Abstract:
Email bombing is a form of Denial of Service (DoS) attack that consists of sending huge volumes of email to one or more email addresses to overflow the mailbox or overwhelm the server where the mailbox is hosted. While this type of attack is not new, we have seen renewed Distributed Denial of Service (DDoS) attacks by email in the past few years via list-linking attacks, where the victim's email address is subscribed to thousands or even tens of thousands of mailing lists. We describe some of the measures that list owners and email service providers have suggested to mitigate such attacks. We then present a case study of a real-world attack, investigating whether characteristics of attack behavior and email attributes surface a workable hypothesis of early detection paradigms. We test our hypothesis on a dataset of hundreds of millions of emails, representing three months of data from 3,000 medium and large organizations. Our technique helped us detect three previously unknown list-linking attacks in the dataset. We determined that anomalous bursts signify meaningful patterns at the user level, but cannot be extrapolated effectively when analyzing bulk enterprise volume data. Effective spam identification in this case needs to consider the unique nature of the messages in the attack, which leads them to exhibit linguistic similarities, combined with their temporal proximity. We recommend a layered approach to detection and throttling through per-user volume and time-based methodologies paired with phrasal pattern recognition.
Date of Conference: 15-17 May 2018
Date Added to IEEE Xplore: 11 June 2018
ISBN Information:
Electronic ISSN: 2159-1245