UC San Diego

Much of computer security research today engages a hypothetical adversary: one whose aims and methods are either arbitrary or driven by some pre-supposed model of behavior. However, in many cases, the scope, motivation and technical evolution of actual attacks can be quite different and leads to a model where our research frequently trails the "truth on the ground". At the same time, our present ability to gather, process and analyze data concerning Internet activity is unmatched and thus there are tremendous opportunities in advancing a regime of "data-driven security", wherein our understanding of the adversary, of vulnerable users and of the efficacy of our current defenses and interventions can be placed on a strong empirical footing. The spam problem is a primary example where the abundance of available data, enables a data-focused approach for studying it. Also known as unsolicited bulk e-mail, spam is perhaps the only Internet security phenomenon that leaves no one untouched, and has been continuously growing since the first reported complaint in 1978. Spam is essentially an advertising business which is very complex, with a lot of moving parts, and very specialized, with multiple parties involved. In this dissertation, I focus on the infrastructure and parties of the spam ecosystem responsible for monetization, which I define as the spam value chain. I focus on both advertising and click support, the two primary components of the spam value chain, analyze them, and identify the most effective places for intervention. Our results demonstrate that good understanding of the problem at hand is essential for identifying how to efficiently address it. In this dissertation, I look into the spam ecosystem from the perspective of the attackers, in order to get a solid understanding of how they operate, and propose effective defenses at both the advertising and click support components of the spam value chain. I also present various limitations that come with spam feeds. Such datasets have an important role, as they are the basis of most spam-related studies. My work serves as a preliminary motivation to further refine our understanding of these limitations as a research community