An Effective Defense Against Email Spam Laundering - PowerPoint PPT Presentation

About This Presentation
Title:

An Effective Defense Against Email Spam Laundering

Description:

An Effective Defense Against Email Spam Laundering Paper by: Mengjun Xie, Heng Yin, Haining Wang Presented at:CCS'06 Presentation by: Devendra Salvi – PowerPoint PPT presentation

Number of Views:112
Avg rating:3.0/5.0
Slides: 34
Provided by: Preferred99
Learn more at: http://www.cs.ucf.edu
Category:

less

Transcript and Presenter's Notes

Title: An Effective Defense Against Email Spam Laundering


1
An Effective Defense Against Email Spam
Laundering
  • Paper by Mengjun Xie, Heng Yin, Haining Wang
  • Presented atCCS'06
  • Presentation by Devendra Salvi

2
Overview
  • Introduction
  • Spam Laundering
  • Anti spam techniques
  • Proxy based spam behavior
  • DBSpam
  • Evaluation
  • Review

3
Introduction
  • Presently spam makes 80 of emails
  • Spam has evolved in parallel with anti spam
    techniques.
  • Spammers hide using, proxies and compromised
    computers

4
Introduction (contd.)
  • Detecting spam at its source by monitoring
    bidirectional traffic of a network
  • DBSpam uses packet symmetry to break spam
    laundering in a network

5
Spam Laundering
Spam Proxy
6
Anti Spam Techniques
  • Existing Anti spam techniques are classified
    into,
  • Recipient Oriented
  • Sender Oriented
  • HoneySpam

7
Anti Spam Techniques (contd.)
  • Recipient Oriented anti-spam techniques functions
  • They block / delay email spam from reaching
    recipients mailbox
  • Or
  • Remove / mark spam in recipients mailbox

8
Anti Spam Techniques (contd.)
  • Recipient Oriented anti-spam techniques are
    further classified as
  • Content based
  • Email address filters
  • Heuristic filters
  • Machine learning based filters
  • Non content based

9
Anti Spam Techniques (contd.)
  • Recipient Oriented anti-spam techniques are
    further classified as
  • Content based
  • Non content based
  • DNSBL
  • MARID
  • Challenge response
  • Tempfailing
  • Delaying
  • Sender behavior analysis

10
Anti Spam Techniques (contd.)
  • Sender Oriented Techniques
  • Usage Regulations
  • E.g. blocking port 25, SMTP authentication
  • Cost based approaches
  • Charge the sender (postage)

11
Anti Spam Techniques (contd.)
  • HoneySpam
  • It is a honeypot framework based on honeyD
  • It deters email address harvesters, poison spam
    address databases and blocks spam that goes
    through the open relay / proxy decoys set by
    HoneySpam

12
Proxy based spam behavior
  • Laundry path of Proxy Spamming

13
Proxy based spam behavior (contd.)
  • Connection Correlation
  • There is one-to-one mapping between the upstream
    and downstream connections along the spam laundry
    path
  • This kind of connection is a common for proxy
    based spamming
  • In normal email delivery there is only one
    connection between sender and receiving MTA

14
Proxy based spam behavior (contd.)
  • Connection Correlation
  • The detection of such spam-proxy-related
    connection correlation is difficult because
  • Spammers may use encryption for content
  • It sits at network vantage points and may induce
    unaffordable overhead

15
Proxy based spam behavior (contd.)
  • Spam laundering for single and multiple proxies

16
Proxy based spam behavior (contd.)
  • Message symmetry at application layer leads to
    packet symmetry at network layer
  • Exception one to one mapping between inbound and
    outbound streams can be violated
  • Reasons packet fragmentation, packet compression
    and packet retransmission

17
Proxy based spam behavior (contd.)
  • The packet symmetry is a key to distinguish the
    suspicious upstream / downstream connections
    along the spam laundry path from normal
    background traffic

18
DBSpam
  • Goals
  • Fast detection of spam laundering with high
    accuracy
  • Breaking spam laundering via throttling or
    blocking after detection
  • Support for spammer tracking
  • Support for spam message fingerprinting

19
DBSpam
  • DBSpam consists of two major components
  • Spam detection module
  • Simple connection correlation detection algorithm
  • Spam suppression module

20
DBSpam
  • Deployment of DBSpam
  • It is placed at a network vantage point which may
    connect costumer network to the Internet
  • DBSpam works well if it is deployed at the
    primary ISP edge router

21
DBSpam
  • Packet symmetry for spam TCP is 1
  • For a normal TCP connection it is one with very
    small probability of occurrence
  • DBSpam uses a statistical method, sequential
    probability ratio test (SPRT)

22
DBSpam
  • sequential probability ratio test (SPRT) checks
    probability between bounds for each observation
  • The algorithm contains a variable X which is
    checked for correlation
  • Variables A and B form the bounds
  • If X is between A and B, the algorithm does
    another iteration, else it stops with a conclusion

23
DBSpam
24
Evaluation
  • How fast DBSpam can detect spam laundering ?
  • How accurate the detection results were ?
  • How many system resources it consumes ?

25
Evaluation
  • DBSpam detection time is mainly decided by the
    SPRT detection time
  • Number of observations needed to reach a decision
  • Actual time spent by SPRT

26
Evaluation
  • SPRT can filter out 95 non-spam traffic in four
    observations

27
Evaluation
  • The actual detection time is approximately 6
    reply rounds of SMTP connection

28
Evaluation
  • Accuracy
  • The probability is less than 0.0002 in all
    traces, indicating that false positive
    probability of SPRT is fairly small
  • False negatives are calculated using ratio of
    number of packets missed to number of spam
    packets missed

29
Evaluation
  • Resource Consumption
  • Trace Information
  • Resource consumption

30
Review
  • Strengths
  • Can detect spam sources by isolating and tracking
    proxies
  • Truncates spam at near its source
  • Can detect spam even if its content is encrypted
  • Low false positives
  • Does not degrade network performance

31
Review
  • Weaknesses
  • It cannot efficiently detect spam with short
    reply rounds
  • Its it more effective if it can be installed on
    an ISP edge router
  • The paper does not discuss about spam suppression
    techniques

32
Review
  • Improvements
  • With evolving spam, DBSpam will have to tweak its
    spam detection algorithm

33
  • Questions ?
Write a Comment
User Comments (0)
About PowerShow.com