Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Effective Defense Against Email Spam Laundering Author: Mengjun Xie, Heng Yin, Haining Wang Presented At: CCS’ 06 Prepared By: Amit Shrivastava.

Published byAbraham Snow Modified over 8 years ago

Similar presentations

Presentation on theme: "An Effective Defense Against Email Spam Laundering Author: Mengjun Xie, Heng Yin, Haining Wang Presented At: CCS’ 06 Prepared By: Amit Shrivastava."— Presentation transcript:

1 An Effective Defense Against Email Spam Laundering Author: Mengjun Xie, Heng Yin, Haining Wang Presented At: CCS’ 06 Prepared By: Amit Shrivastava

2 Overview Introduction Spam Laundering Anti spam techniques Proxy based spam behavior DBSpam Evaluation Review

3 Introduction Presently spam makes 60% of emails Spam has evolved in parallel with anti spam techniques. Spammers hide using, proxies and compromised computers known as zombies

4 Introduction cont. Detecting spam at its source by monitoring bidirectional traffic of a network DBSpam uses “packet symmetry” to break spam laundering in a network

5 Spam Laundering Spam Proxy

6 Anti Spam Techniques Existing “Anti spam techniques” are classified into, 1. “Recipient Oriented” 2. “Sender Oriented” 3. “HoneySpam”

7 Anti Spam Techniques (contd.) Recipient Oriented anti-spam techniques functions They block email spam from reaching recipients mailbox Or Remove / mark spam in recipients mailbox

8 Anti Spam Techniques (contd.) Recipient Oriented anti-spam techniques are further classified as Content based Email address filters Heuristic filters Machine learning based filters Non content based

9 Anti Spam Techniques (contd.) Recipient Oriented anti-spam techniques are further classified as Content based Non content based DNSBL MARID Challenge response Delaying Sender behavior analysis

10 Anti Spam Techniques (contd.) Sender Oriented Techniques Usage Regulations  E.g. blocking port 25, SMTP authentication Cost based approaches  Charge the sender (postage)

11 Anti Spam Techniques (contd.) HoneySpam It is a honeypot framework based on honeyD It deters “email address harvesters”, poison spam address databases and blocks spam that goes through the open relay / proxy decoys set by HoneySpam

12 Proxy based spam behavior Laundry path of Proxy Spamming

13 Proxy based spam behavior (contd.) Connection Correlation There is one-to-one mapping between the upstream and downstream connections along the spam laundry path This kind of connection is a common for proxy based spamming In normal email delivery there is only one connection; between sender and receiving MTA

14 Proxy based spam behavior (contd.) Spam laundering for single proxy

15 Proxy based spam behavior (contd.) Spam laundering for multiple proxies

16 Proxy based spam behavior (contd.) Message symmetry at application layer leads to packet symmetry at network layer Exception: one to one mapping between inbound and outbound streams can be violated Reasons: packet fragmentation, packet compression and packet retransmission

17 Proxy based spam behavior (contd.) The packet symmetry is a key to distinguish the suspicious upstream / downstream connections along the spam laundry path from normal background traffic

18 DBSpam Goals Fast detection of spam laundering with high accuracy Breaking spam laundering via throttling or blocking after detection Support for spammer tracking Support for spam message fingerprinting

19 DBSpam DBSpam consists of two major components Spam detection module Simple connection correlation detection algorithm Spam suppression module

20 DBSpam Deployment of DBSpam It is placed at a network vantage point which may connect costumer network to the Internet DBSpam works well if it is deployed at the primary ISP edge router

21 DBSpam Packet symmetry for spam TCP is 1 For a normal TCP connection it is one with very small probability of occurrence DBSpam uses a statistical method, “sequential probability ratio test” (SPRT)

22 DBSpam “sequential probability ratio test” (SPRT) checks probability between bounds for each observation The algorithm contains a variable X which is checked for correlation Variables A and B form the bounds If X is between A and B, the algorithm does another observation, else it stops with a conclusion

23 Evaluation DBSpam detection time is mainly decided by the SPRT detection time Number of observations needed to reach a decision Actual time spent by SPRT

24 Evaluation

25 Strengths Can detect spam even if its content is encrypted Low false positives Does not degrade network performance

26 weakness It cannot efficiently detect spam with short reply rounds Its it more effective only if it can be installed on an ISP edge router

27 Improvements DBSpam algorithm should be made more efficient so as to detect new evolving spam

28 . Thank You

Download ppt "An Effective Defense Against Email Spam Laundering Author: Mengjun Xie, Heng Yin, Haining Wang Presented At: CCS’ 06 Prepared By: Amit Shrivastava."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.

Detecting Spam Zombies by Monitoring Outgoing Messages Zhenhai Duan Department of Computer Science Florida State University.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.

RB-Seeker: Auto-detection of Redirection Botnet Presenter: Yi-Ren Yeh Authors: Xin Hu, Matthew Knysz, Kang G. Shin NDSS 2009 The slides is modified from.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,

Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,
UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering An Effective Defense Against Spam Laundering Mengjun Xie, Heng Yin, Haining.

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering An Effective Defense Against Spam Laundering Mengjun Xie, Heng Yin, Haining.
Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,

Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
EE 4272Spring, 2003 Protocols & Architecture A Protocol Architecture is the layered structure of hardware & software that supports the exchange of data.

EE 4272Spring, 2003 Protocols & Architecture A Protocol Architecture is the layered structure of hardware & software that supports the exchange of data.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.

Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.
BotGraph: Large Scale Spamming Botnet Detection Yao Zhao Yinglian Xie *, Fang Yu *, Qifa Ke *, Yuan Yu *, Yan Chen and Eliot Gillum ‡ EECS Department,

BotGraph: Large Scale Spamming Botnet Detection Yao Zhao Yinglian Xie *, Fang Yu *, Qifa Ke *, Yuan Yu *, Yan Chen and Eliot Gillum ‡ EECS Department,
Office 365 SMTP Relay June 2013. Relay Method Send to rcpts in domain Relay to Internet via O365 Configuration Requirements Requires Authentication.

Office 365 SMTP Relay June Relay Method Send to rcpts in domain Relay to Internet via O365 Configuration Requirements Requires Authentication.

Similar presentations

Ads by Google