Using Traffic Analysis to Detect Email Spam Richard Clayton TERENA, Lyngby, 22 nd May 2007.

Slides:



Advertisements
Similar presentations
Who cares about abuse? Rodney Tillotson, JANET-CERT APNIC, August 2001 United Kingdom Education & Research Networking Association.
Advertisements

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Research Summary Nick Feamster. The Big Picture Improving Internet availability by making networks easier to operate Three approaches –From the ground.
1 Effective, secure and reliable hosted security and continuity solution.
Authentication Approaches Phillip Hallam-Baker VeriSign Inc.
Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
Deliverability How We Get You to the Inbox. +98 % Our Deliverability routinely ranks in the high 90s. There’s another way of saying this: We Get Your.
Consortium Conference 13 July 2012 Operational Developments Ian Lehmann Chief Operations Officer London Grid for Learning.
Methods for Stopping Spam James Lick
Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
Protocols and Troubleshooting Brandon Checketts.
1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
Exchange 2003 and SPAM Fighting Emmanuel Ormancey, Rafal Otto Internet Services Group Department of Information Technology CERN 3 June 2015.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
FROM RICHARD RODRIGUES JOHN ANIMALU FELIX SHULMAN THE HONORARY MEMBERS OF THE INTERCONTINENTAL GROUP Information security in real business firewall security.
Electronic Commerce 2. Definition Ecommerce is the process of buying and selling products and services via distributed electronic media, usually the World.
Fighting Spam Randy Appleton Northern Michigan University
Sender policy framework. Note: is a good reference source for SPFhttp://
Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.
1 Fighting Spam at AOL: Lessons Learned and Issues Raised Carl Hutzler Director of Anti-Spam Operations America Online, Inc. 12/9/2005.
1 Authors: Anirudh Ramachandran, Nick Feamster, and Santosh Vempala Publication: ACM Conference on Computer and Communications Security 2007 Presenter:
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
23 October 2002Emmanuel Ormancey1 Spam Filtering at CERN Emmanuel Ormancey - 23 October 2002.
Spam Reduction Techniques Using greylisting and SpamAssassin.
An Effective Defense Against Spam Laundering Paper by: Mengjun Xie, Heng Yin, Haining Wang Presented at:CCS'06 Presentation by: Devendra Salvi.
Size and Cost of the Problem Steve Atkins SpamCon Foundation Word to the Wise.
Team Excel What is SPAM ?. Spam Offense Team Excel '‘a distinctive chopped pork shoulder and ham mixture'' Image Source:Appscout.com.
1 SMTP Transport Configuration SMTP Configurations and Virtual Servers Customizing the SMTP Service.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
Login Screen This is the Sign In page for the Dashboard Enter Id and Password to sign In New User Registration.
1 The Business Case for DomainKeys Identified Mail.
Combating Abuse Brian Nisbet NOC Manager HEAnet.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
Mail Services.
SMTP PROTOCOL CONFIGURATION AND MANAGEMENT Chapter 8.
Login Screen This is the Sign In page for the Dashboard New User Registration Enter Id and Password to sign In.
Lecture 8 Page 1 Advanced Network Security Review of Networking Basics: Internet Architecture, Routing, and Naming Advanced Network Security Peter Reiher.
Perimeter Defenses: Filters and Firewalls Lesson 17.
Client X CronLab Spam Filter Technical Training Presentation 19/09/2015.
Department of Computer Sciences The University of Texas at Austin Zmail : Zero-Sum Free Market Control of Spam Benjamin J. Kuipers, Alex X. Liu, Aashin.
Introduction to Internet Mail Abridged & Updated by Hervey Allen Noah Sematimba Based on Materials by Philip Hazel.
Content Control Stewart Duncan Technical Manager.
Botnet behavior and detection October RONOG Silviu Sofronie – a Head of Forensics.
Tired of Spam? The solution is MailWasher
Modelling Incentives for Blocking Strategies Andrei Serjantov Richard Clayton WEIS 2005 KSG, Harvard 2 nd June 2005.
1 Honeypot, Botnet, Security Measurement, Spam Cliff C. Zou CDA /01/07.
Spamming Botnets: Signatures and Characteristics Yinglian Xie, Fang Yu, Kannan Achan, Rina Panigrahy, Geoff Hulten, and Ivan Osipkov. SIGCOMM, Presented.
Understanding the Network-Level Behavior of Spammers Author: Anirudh Ramachandran, Nick Feamster SIGCOMM ’ 06, September 11-16, 2006, Pisa, Italy Presenter:
Understanding the network level behavior of spammers Published by :Anirudh Ramachandran, Nick Feamster Published in :ACMSIGCOMM 2006 Presented by: Bharat.
Source pictures for document ”Thoughts about increasing spam annoyance” by License: This material may be distributed only subject.
How a major ISP built a new anti-abuse platform Mike O’Reirdan Comcast Distinguished Engineer Internet Systems Engineering Comcast National Engineering.
© 2009 WatchGuard Technologies WatchGuard ReputationAuthority Rejecting Unwanted & Web Traffic at the Perimeter.
CSCE 201 Security Fall CSCE Farkas2 Electronic Mail Most heavily used network-based application – Over 210 billion per day Used across.
LinxChix And Exim. Mail agents MUA = Mail User Agent Interacts directly with the end user  Pine, MH, Elm, mutt, mail, Eudora, Marcel, Mailstrom,
Sender policy framework. Note: is a good reference source for SPFhttp://
Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Role Of Network IDS in Network Perimeter Defense.
CERN - IT Department CH-1211 Genève 23 Switzerland t OIS Update on the anti spam system at CERN Pawel Grzywaczewski, CERN IT/OIS HEPIX fall.
IP packet filtering Breno de Medeiros. Florida State University Fall 2005 Packet filtering Packet filtering is a network security mechanism that works.
[1] Control Spam by the Use of Greylisting Torgny Hallenmark LDC - Computing Center Lund University, Sweden TERENA Networking.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
Anti-Spam Updates Activity Coordination Meeting March 2006 Kevin Hill.
DDoS Attacks on Financial Institutions Presentation
EN Lecture Notes Spring 2016
Filtering Spoofed Packets
Overview What is Spoofing Types of Spoofing
This is the Sign In page for the Dashboard
… and doesn’t Chris Taylor
Presentation transcript:

Using Traffic Analysis to Detect Spam Richard Clayton TERENA, Lyngby, 22 nd May 2007

Summary Log processing for customers Log processing for non-customers Looking at sampled sFlow data

What problems do ISPs have?  Insecure customers –very few real spammers sending directly ! Botnets –compromised end-user machines SOCKS proxies &c –misconfiguration SMTP AUTH –Exchange “admin” accounts + many others

ISP server (smarthost) yahoo.com hotmail.com example.com example.co.uk beispiel.de etc.etc.etc customer ISP team spammer Complaints customer

ISP’s Real Problem Blacklisting of IP ranges & smarthosts Rapid action necessary to ensure continued service to all other customers But reports may go to the blacklist and not to the ISP (or will lack essential details)

ISP server (smarthost) yahoo.com hotmail.com example.com example.co.uk beispiel.de etc.etc.etc customer BLACK LIST spammer Complaints customer

Spotting outgoing spam Expensive to examine outgoing content Legal/contractual issues with blocking –“false positives” could cost you customers Volume is not a good indicator of spam –many customers with occasional mailshots –daily limits only suitable for consumers “Incorrect” sender doesn’t indicate spam –many customers with multiple domains

Key insight Lots of spam is to ancient addresses Lots of spam is to invented addresses Lots of spam is blocked by remote filters Can process server logs to pick out this information. Spam has delivery failures whereas legitimate mainly works

ISP server (smarthost) yahoo.com hotmail.com example.com example.co.uk beispiel.de etc.etc.etc customer ISP team spammer Complaints customer Logs

Log processing heuristics  Report “too many” failures to deliver –more than 20 works pretty well Ignore “bounces” ! –have null “ ” return path, these often fail –detect rejection daemons without paths Ignore “mailing lists” –most destinations work, only some fail (10%) –more than one mailing list is a spam indicator!

Bonus! also detects viruses Common for mass mailing “worms” to use address book (mainly valid addresses) But remote sites may reject malware AND VERY USEFUL! Virus authors don’t know how to say HELO So virus infections are also detected

Smarthost ISP handling MX host The Internet

Heuristics for incoming Simple heuristics on failures work really well –just as for smarthost Multiple HELO lines very common –often match MAIL FROM (to mislead) –may match RCPT TO (? authenticator ?) Look for outgoing to the Internet Pay attention to spam filter results –but need to discount forwarding

:47:15 Size=2199 !!! !!! !!! -> -> :50:22 Size=2206 !!! !!! -> -> -> -> and 31 more valid destinations :59:15 Size=2228 !!! -> -> -> -> -> and 44 more valid destinations

HELO = lrhnow.usa.net :11: > HELO = lkrw.hotmail.com :11:24 -> HELO = pshw.netscape.net :14: > HELO = zmgp.cs.com :18:06 Size= >

log demon Detection of spam (black) and viruses (red)

Incoming reports (all sources) spam (black), viruses (red), reports (blue)

spamHINTS research project The Internet LINX LINX samples 1 in 2000 packets (using sFlow) and makes the port 25 traffic available for analysis…

Known “open server”

Another known “open server”

Look for excessive variation Look at number of hours active compared with number of four hour blocks active Use incoming to Demon to pick out senders of spam and hence annotate them as good or bad… … did this for a large ISP, but problem is that “if it sends, it’s bad”. Nevertheless…

Spamminess vs hours of activity for IPs active in 5 of 6 possible 4 hour periods

So work continues… sFlow data will always be useful to feed back ongoing activity to abuse teams Analysis may improve when both rings instrumented and when data available in real-time (so can compare historic data) Still to consider variations (and lack of variations) in destination as well as time

Summary Processing outgoing server logs works well –keeps smarthosts out of blacklists Processing incoming server logs effective –some sites may see little “looped back” traffic Trying to processing sampled sFlow data –sampling is making it a real challenge –more work needed on good distinguishers

CEAS papers: : Stopping spam by extrusion detection 2005: Examining incoming server logs 2006: Early results from spamHINTS 2007: traffic: A qualitative snapshot

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.