Understanding the network level behavior of spammers - PowerPoint PPT Presentation

About This Presentation
Title:

Understanding the network level behavior of spammers

Description:

A list of open-relay mail servers or open proxies or of. IP addresses known to send spam ... FREE BSD. 5.0. 64. Solaris. 2.5.1,2.6,2.7,2.8. 255. Windows. 98 ... – PowerPoint PPT presentation

Slides: 23
Provided by: sag7
Learn more at: http://www.cs.ucf.edu

Transcript and Presenter's Notes

Title: Understanding the network level behavior of spammers


1
Understanding the network level behavior of
spammers
  • Published by Anirudh Ramachandran and Nick Feamster
  • Published in ACM SIGCOMM 2006
  • Presented by Bharat Soundararajan

2
OUTLINE
  • Spam
    - Basics of spam
    - Spam statistics
    - Spamming methods
    - Spam filtering
  • Network level behavior of spam
    - Network level spam filtering
    - Data collection method
    - Tools used for data collection
    - Evaluations
    - Drawbacks

3
SPAM
4
What is Spam?
  • E-mail spam, also known as "bulk e-mail" or "junk
    e-mail," is a subset of spam that involves nearly
    identical messages sent to numerous recipients by
    e-mail.
  • Spammers use unsecured mail servers to send out
    millions of illegitimate emails
  • February 2007: 90 billion spam messages per day

5
Spam statistics
6
Spamming Methods
  • Direct spamming: purchasing upstream connectivity
    from spam-friendly ISPs
  • Open relays and proxies: mail servers that allow
    unauthenticated Internet hosts to connect and relay
    mail through them
  • Botnets: using a worm to infect mail servers and
    sending mail through them, e.g. Bobax
  • BGP spectrum agility: short-lived BGP route
    announcements

7
Botnet command and control
  • Previously captured command-and-control (C&C)
    information is used so that the sinkhole acts as
    the C&C center
  • All bots then try to contact the C&C sinkhole; a
    packet trace collected there determines the
    members of the botnet
  • Using the p0f passive fingerprinting tool, they
    observed that a significantly higher percentage of
    infected hosts run Windows
  • Information collected is not accurate

8
Sinkhole
9
DNS blacklisting
  • A list of open-relay mail servers, open proxies,
    or IP addresses known to send spam
  • Data collected from spam-trap addresses or
    honeypots
  • 80% of all spam received from mail relays appears
    in at least one of eight blacklists
  • 50% of spam was listed in two or more blacklists

10
Spam filtering
  • Spammers are able to easily alter the contents of
    an email
  • SpamAssassin, a spam filter, filters mainly on the
    source IP and other variables that are easily
    changed by spammers
  • Spammers have less flexibility when it comes to
    altering the network-level details of an email

11
Spam filtering by this paper
  • Comparing the sinkhole data with the logs from a
    large ISP
  • Analyzing the network-level behavior using those
    logs and the sinkhole data
  • Updating the filter content using those
    comparisons

12
Network-level Spam Filtering
  • Network-level properties are harder to change
    than content
  • Network-level properties:
    - IP addresses and IP address ranges
    - Change of addresses over time
    - Distribution according to operating system,
      country and AS
    - Characteristics of botnets and short-lived route
      announcements
  • Help develop better spam filters

13
Data collected when the spam is received
  • IP address of the mail relay
  • Trace route to that IP address, to help us
    estimate the network location of the mail relay
  • Passive p0f TCP fingerprint, to determine the
    OS of the mail relay
  • Result of DNS blacklist (DNSBL) lookups for that
    mail relay at eight different DNSBLs
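An added example, not from the slides or the paper, of the DNSBL lookups in slide 13 and the "listed in at least one / two or more of eight blacklists" statistic in slide 9. The DNSBL zone names and the offline DNS answers below are constructed placeholders; a real deployment would resolve the query names over DNS.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Eight DNSBL zones, matching the eight lists the sinkhole queried.
# Hypothetical placeholder names, not the lists used in the paper.
DNSBL_ZONES = [f"bl{i}.example.invalid" for i in range(1, 9)]

def dnsbl_query_name(relay_ip: str, zone: str) -> str:
    """Build the DNSBL query name: the relay's IPv4 octets reversed,
    followed by the list's zone (1.2.3.4 -> 4.3.2.1.<zone>)."""
    ip = ipaddress.IPv4Address(relay_ip)  # rejects malformed input
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"

def is_listed(answer: Optional[str]) -> bool:
    """A DNSBL signals 'listed' by answering with an address in
    127.0.0.0/8; NXDOMAIN (None here) means not listed."""
    return (answer is not None and
            ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"))

def count_listings(relay_ip: str, resolve: Callable[[str], Optional[str]],
                   zones: List[str] = DNSBL_ZONES) -> int:
    """Number of the given DNSBLs that list relay_ip."""
    return sum(is_listed(resolve(dnsbl_query_name(relay_ip, z))) for z in zones)

def listing_summary(relays: List[str], resolve: Callable[[str], Optional[str]],
                    zones: List[str] = DNSBL_ZONES) -> Dict[str, float]:
    """Fraction of relays listed in at least one list and in two or more
    lists: the two statistics the slides quote for the sinkhole's spam."""
    counts = [count_listings(r, resolve, zones) for r in relays]
    n = len(counts)
    return {"at_least_one": sum(c >= 1 for c in counts) / n,
            "two_or_more": sum(c >= 2 for c in counts) / n}

# Constructed offline stand-in for DNS: query name -> A-record answer.
# 192.0.2.10 is on three lists, 198.51.100.7 on one, 203.0.113.5 on none.
FAKE_DNS: Dict[str, str] = {
    "10.2.0.192.bl1.example.invalid": "127.0.0.2",
    "10.2.0.192.bl2.example.invalid": "127.0.0.4",
    "10.2.0.192.bl5.example.invalid": "127.0.0.2",
    "7.100.51.198.bl3.example.invalid": "127.0.0.2",
}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)  # None plays the role of NXDOMAIN

if __name__ == "__main__":
    print(listing_summary(["192.0.2.10", "198.51.100.7", "203.0.113.5"], fake_resolve))
```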

14
Mail avenger
  • A few of the environment variables Mail Avenger
    sets:
    - CLIENT_NETPATH: the network route to the client
    - SENDER: the sender address of the message
    - CLIENT_SYNOS: a guess of the client's operating
      system type

15
Distribution across ASes
Still about 40% of spam comes from the U.S.
16
p0f fingerprinting
  • Passive fingerprinting is a method to learn more
    about the enemy without them knowing it
  • Specifically, you can determine the operating
    system and other characteristics of the remote host
  • TTL: what initial TTL the operating system uses
  • Window size: what window size the operating
    system uses
  • DF: whether the operating system sets the don't
    fragment bit
  • TOS: whether the operating system specified a
    type of service

17
OS guess from TTL values
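An added example, not from the slides, the paper or p0f itself, of the passive OS guess described on the previous slide and the TTL-based guess this slide's title refers to: the observed TTL is rounded up to the nearest common initial value (64, 128, 255) and the normalized SYN fields are matched against a signature table. The signature table and the sample SYN are constructed for illustration; p0f's real database is far richer.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SynFeatures:
    """Fields of a TCP SYN that passive fingerprinting looks at."""
    ttl: int        # IP TTL as observed at the sinkhole
    window: int     # TCP window size
    df: bool        # IP don't-fragment bit set
    tos: int        # IP type-of-service byte

# Toy signature table (constructed): (initial TTL, window, DF, TOS) -> OS
SIGNATURES = {
    (128, 65535, True, 0): "Windows",
    (128, 16384, True, 0): "Windows",
    (64, 5840, True, 0): "Linux",
    (64, 65535, True, 0): "FreeBSD",
    (255, 8760, True, 0): "Solaris",
}

def initial_ttl(observed_ttl: int) -> int:
    """Recover the sender's initial TTL: stacks start at 64, 128 or 255
    and every router hop decrements by one, so round up to the next
    common starting value."""
    if not 0 <= observed_ttl <= 255:
        raise ValueError(f"impossible TTL {observed_ttl}")
    for start in (64, 128, 255):
        if observed_ttl <= start:
            return start
    raise AssertionError("unreachable")

def hops_travelled(observed_ttl: int) -> int:
    """Estimated router hops between the sender and the observer."""
    return initial_ttl(observed_ttl) - observed_ttl

def guess_os(f: SynFeatures) -> Optional[str]:
    """Match the normalized SYN fields against the signature table;
    None means no signature matched (p0f would report UNKNOWN)."""
    return SIGNATURES.get((initial_ttl(f.ttl), f.window, f.df, f.tos))

def guess_os_from_ttl(observed_ttl: int) -> str:
    """Coarser guess from the initial TTL alone, usable even when the
    window size matches no known signature."""
    return {64: "Linux/BSD-like", 128: "Windows",
            255: "Solaris/other"}[initial_ttl(observed_ttl)]

if __name__ == "__main__":
    syn = SynFeatures(ttl=113, window=65535, df=True, tos=0)  # constructed sample
    print(guess_os(syn), hops_travelled(syn.ttl))  # Windows 15
```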
18
Distribution Among Operating Systems
About 4% of known hosts are non-Windows. These
hosts are responsible for about 8% of received
spam.
19
Spam Distribution
IP Space
20
Advantages
  • A key to better and efficient filtering
  • Reporting of information about spam helps in
    updating the blacklist

21
Weaknesses
  • They cannot distinguish between spam obtained
    from different techniques
  • They didn't precisely measure using the Bobax botnet

22
THANK YOU