Abstract
Laundering e-mail spam through open proxies or compromised PCs is a widely used trick in the underground e-mail spam industry to conceal the real spam sources and reduce the cost of spamming. Spammers have plagued the Internet by exploiting a large number of such spam proxies. A facility for breaking spam laundering and deterring spamming activities close to their sources, which would greatly benefit not only e-mail users but also the victim ISPs, is in great demand but still missing. In this article, we reveal one salient characteristic of proxy-based spamming activities, namely packet symmetry, by analyzing protocol semantics and timing causality. Based on the packet symmetry exhibited in spam laundering, we propose a simple and effective technique, DBSpam, to detect and break spam laundering activities online inside a customer network. Monitoring the bidirectional traffic passing through a network gateway, DBSpam applies a simple statistical method, the Sequential Probability Ratio Test, to detect the occurrence of spam laundering in a timely manner. To balance the goals of promptness and accuracy, we introduce a noise-reduction technique in DBSpam, after which the laundering path can be identified more accurately. DBSpam then activates its spam-suppressing mechanism to break the spam laundering. We implement a prototype of DBSpam based on libpcap and validate its efficacy in spam detection and suppression through both theoretical analyses and trace-based experiments.
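To make the detection step concrete, the following is an added illustration (not the DBSpam prototype's code) of a Sequential Probability Ratio Test run at a gateway over per-host packet-symmetry observations, as the abstract describes. The symmetry criterion (an outbound SMTP packet preceded within a short window by an inbound packet from a non-SMTP peer), the hypothesis probabilities, the error targets, the window length and the sample trace are all assumptions made for this example; the paper's own parameters are not given on this page.

```python
import math

# Assumed hypothesis parameters (not from the paper): probability that an outbound
# SMTP packet from an internal host is "symmetric", i.e. preceded within WINDOW
# seconds by an inbound packet from a non-SMTP peer, as a relaying proxy shows.
THETA_PROXY, THETA_CLIENT = 0.9, 0.2   # H1: laundering proxy / H0: benign client
ALPHA, BETA = 0.01, 0.01               # target false-positive / false-negative rates
UPPER = math.log((1 - BETA) / ALPHA)   # log-LR at or above this: accept H1
LOWER = math.log(BETA / (1 - ALPHA))   # log-LR at or below this: accept H0
WINDOW = 0.05                          # assumed timing-causality window (seconds)

def symmetry_observations(packets, host):
    """One Bernoulli observation per outbound SMTP packet of `host`; packets are time-sorted (ts, src, sport, dst, dport)."""
    last_inbound = -math.inf
    for ts, src, sport, dst, dport in packets:
        if dst == host and sport != 25:      # inbound packet that is not an MTA reply
            last_inbound = ts
        elif src == host and dport == 25:    # outbound SMTP packet
            yield ts - last_inbound <= WINDOW

def sprt_classify(packets, host):
    """Wald's SPRT over the symmetry observations of `host`; returns (verdict, observations consumed)."""
    llr, n = 0.0, 0                          # running log-likelihood ratio
    for symmetric in symmetry_observations(packets, host):
        p1, p0 = (THETA_PROXY, THETA_CLIENT) if symmetric else (1 - THETA_PROXY, 1 - THETA_CLIENT)
        llr += math.log(p1 / p0)
        n += 1
        if llr >= UPPER:
            return "laundering", n           # hand off to the suppression step
        if llr <= LOWER:
            return "benign", n
    return "undecided", n                    # not enough evidence yet

def constructed_trace():
    """Constructed sample trace (not real traffic): 10.0.0.5 relays a spammer's session through a SOCKS-style port, 10.0.0.8 is an ordinary mail client."""
    pkts = []
    for i in range(5):
        t = i * 0.5
        pkts.append((t, "203.0.113.9", 50000 + i, "10.0.0.5", 1080))    # spammer -> proxy
        pkts.append((t + 0.01, "10.0.0.5", 40000, "198.51.100.7", 25))  # proxy -> MTA
    for i in range(4):
        t = i * 1.0 + 0.2
        pkts.append((t, "10.0.0.8", 40100, "198.51.100.7", 25))         # client -> MTA
        pkts.append((t + 0.02, "198.51.100.7", 25, "10.0.0.8", 40100))  # MTA reply
    return sorted(pkts)

if __name__ == "__main__":
    for host in ("10.0.0.5", "10.0.0.8"):
        print(host, sprt_classify(constructed_trace(), host))
```

With these parameters the relaying host is flagged after four symmetric outbound packets and the ordinary client is cleared after three asymmetric ones, which is the promptness the SPRT buys; the noise-reduction and suppression steps of the paper are not modelled here.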