An Effective Defense Against Email Spam Laundering
Authors: Mengjun Xie, Heng Yin, Haining Wang
Presented at: CCS '06
Prepared by: Amit Shrivastava

Overview
• Introduction
• Spam Laundering
• Anti-spam techniques
• Proxy-based spam behavior
• DBSpam
• Evaluation
• Review

Introduction
• Spam currently makes up 60% of all email
• Spam has evolved in parallel with anti-spam techniques
• Spammers hide behind proxies and compromised computers known as zombies

Introduction (contd.)
• Detect spam at its source by monitoring the bidirectional traffic of a network
• DBSpam uses "packet symmetry" to break spam laundering inside a network

Spam Laundering
• [Figure: spam proxy]

Anti-Spam Techniques
• Existing anti-spam techniques are classified into:
  • "Recipient Oriented"
  • "Sender Oriented"
  • "HoneySpam"

Anti-Spam Techniques (contd.)
• Recipient-oriented anti-spam techniques either
  • block email spam from reaching the recipient's mailbox, or
  • remove / mark spam in the recipient's mailbox

Anti-Spam Techniques (contd.)
• Recipient-oriented anti-spam techniques are further classified as
  • Content based
    • Email address filters
    • Heuristic filters
    • Machine learning based filters
  • Non content based
    • DNSBL
    • MARID
    • Challenge response
    • Delaying
    • Sender behavior analysis

Anti-Spam Techniques (contd.)
• Sender-oriented techniques
  • Usage regulations, e.g. blocking port 25, SMTP authentication
  • Cost-based approaches: charge the sender (postage)

Anti-Spam Techniques (contd.)
• HoneySpam
  • A honeypot framework based on honeyd
  • It deters email address harvesters, poisons spammers' address databases, and blocks spam sent through the open relay / proxy decoys that HoneySpam sets up

Proxy-based spam behavior
• [Figure: laundry path of proxy spamming]

Proxy-based spam behavior (contd.)
• Connection correlation
  • There is a one-to-one mapping between the upstream and downstream connections along the spam laundry path
  • This kind of connection pairing is common to proxy-based spamming
  • In normal email delivery there is only one connection, between the sender and the receiving MTA

Proxy-based spam behavior (contd.)
• [Figure: spam laundering through a single proxy]

Proxy-based spam behavior (contd.)
• [Figure: spam laundering through multiple proxies]

Proxy-based spam behavior (contd.)
• Message symmetry at the application layer leads to packet symmetry at the network layer
• Exception: the one-to-one mapping between inbound and outbound packet streams can be violated
• Reasons: packet fragmentation, packet compression and packet retransmission

Proxy-based spam behavior (contd.)
• Packet symmetry is the key to distinguishing the suspicious upstream / downstream connections along the spam laundry path from normal background traffic

DBSpam
• Goals
  • Fast detection of spam laundering with high accuracy
  • Breaking spam laundering via throttling or blocking after detection
  • Support for spammer tracking
  • Support for spam message fingerprinting

DBSpam
• DBSpam consists of two major components
  • Spam detection module, built on a simple connection correlation detection algorithm
  • Spam suppression module

DBSpam
• Deployment of DBSpam
  • It is placed at a network vantage point that connects a customer network to the Internet
  • DBSpam works well if it is deployed at the primary ISP edge router

DBSpam
• For a spam laundering TCP connection pair the packet symmetry is 1
• A normal TCP connection reaches a packet symmetry of 1 only with very small probability
• DBSpam therefore uses a statistical method, the sequential probability ratio test (SPRT)

DBSpam
• The sequential probability ratio test (SPRT) checks, after each observation, whether the running probability ratio lies between two bounds
• The algorithm maintains a variable X that is tested for correlation
• Variables A and B form the lower and upper bounds
• If X lies between A and B, the algorithm takes another observation; otherwise it stops and reports a conclusion

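As an added illustration (not from the paper or these slides), the SPRT decision loop from this slide in Python, fed by a constructed packet-matching rule: observation 1 when an upstream packet is mirrored by a downstream packet within a short window. The bounds A and B are Wald's standard thresholds derived from the tolerated false-positive rate alpha and false-negative rate beta; the match window and the probabilities p0/p1 are assumed values, not DBSpam's parameters.

```python
import math

# Assumed illustration values, not the paper's parameters: p0 is the chance a
# normal connection's packet happens to be mirrored downstream, p1 the chance
# a laundering proxy's packet is mirrored downstream.
P0, P1 = 0.1, 0.9

def sprt_bounds(alpha, beta):
    """Wald's thresholds on the log-likelihood ratio X: stop with 'normal' when
    X <= ln A, with 'spam-proxy' when X >= ln B, otherwise keep observing.
    alpha = tolerated false-positive rate, beta = tolerated false-negative rate."""
    return math.log(beta / (1 - alpha)), math.log((1 - beta) / alpha)

def observe_symmetry(upstream, downstream, window=0.05):
    """Constructed matching rule (assumption, not the paper's exact method): an
    upstream packet timestamp gives observation 1 if an unused downstream packet
    appears within `window` seconds after it, else 0."""
    ds, j, obs = sorted(downstream), 0, []
    for t in sorted(upstream):
        while j < len(ds) and ds[j] < t:
            j += 1  # downstream packets sent before t cannot mirror it
        matched = j < len(ds) and ds[j] - t <= window
        obs.append(1 if matched else 0)
        if matched:
            j += 1  # a downstream packet mirrors at most one upstream packet
    return obs

def sprt_correlation(observations, alpha=0.01, beta=0.01, p0=P0, p1=P1):
    """Run the SPRT over 0/1 symmetry observations; return (verdict, n_used)."""
    ln_a, ln_b = sprt_bounds(alpha, beta)
    x = 0.0
    for n, y in enumerate(observations, start=1):
        # Each observation shifts X by the log-likelihood ratio of that outcome.
        x += math.log(p1 / p0) if y else math.log((1 - p1) / (1 - p0))
        if x >= ln_b:
            return "spam-proxy", n
        if x <= ln_a:
            return "normal", n
    return "undecided", len(observations)

if __name__ == "__main__":
    # Constructed timestamps (seconds). Proxy: every inbound packet is relayed
    # 10-30 ms later. Normal host: outbound packets do not track inbound ones.
    up = [0.00, 0.50, 1.00, 1.50, 2.00]
    proxy_down = [0.02, 0.53, 1.01, 1.52, 2.01]
    normal_down = [0.30, 0.80, 1.30]
    print(sprt_correlation(observe_symmetry(up, proxy_down)))   # ('spam-proxy', 3)
    print(sprt_correlation(observe_symmetry(up, normal_down)))  # ('normal', 3)
```

With alpha = beta = 0.01 and these p0/p1, three consecutive mirrored packets already push X past ln B, which is why the detection time depends mainly on how many observations the SPRT needs.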
Evaluation
• DBSpam detection time is mainly determined by the SPRT detection time
  • Number of observations needed to reach a decision
  • Actual time spent by SPRT

Strengths
• Can detect spam even if its content is encrypted
• Low false positives
• Does not degrade network performance

Weaknesses
• It cannot efficiently detect spam with short reply rounds
• It is only effective if it can be installed on an ISP edge router

Improvements
• The DBSpam algorithm should be made more efficient so that it can detect newly evolving spam

Thank You