Anticipating New Spam Domains Through Machine Learning
Researchers from France have devised a method for identifying newly-registered domains that are likely to be used in a 'hit and run' fashion by high-volume email spammers – sometimes, even before the spammers have sent out one unwanted email. The technique is based on analysis of the way that the Sender Policy Framework (SPF), a method of verifying email provenance, has been set up on newly-registered domains. Thanks to the use of passive DNS (Domain Name System) sensors, the researchers were able to obtain near real-time DNS data from Seattle-based company Farsight, yielding SPF activity for TXT records for a range of domains. Using a class weight algorithm originally designed for processing imbalanced medical data, and implemented in the scikit-learn machine learning Python library, the researchers were able to detect three quarters of the pending spam domains within moments, or even in advance of their operation. 'With a single request to the TXT record, we detect 75% of the spam domains, possibly before the start of the spam campaign.
Oct-22-2022, 03:35:23 GMT