Case Study

Distilling Malicious Campaigns in Spam

14 pages

This paper introduces a technique used by the Infoblox Cyber Intelligence Unit to identify malicious campaigns from email spam. The methods described here allow us to automatically process large volumes of data and focus our resources for manual analysis. In this sense, the techniques act as a sieve for email spam. Specifically, we use bipartite graphs constructed from email metadata and compute the set of connected components within them to identify likely individual campaigns. We studied the results of these graph algorithms over an 18-month period and have developed a set of best practices for their use. We have not seen a similar practice published elsewhere, so we present the results of our research and describe the methods we used.
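An added illustration of the connected-components idea described above, not code from the paper or from Infoblox. It assumes the two node sets are sending IPs and subject lines (the page does not say which metadata fields are used); the sample records, the `campaigns` function and its `min_emails` threshold are constructed for this example.

```python
from collections import defaultdict

# Constructed sample metadata: (sending_ip, subject). Not real data.
SAMPLE = [
    ("192.0.2.10", "Invoice 4471 overdue"),
    ("192.0.2.11", "Invoice 4471 overdue"),
    ("192.0.2.11", "Payment reminder"),
    ("198.51.100.7", "Your parcel is waiting"),
    ("198.51.100.8", "Your parcel is waiting"),
    ("203.0.113.5", "Weekly newsletter"),
]

def find(parent, node):
    """Return the component root of node, halving the path on the way up."""
    while parent[node] != node:
        parent[node] = parent[parent[node]]
        node = parent[node]
    return node

def campaigns(records, min_emails=2):
    """Cluster records by connected component of the IP/subject bipartite graph.

    Each record is one edge. Nodes are tagged with their side so an IP and a
    subject can never collide. min_emails is an assumed triage threshold that
    drops components too small to be worth manual analysis.
    """
    parent = {}
    for ip, subject in records:
        left, right = ("ip", ip), ("subject", subject)
        parent.setdefault(left, left)
        parent.setdefault(right, right)
        root_l, root_r = find(parent, left), find(parent, right)
        if root_l != root_r:
            parent[root_l] = root_r  # merge the two components
    groups = defaultdict(lambda: {"ips": set(), "subjects": set(), "emails": 0})
    for ip, subject in records:
        group = groups[find(parent, ("ip", ip))]
        group["ips"].add(ip)
        group["subjects"].add(subject)
        group["emails"] += 1
    kept = [g for g in groups.values() if g["emails"] >= min_emails]
    return sorted(kept, key=lambda g: -g["emails"])

if __name__ == "__main__":
    for number, group in enumerate(campaigns(SAMPLE), 1):
        print(number, group["emails"], sorted(group["ips"]), sorted(group["subjects"]))
```

The two invoice-themed subjects land in one component only because `192.0.2.11` sent both, which is the linking behaviour that lets a component stand in for a likely campaign.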