Analysis of SMTP Connection Characteristics for Detecting Spam Relays
Authors: P. J. Sandford, J. M. Sandford, and D. J. Parish
Speaker: Shu-Fen Chiou (邱淑芬)
Outline
• Introduction
• Spam relay detection
• Results
• Conclusion
• Comments
Spam relay
• Sending mail to a destination via a third-party mail server or proxy server in order to hide the address of the source of the mail.
• When e-mail servers (SMTP servers) are used, it is known as an "open relay" or "SMTP relay"; this method was commonly used by spammers in the past, when SMTP servers were not locked down.
• Today, most spam relay is provided by proxy servers and botnets.
Specific problem [diagram: spam relays on many compromised hosts, each sending spam mail to many mail servers]
Legitimate users vs. spam relays
• Number of connections: legitimate users < spam relays
• Connecting to a mail server
  • Legitimate users: a few times an hour.
  • Spam relays: thousands of e-mails every hour, to hundreds of mail servers.
• Daily pattern
  • Legitimate users: can exhibit one.
  • Spam relays: do not exhibit one.
Result (1/6)
• All the examples shown come from a single 24 hour period during Sep. 2005.
• A total of 89,748 hosts were observed.
• 48 hosts had established over 10,000 SMTP connections.
• 4 hosts had established over 50,000 SMTP connections.
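The three characteristics on the slide above, turned into detection logic run over constructed flow records. This is an added example, not code from the paper: the host addresses, server names, fan-out threshold and idle-hour threshold are assumptions, while the 10,000-connection cut-off is taken from the results slide.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2005, 9, 1)  # base date only; the paper's data spans one 24 h period in Sep. 2005

def make_flows():
    """Constructed outbound SMTP (TCP/25) connection records: (timestamp, source, mail server).
    Hosts, servers and counts are illustrative, not data from the paper."""
    flows = []
    # Legitimate client: a few connections to one server, only during waking hours
    for hour in (8, 9, 12, 13, 18, 21):
        flows.append((BASE + timedelta(hours=hour), "10.0.0.1", "mail.example"))
    # Spam relay on a compromised host: steady fan-out to 200 servers, every hour of the day
    for hour in range(24):
        for i in range(500):
            flows.append((BASE + timedelta(hours=hour, minutes=i % 60),
                          "10.0.0.2", f"mx{i % 200}.example"))
    return flows

def profile_hosts(flows):
    """Per source host: total connections, distinct destination servers, connections per hour."""
    hosts = defaultdict(lambda: {"connections": 0, "servers": set(), "hourly": [0] * 24})
    for ts, src, dst in flows:
        p = hosts[src]
        p["connections"] += 1
        p["servers"].add(dst)
        p["hourly"][ts.hour] += 1
    return hosts

def classify(profile, max_connections=10_000, max_servers=100, min_idle_hours=4):
    """Check the three characteristics from the slide. max_connections matches the
    10,000-connection figure in the results; the other two thresholds are assumptions."""
    reasons = []
    if profile["connections"] > max_connections:
        reasons.append("volume")
    if len(profile["servers"]) > max_servers:
        reasons.append("fan-out")
    if profile["hourly"].count(0) < min_idle_hours:  # active round the clock: no daily pattern
        reasons.append("no daily pattern")
    return reasons

def detect_relays(flows):
    """Flag a host on sheer volume alone, or on fan-out combined with a missing daily pattern."""
    flagged = {}
    for src, p in profile_hosts(flows).items():
        reasons = classify(p)
        if "volume" in reasons or {"fan-out", "no daily pattern"} <= set(reasons):
            flagged[src] = reasons
    return flagged
```

Running `detect_relays(make_flows())` flags only 10.0.0.2; the legitimate client stays under every threshold and keeps 18 idle hours.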
Result (2/6) [chart]: home user, total 58,000 SMTP connections
Result (3/6) [chart]: 25,000 connections. Mail bombs occur where very large quantities of e-mail are sent to the same address, rendering the address unusable.
Result (4/6) [chart]: 3,000 connections
Result (6/6) [chart]: total over 1,600,000 connections
Conclusions
• This paper has shown how spam relays installed on compromised hosts could be identified by the ISP networks on which they are hosted.
• Given the large disparity between the SMTP connection profiles of legitimate mail clients and servers and those of spam relays, an automated process could easily be developed to detect spam relays.
Comments
• Proposes a simple method for preventing spam.
• What is the accuracy of identifying a host as a spam relay, and how effective is the method?
• How is the threshold on the number of connections defined, in order to classify a host as a spam relay?