Abstract
Despite the considerable effort devoted in recent years to limiting unsolicited mail, spam is still a major global concern. Content-analysis techniques and blacklists, the most popular methods used to identify and block spam, are beginning to lose their edge in the battle. We argue here that, to counter the increasing sophistication of spammers, one needs not only to look into the network-related characteristics of spam traffic, as has been recently suggested, but also to look deeper into the network core. At the same time, local knowledge available at a given server can often be irreplaceable in identifying specific spammers.
To this end, we show in this paper how the local intelligence of mail servers can be gathered and correlated passively, scalably, and with low processing cost at the ISP level, providing valuable network-wide information. First, we use a large network flow trace from a major national ISP to demonstrate that the pre-filtering decisions, and thus the spammer-related knowledge, of individual mail servers can be easily and accurately tracked and combined at the flow level. Then, we argue that such aggregated knowledge allows ISPs not only to monitor remotely what their “own” servers are doing, but also to develop new methods for fighting spam.
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Schatzmann, D., Burkhart, M., Spyropoulos, T. (2009). Inferring Spammers in the Network Core. In: Moon, S.B., Teixeira, R., Uhlig, S. (eds) Passive and Active Network Measurement. PAM 2009. Lecture Notes in Computer Science, vol 5448. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00975-4_23
DOI: https://doi.org/10.1007/978-3-642-00975-4_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-00974-7
Online ISBN: 978-3-642-00975-4
eBook Packages: Computer Science, Computer Science (R0)