
An Effective Defense Against Email Spam Laundering




Presentation Transcript


  1. An Effective Defense Against Email Spam Laundering Author: Mengjun Xie, Heng Yin, Haining Wang Presented At: CCS’ 06 Prepared By: Amit Shrivastava

  2. Overview • Introduction • Spam Laundering • Anti-spam techniques • Proxy-based spam behavior • DBSpam • Evaluation • Review

  3. Introduction • At the time of the paper (2006), spam accounted for about 60% of all email • Spam has evolved in parallel with anti-spam techniques • Spammers hide their origin behind proxies and compromised computers known as zombies

  4. Introduction (contd.) • The paper detects spam close to its source by monitoring the bidirectional traffic of a network, rather than at the recipient • DBSpam uses "packet symmetry" between the inbound and outbound halves of a proxied SMTP session to detect and break spam laundering inside a network

  5. Spam Laundering (figure: spam proxy)

  6. Anti-Spam Techniques • Existing anti-spam techniques are classified as • "Recipient oriented" • "Sender oriented" • "HoneySpam"

  7. Anti-Spam Techniques (contd.) • Recipient-oriented techniques work at the receiving side • They block spam before it reaches the recipient's mailbox, or • Remove or mark spam already in the recipient's mailbox

  8. Anti-Spam Techniques (contd.) • Recipient-oriented techniques are further classified as content based and non-content based • Content-based filters include • Email address filters • Heuristic filters • Machine-learning-based filters

  9. Anti-Spam Techniques (contd.) • Non-content-based recipient-oriented techniques include • DNSBL • MARID • Challenge-response • Delaying • Sender behavior analysis

  10. Anti-Spam Techniques (contd.) • Sender-oriented techniques • Usage regulations, e.g. blocking outbound port 25 and requiring SMTP authentication • Cost-based approaches, which charge the sender (postage)

  11. Anti-Spam Techniques (contd.) • HoneySpam • A honeypot framework based on honeyd • It deters email address harvesters, poisons spammers' address databases, and blocks spam sent through the open relay / open proxy decoys that HoneySpam sets up

  12. Proxy-based spam behavior (figure: laundry path of proxy spamming)

  13. Proxy-based spam behavior (contd.) • Connection correlation • Along the spam laundry path there is a one-to-one mapping between the upstream connection (spammer to proxy) and the downstream connection (proxy to target MTA) • This connection correlation is characteristic of proxy-based spamming • In normal email delivery from inside the monitored network, the vantage point sees only one connection, from the sender to the receiving MTA, with no paired inbound connection feeding it

  14. Proxy-based spam behavior (contd.) (figure: spam laundering through a single proxy)

  15. Proxy-based spam behavior (contd.) (figure: spam laundering through multiple proxies)

  16. Proxy-based spam behavior (contd.) • Message symmetry at the application layer (each SMTP command and reply is relayed by the proxy) leads to packet symmetry at the network layer • Exception: the one-to-one mapping between inbound and outbound packet streams can be violated • Causes: packet fragmentation, packet compression and packet retransmission

  17. Proxy-based spam behavior (contd.) • Packet symmetry is the key to distinguishing the suspicious upstream / downstream connection pairs along the spam laundry path from normal background traffic

  18. DBSpam • Goals • Fast detection of spam laundering with high accuracy • Breaking spam laundering by throttling or blocking the detected connections • Support for spammer tracking • Support for spam message fingerprinting

  19. DBSpam • DBSpam consists of two major components • A spam detection module, built on a simple connection correlation detection algorithm • A spam suppression module

  20. DBSpam • Deployment of DBSpam • It is placed at a network vantage point that connects a customer network to the Internet, so that it sees both directions of traffic • DBSpam works best when deployed at the primary ISP edge router

  21. DBSpam • For a spam laundry connection pair, the probability that a packet on one connection is mirrored by a packet on the other is essentially 1 • For a normal, unrelated pair of connections such a match occurs only with very small probability • DBSpam decides between the two cases with a statistical method, the "sequential probability ratio test" (SPRT)

  22. DBSpam • The "sequential probability ratio test" (SPRT) updates a running likelihood ratio after each observation and compares it with two bounds • The variable X accumulates the likelihood ratio of the correlation observations (packet mirrored or not) seen so far • The bounds A and B are chosen from the target false positive and false negative rates • If X lies between A and B, the algorithm takes another observation; otherwise it stops and concludes "spam laundering" or "normal traffic"

  23. Evaluation • DBSpam's detection time is determined mainly by the SPRT detection time, i.e. • The number of observations needed to reach a decision • The actual wall-clock time spent collecting those observations
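The following is an added toy model of the connection-correlation and SPRT logic described on slides 13-17 and 21-23; it is not the DBSpam implementation and is not taken from the paper or the slides. Packets are represented as (time, connection, direction) tuples at the vantage point; an observation is 1 when a packet on the upstream connection has a mirror packet in the same direction on the downstream connection within a time window, else 0. The window length, the probabilities P0 and P1, the error targets ALPHA and BETA, and the three traces are constructed, illustrative values (my assumptions), not the paper's parameters. The expected-observation-count formula is Wald's standard approximation for the SPRT, included because slide 23 ties detection time to that count.

```python
"""Toy connection correlation + SPRT (added example; not the DBSpam code)."""
import math
from collections import namedtuple

# A packet seen at the vantage point. direction is relative to the laundry
# path: "fwd" = towards the target MTA, "rev" = reply coming back. For a proxy
# inside the monitored network, "fwd" on the upstream connection is inbound
# traffic and "fwd" on the downstream connection is outbound traffic.
Packet = namedtuple("Packet", "t conn direction")

WINDOW = 0.05          # seconds within which a mirrored packet must appear (assumed)
P1, P0 = 0.9, 0.2      # Pr[observation = 1] under H1 (laundry pair) / H0 (normal); assumed
ALPHA, BETA = 0.01, 0.01  # target false-positive / false-negative rates; assumed


def wald_bounds(alpha, beta):
    """Wald's SPRT thresholds on the log-likelihood ratio (lower, upper)."""
    return math.log(beta / (1 - alpha)), math.log((1 - beta) / alpha)


def correlation_observations(packets, upstream, downstream, window=WINDOW):
    """One Bernoulli observation per upstream packet: 1 if the downstream
    connection carries a packet in the same direction within `window`
    seconds (packet symmetry), else 0."""
    down = [p for p in packets if p.conn == downstream]
    obs = []
    for p in sorted(p for p in packets if p.conn == upstream):
        mirrored = any(q.direction == p.direction and abs(q.t - p.t) <= window
                       for q in down)
        obs.append(1 if mirrored else 0)
    return obs


def sprt(observations, p0=P0, p1=P1, alpha=ALPHA, beta=BETA):
    """Wald's SPRT over Bernoulli observations.
    Returns ("spam" | "normal" | "undecided", observations consumed)."""
    lower, upper = wald_bounds(alpha, beta)
    llr_one = math.log(p1 / p0)                # contribution of an observation of 1
    llr_zero = math.log((1 - p1) / (1 - p0))   # contribution of an observation of 0
    x = 0.0                                    # the accumulated log-likelihood ratio
    for n, o in enumerate(observations, 1):
        x += llr_one if o else llr_zero
        if x >= upper:
            return "spam", n                   # accept H1: laundry pair -> throttle/block
        if x <= lower:
            return "normal", n                 # accept H0: unrelated connections
    return "undecided", len(observations)


def expected_observations(hypothesis, p0=P0, p1=P1, alpha=ALPHA, beta=BETA):
    """Wald's approximation of E[N], the number of observations the SPRT needs
    when `hypothesis` ("H1" or "H0") is true."""
    lower, upper = wald_bounds(alpha, beta)
    llr_one, llr_zero = math.log(p1 / p0), math.log((1 - p1) / (1 - p0))
    if hypothesis == "H1":
        p, stop_upper = p1, 1 - beta   # H1 true: stops at the upper bound w.p. 1-beta
    else:
        p, stop_upper = p0, alpha      # H0 true: stops at the upper bound w.p. alpha
    drift = p * llr_one + (1 - p) * llr_zero
    return (stop_upper * upper + (1 - stop_upper) * lower) / drift


def laundry_trace(n_rounds, retransmit_round=None):
    """Constructed trace of a proxied SMTP session: each round is a command
    relayed forward and a reply relayed back. Optionally adds one upstream
    retransmission, which has no downstream mirror (slide 16's exception)."""
    pk = []
    for i in range(n_rounds):
        t = i * 0.2
        pk.append(Packet(t, "up", "fwd"))           # spammer -> proxy
        pk.append(Packet(t + 0.01, "down", "fwd"))  # proxy -> target MTA
        pk.append(Packet(t + 0.10, "down", "rev"))  # MTA reply -> proxy
        pk.append(Packet(t + 0.11, "up", "rev"))    # proxy -> spammer
        if i == retransmit_round:
            pk.append(Packet(t + 0.09, "up", "fwd"))  # retransmitted command
    return pk


def unrelated_trace(n_rounds):
    """Constructed trace of two unrelated connections whose packets do not
    line up within WINDOW of each other."""
    pk = []
    for i in range(n_rounds):
        t = i * 0.2
        pk += [Packet(t, "up", "fwd"), Packet(t + 0.07, "up", "rev"),
               Packet(t + 0.12, "down", "fwd"), Packet(t + 0.15, "down", "rev")]
    return pk


if __name__ == "__main__":
    for name, trace in (("laundry", laundry_trace(5)),
                        ("laundry+retransmit", laundry_trace(5, retransmit_round=0)),
                        ("unrelated", unrelated_trace(5))):
        obs = correlation_observations(trace, "up", "down")
        print(name, obs, sprt(obs))
    print("E[N|H1] ~ %.2f  E[N|H0] ~ %.2f"
          % (expected_observations("H1"), expected_observations("H0")))
```

With these assumed parameters the laundry pair is flagged after four observations (two SMTP rounds), a single unmirrored retransmission only delays the verdict to six, and the unrelated pair is cleared after three; Wald's approximation gives roughly 3.9 and 3.3 expected observations under H1 and H0, which is the sense in which detection time is dominated by the observation count. A real deployment would also have to bound the packet matching to the suspect connection pair and tune WINDOW to the proxy's relay latency.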

  24. Evaluation (figure)

  25. Strengths • Can detect spam laundering even if the message content is encrypted, because it relies on packet timing rather than content • Low false positives • Does not degrade network performance

  26. Weaknesses • It cannot efficiently detect laundering sessions with few SMTP reply rounds, since each round supplies the observations the SPRT needs • It is most effective only when it can be deployed at an ISP edge router

  27. Improvements • The DBSpam algorithm should be made more efficient so that it can keep up with newly evolving spamming techniques

  28. Thank You
