else: they have fewer friends. That’s according to new research by Microsoft scientists, who have developed a new method of distinguishing attacker-created spam email accounts from legitimate ones. The new finding, from researchers Yinglian Xie and Fang Yu of Microsoft, is described as Social Graphs for Online Service Security. The two are using studies of legitimate and malicious social networks to spot bogus email accounts that are used to push spam, malware, and otherwise malicious links.

The researchers are analyzing natural social connections between users on the Web that are difficult for attackers or botnets to replicate. Spotting a spammer isn’t hard, they say, when you look at his or her patterns of communication.

“If you look at individual malicious-user-created accounts,” Xie tells Rob Knies in a Microsoft Research blog post, “it can be very difficult to tell them from legitimate user accounts. One thing we want to look at is whether we have a way of looking across a large number of users, looking at their connectivity among each other, to be able to differentiate the legitimate user community from the attacker part.

“The intuition here is very simple,” she continues, “if we define connectivity as mutual email exchange, a normal user will talk to other people—send email and receive email. But attackers will mostly send malicious content. They do not receive messages back from legitimate users. Essentially, all the legitimate users are going to be connected in some way into communities. Attackers are more isolated users on the connectivity graph.”

Graphing social networks

The dots on the graph represent assigned or inferred IP addresses, which have been mined from Microsoft’s Hotmail servers.

In studying these graphs, Xie and Yu found legitimate users are enmeshed in the graph, establishing dynamic and multi-directional relationships of sending and receiving messages. In contrast, malicious users lurk on the periphery and only really send unidirectional messages to the center of the graph.
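The mutual-exchange intuition Xie describes can be sketched in a few lines. This is an added illustration, not the researchers' code: the sample log, the account names, and the `min_sent` cutoff (used so that accounts with too little mail to judge are reported separately instead of being flagged) are all assumptions.

```python
from collections import Counter

# Constructed (sender, recipient) log; all account names are made up.
SAMPLE_LOG = [
    ("alice", "bob"), ("bob", "alice"), ("bob", "carol"), ("carol", "bob"),
    ("carol", "dave"), ("dave", "carol"), ("dave", "alice"), ("alice", "dave"),
    ("spam1", "alice"), ("spam1", "bob"), ("spam1", "carol"), ("spam1", "dave"),
    ("spam2", "alice"), ("spam2", "bob"), ("spam2", "carol"), ("newbie", "alice"),
]

def mutual_graph(log):
    """Undirected graph with an edge only where mail flowed both ways."""
    sent = set(log)
    graph = {acct: set() for pair in sent for acct in pair}  # every account
    for a, b in sent:
        if a != b and (b, a) in sent:
            graph[a].add(b)
            graph[b].add(a)
    return graph

def components(graph):
    """Connected components of the mutual-exchange graph (iterative DFS)."""
    seen, comps = set(), []
    for start in graph:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(graph[node] - comp)
        seen |= comp
        comps.append(comp)
    return comps

def classify(log, min_sent=3):
    """Label accounts 'connected', 'isolated' or 'insufficient-data'."""
    graph = mutual_graph(log)
    sent_count = Counter(sender for sender, _ in log)
    core = max(components(graph), key=len)  # largest community
    labels = {}
    for account in graph:
        if account in core:
            labels[account] = "connected"
        elif sent_count[account] < min_sent:
            labels[account] = "insufficient-data"  # new or quiet account
        else:
            labels[account] = "isolated"  # sends mail, never gets a reply
    return labels
```

An "isolated" label is a signal to weigh alongside other reputation data, not a verdict on its own.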

Using patterns of communications to spot spammers is nothing new. Existing online reputation systems also look at the pattern of outbound messages from accounts to spot malicious users.

In recent months, Microsoft has scored a number of victories in its efforts to stem spam. Among other things, the company helped take down the Coreflood and Rustock botnets. The company continues to search for their operators.

  • Richard Schneeman on

    What software was used to produce that graph?

  • Wolter on

    Great... So because I don't keep many friends, and since we rarely have bidirectional email conversations, that makes me a spammer?

    Silver bullets aren't.


  • asmiller-ke6seh on

    Sometimes statistics is an inexact science - but it is a science, nonetheless.

  • Jeremy Epstein on

    An interesting idea, but not a particularly new one. Fraud Sciences (later acquired by PayPal) did essentially the same thing, as described in "Start Up Nation" by Dan Senor and Saul Singer. From page 25: "Good people leave traces of themselves on the Internet - digital footprints - because they have nothing to hide. Bad people don't because they try to hide themselves. All we do is look for footprints. If you can find them, you can minimize risk to an acceptable level and underwrite it." (They developed the technology using the paradigm used to find terrorists.)

  • Anonymous on

    Hoo boy. Bit of a fail, this. For starters because it would get all new accounts marked as "spam", prevent replies, and prevent new users from becoming recognised as "legitimate".

    That this is entirely too simplistic, "corporate security" thinking and leaves little room for society to flourish is easily seen from Epstein's comment, quoting yet another corporate type living in a world where good people are those who willingly submit to big brother and if you don't you're automatically bad, a terrorist even. Yesh, well, no. I have a right to privacy even if I don't have murder on my mind and if that blocks your "research", tough cookies. "Research" isn't about molding society to fit into your simplistic model, you newspeak-spouting poseurs, you.

    Run that thing again on the federalist papers and model whether it would've facilitated or hampered the resulting body of political discourse. Any of you noticed that all the pseudonyms used would've started with exactly no friends?

  • dummm on

    What about legitimate no-reply mailing lists?

  • Lindsay on

    For the majority of us that use social media 'legitimately' this is surely a welcomed application.

    With so many using hi-tech SEO to achieve high level rankings, social media activity can be measured and accredited to genuine businesses/people, who try hard to build a strong online presence.

    I wouldn't be concerned for anyone just starting a social media, there will be an algorithm in place to recognise that.
