Chapter 10. Patterns of Activity

In several of the earlier chapters, I stressed the importance of unique text strings that can serve as signatures, or fingerprints, for a particular operation, whether it is a spam campaign, a phishing attempt, or some other scam. Finding the same signatures in other email messages or web sites may allow you to link two or more examples together and perhaps derive more information than each instance could provide by itself.

This chapter shows you some ways to discover good signatures, to search for them, and to use them to track patterns of activity.


A signature can be any unique feature that characterizes an email message, a web page, or a larger entity such as an entire web site. In almost all cases, signatures take the form of unique strings, such as a specific name or URL, but they can also be the organization of files in a directory or the structure of a URL. Strings are much easier to search for than these broader patterns, but both play a role in finding linked documents and sites.

Here are some examples of good signatures that illustrate their diversity:

Unique words

An unusual name of a person or location, or a word from a language other than that used in a document. For example, the username “kentas” in the URL

IP addresses and hostnames

Addresses are inherently specific, but they tend to be changed frequently in spam messages.

Specific URLs and patterns within URLs

Although ...

Get Internet Forensics now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.