an effective defense against email spam laundering n.
Skip this Video
Loading SlideShow in 5 Seconds..
An Effective Defense Against Email Spam Laundering PowerPoint Presentation
Download Presentation
An Effective Defense Against Email Spam Laundering

Loading in 2 Seconds...

  share
play fullscreen
1 / 28
Download Presentation

An Effective Defense Against Email Spam Laundering - PowerPoint PPT Presentation

marin
102 Views
Download Presentation

An Effective Defense Against Email Spam Laundering

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. An Effective Defense Against Email Spam Laundering Author: Mengjun Xie, Heng Yin, Haining Wang Presented At: CCS’ 06 Prepared By: Amit Shrivastava

  2. Overview • Introduction • Spam Laundering • Anti spam techniques • Proxy based spam behavior • DBSpam • Evaluation • Review

  3. Introduction • Presently spam makes 60% of emails • Spam has evolved in parallel with anti spam techniques. • Spammers hide using, proxies and compromised computers known as zombies

  4. Introduction cont. • Detecting spam at its source by monitoring bidirectional traffic of a network • DBSpam uses “packet symmetry” to break spam laundering in a network

  5. Spam Laundering Spam Proxy

  6. Anti Spam Techniques • Existing “Anti spam techniques” are classified into, • “Recipient Oriented” • “Sender Oriented” • “HoneySpam”

  7. Anti Spam Techniques (contd.) • Recipient Oriented anti-spam techniques functions • They block email spam from reaching recipients mailbox Or • Remove / mark spam in recipients mailbox

  8. Anti Spam Techniques (contd.) • Recipient Oriented anti-spam techniques are further classified as • Content based • Email address filters • Heuristic filters • Machine learning based filters • Non content based

  9. Anti Spam Techniques (contd.) • Recipient Oriented anti-spam techniques are further classified as • Content based • Non content based • DNSBL • MARID • Challenge response • Delaying • Sender behavior analysis

  10. Anti Spam Techniques (contd.) • Sender Oriented Techniques • Usage Regulations • E.g. blocking port 25, SMTP authentication • Cost based approaches • Charge the sender (postage)

  11. Anti Spam Techniques (contd.) • HoneySpam • It is a honeypot framework based on honeyD • It deters “email address harvesters”, poison spam address databases and blocks spam that goes through the open relay / proxy decoys set by HoneySpam

  12. Proxy based spam behavior • Laundry path of Proxy Spamming

  13. Proxy based spam behavior (contd.) • Connection Correlation • There is one-to-one mapping between the upstream and downstream connections along the spam laundry path • This kind of connection is a common for proxy based spamming • In normal email delivery there is only one connection; between sender and receiving MTA

  14. Proxy based spam behavior (contd.) Spam laundering for single proxy

  15. Proxy based spam behavior (contd.) Spam laundering for multiple proxies

  16. Proxy based spam behavior (contd.) • Message symmetry at application layer leads to packet symmetry at network layer • Exception: one to one mapping between inbound and outbound streams can be violated • Reasons: packet fragmentation, packet compression and packet retransmission

  17. Proxy based spam behavior (contd.) • The packet symmetry is a key to distinguish the suspicious upstream / downstream connections along the spam laundry path from normal background traffic

  18. DBSpam • Goals • Fast detection of spam laundering with high accuracy • Breaking spam laundering via throttling or blocking after detection • Support for spammer tracking • Support for spam message fingerprinting

  19. DBSpam • DBSpam consists of two major components • Spam detection module • Simple connection correlation detection algorithm • Spam suppression module

  20. DBSpam • Deployment of DBSpam • It is placed at a network vantage point which may connect costumer network to the Internet • DBSpam works well if it is deployed at the primary ISP edge router

  21. DBSpam • Packet symmetry for spam TCP is 1 • For a normal TCP connection it is one with very small probability of occurrence • DBSpam uses a statistical method, “sequential probability ratio test” (SPRT)

  22. DBSpam • “sequential probability ratio test” (SPRT) checks probability between bounds for each observation • The algorithm contains a variable X which is checked for correlation • Variables A and B form the bounds • If X is between A and B, the algorithm does another observation, else it stops with a conclusion

  23. Evaluation • DBSpam detection time is mainly decided by the SPRT detection time • Number of observations needed to reach a decision • Actual time spent by SPRT

  24. Evaluation

  25. Strengths • Can detect spam even if its content is encrypted • Low false positives • Does not degrade network performance

  26. weakness • It cannot efficiently detect spam with short reply rounds • Its it more effective only if it can be installed on an ISP edge router

  27. Improvements • DBSpam algorithm should be made more efficient so as to detect new evolving spam

  28. . Thank You