Inferring Spammers in the Network Core

Schatzmann, Dominik; Burkhart, Martin; Spyropoulos, Thrasyvoulos

doi:10.1007/978-3-642-00975-4_23

Cited by 14 publications

(18 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In order to validate the additional spammers we detect, we apply the methodology in [10] identify a more complete set addresses. Figure 3 shows the breakdown of these IP addresses.…”

Section: Resultsmentioning

confidence: 99%

“…From the set of 31,927 IP addresses we found 8,653 which exactly match the bot fingerprint, thus almost doubling again our current bot list. Since these are suspected spammers, we again resort to the spam detection methodology in [10] for validation. This test flagged 8,244 (95%) of these addresses as spammers.…”

Section: Resultsmentioning

confidence: 99%

“…In [10], the authors explore the use of flow-based metrics to detect spammers in the network core. By analyzing traces taken at a major national ISP, they find that 81% of mail servers have a spam load in the range of 70-90%.…”

Section: Related Workmentioning

confidence: 99%

“…To validate our results we use the approach described in Schatzmann et al [10]. In this work, the authors explore the use of flow-based metrics to detect spammers in the network core.…”

Section: B Validationmentioning

confidence: 99%

See 3 more Smart Citations

Fingerprinting custom botnet protocol stacks

DiBenedetto

Gadkari

Diel

et al. 2010

2010 6th IEEE Workshop on Secure Network Protocols

View full text Add to dashboard Cite

Abstract-This paper explores the use of TCP fingerprints for identifying and blocking spammers. Evidence has shown that some bots use custom protocol stacks for tasks such as sending spam. If a receiver could effectively identify the bot TCP fingerprint, connection requests from spam bots could be dropped immediately, thus reducing the amount of spam received and processed by a mail server. Starting from a list of known spammers flagged by a commercial reputation list, we fingerprinted each spammer and found the roughly 90% have only a single known fingerprint typically associated with well known operating system stacks. For the spammers with multiple fingerprints, a particular combination of native/custom protocol stack fingerprints becomes very prominent. This allows us to extract the fingerprint of the custom stack and then use it to detect more bots that were not flagged by the commercial service. We applied our methodology to a trace captured at our regional ISP, and clearly detected bots belonging to the Srizbi botnet.

show abstract

“…In order to validate the additional spammers we detect, we apply the methodology in [10] identify a more complete set addresses. Figure 3 shows the breakdown of these IP addresses.…”

Section: Resultsmentioning

confidence: 99%

Section: Resultsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

“…To validate our results we use the approach described in Schatzmann et al [10]. In this work, the authors explore the use of flow-based metrics to detect spammers in the network core.…”

Section: B Validationmentioning

confidence: 99%

See 2 more Smart Citations

Fingerprinting custom botnet protocol stacks

DiBenedetto

Gadkari

Diel

et al. 2010

2010 6th IEEE Workshop on Secure Network Protocols

View full text Add to dashboard Cite

show abstract

“…Schatzmann et al propose a collaborative content-blind approach that an ISP can deploy to facilitate spam blocking, based on size distribution of the incoming SMTP flows [36]. The idea is that SMTP servers that perform pre-filtering terminate spam flows quickly after processing the envelope; hence flow size from these servers can be used to rate client MTAs for the benefit other SMTP servers that might not use prefiltering.…”

Section: Related Workmentioning

confidence: 99%

A large-scale empirical analysis of email spam detection through network characteristics in a stand-alone enterprise

et al. 2014

View full text Add to dashboard Cite

Spam is a never-ending issue that constantly consumes resources to no useful end. In this paper, we envision spam filtering as a pipeline consisting of DNS blacklists, filters based on SYN packet features, filters based on traffic characteristics and filters based on message content. Each stage of the pipeline examines more information in the message but is more computationally expensive. A message is rejected as spam once any layer is sufficiently confident. We analyze this pipeline, focusing on the first three layers, from a single-enterprise perspective. To do this we use a large email dataset collected over two years. We devise a novel ground truth determination system to allow us to label this large dataset accurately. Using two machine learning algorithms, we study (i) how the different pipeline layers interact with each other and the value added by each layer, (ii) the utility of individual features in each layer, (iii) stability of the layers across time and network events and (iv) an operational use case investigating whether this architecture can be practically useful. We find that (i) the pipeline architecture is generally useful in terms of accuracy as well as in an operational setting, (ii) it generally ages gracefully across long time periods and (iii) in some cases, later layers can compensate for poor performance in the earlier layers. Among the caveats we find are that (i) the utility of network features is not as high in the single enterprise viewpoint as reported in other prior work, (ii) major network events can sharply affect the detection rate, and (iii) the operational (computational) benefit of the pipeline may depend on the efficiency of the final content filter.

show abstract

Filtering spam from bad neighborhoods

Wanrooij¹,

Pras

2010

Int J Network Mgmt

View full text Add to dashboard Cite

SUMMARYOne of the most annoying problems on the Internet is spam. To fight spam, many approaches have been proposed over the years. Most of these approaches involve scanning the entire contents of e-mail messages in an attempt to detect suspicious keywords and patterns. Although such approaches are relatively effective, they also show some disadvantages. Therefore an interesting question is whether it would be possible to effectively detect spam without analyzing the entire contents of e-mail messages. The contribution of this paper is to present an alternative spam detection approach, which relies solely on analyzing the origin (IP address) of e-mail messages, as well as possible links within the e-mail messages to websites (URIs). Compared to analyzing suspicious keywords and patterns, detection and analysis of URIs is relatively simple. The IP addresses and URIs are compared to various kinds of blacklists; a hit increases the probability of the message being spam. Although the idea of using blacklists is well known, the novel idea proposed within this paper is to introduce the concept of 'bad neighborhoods'. To validate our approach, a prototype has been developed and tested on our university's mail server. The outcome was compared to SpamAssassin and mail server log files. The result of that comparison was that our prototype showed remarkably good detection capabilities (comparable to SpamAssassin), but puts only a small load on the mail server.

show abstract

Inferring Spammers in the Network Core

Cited by 14 publications

References 6 publications

Fingerprinting custom botnet protocol stacks

Fingerprinting custom botnet protocol stacks

A large-scale empirical analysis of email spam detection through network characteristics in a stand-alone enterprise

Filtering spam from bad neighborhoods

Contact Info

Product

Resources

About