Presentation is loading. Please wait.

Presentation is loading. Please wait.

Spam detection using IP geolocation O-talk Andriy Stetsko.

Published byBasil Oliver Dawson Modified over 8 years ago

Similar presentations

Presentation on theme: "Spam detection using IP geolocation O-talk Andriy Stetsko."— Presentation transcript:

1 Spam detection using IP geolocation O-talk Andriy Stetsko

2 2 Outline Possible sources of geolocation data Overview of available geolocation databases Results of tests of selected geoip databases performance test coverage & accuracy tests Results of tests of Bayes classifier detection accuracy when geolocation information IS NOT used geolocation information IS used

3 3 Sources of geolocation data (1) Public WHOIS database maps IPs & real-world entries organization address ≠ geolocation of IP Users answer to location questions on web-site entries can be wrong Applications HTTP Accept-Charset header sent by browser not always available can be falsified

4 4 Sources of geolocation data (2) Round trip time to landmark ICMP echo message not all target hosts respond to ICMP echo target host may consider it as attack poor with regard to hosts with high latency connections target host can delay its replies ISP obtain (purchase) network topology

5 5 Overview of geolocation databases (1) IP2Location 18 databases MaxMind GeoIP Country, GeoIP City GeoLite Country, GeoLite City Quova Digital-element IPligence Lite, Basic, Max Lite Free

6 6 Overview of geolocation databases (2) Geobytes IPInfoDB (compiled from GeoLite City) Country City ● 3 IP digits precision ● 4 IP digits precision Software77 IP::Country::Fast IP::Country::DB_File built from publicly available statistics files of Regional Internet Registries

7 7 Databases to test

8 8 Performance test Test measures time needed to process 1000000 requests Test was repeated 10 times for each database

9 9 Coverage & accuracy tests (1) Test was done for 840 IP addresses Coverage = (840 - #Uncovered) / 840 Accuracy = (840 - #Incorrect) / 840

10 10 Coverage & accuracy tests (2) Database #3 Database #4

11 11 Bayes detection accuracy (1) SpamAssassin v. 3.3.1 running on Perl v. 5.10.1 RelayCountry plugin analyses “Received” headers adds “X-Relay-Countries” header Database of e-mails 10762 spam & 9072 ham e-mails contain headers added by spam detection software

12 12 Bayes detection accuracy (2) Test #4: No difference between detection accuracy of Bayes classifier when RelayCountry plugin is used and when it is not used

13 13 Bayes detection accuracy (3) Test #1 and #2: introduction of geolocation info increased detection accuracy but not so much ham recognition accuracy was the same in both cases detection accuracy in Test#2 was worse than in Test#1 Test #3: detection accuracy was higher than in Tests #1 and #2

14 14 Conclusion & future work Geolocation info increases detection accuracy of SpamAssassin Bayes classifier increase weights of tokens containing geolocation info Token expiration has great impact on detection accuracy of Bayes classifier propose more effective expiration policy Explore correlation between e-mail charset and country code (returned by RelayCountry) of e-mail sender Explore correlation between TLD of sender e-mail and country code (returned by RelayCountry module) of e-mail sender Configuration tool for RelayCountry plugin

15 15 Thank you for your attention!

Download ppt "Spam detection using IP geolocation O-talk Andriy Stetsko."

Similar presentations

Dude, where’s that IP? Circumventing measurement-based IP geolocation Presented by: Steven Zittrower.

Dude, where’s that IP? Circumventing measurement-based IP geolocation Presented by: Steven Zittrower.
NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.

NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.
Phillipa Gill, Yashar Ganijali Dept. of CS University of Toronto Bernard Wong Dept. of CS Cornell University David Lie Dept. of Electrical and Computer.

Phillipa Gill, Yashar Ganijali Dept. of CS University of Toronto Bernard Wong Dept. of CS Cornell University David Lie Dept. of Electrical and Computer.
Networks Adapting Computers to Telecommunications Media.

Networks Adapting Computers to Telecommunications Media.
CPSC 441 Tutorial - Network Tools 1 Network Tools CPSC 441 – Computer Communications Tutorial.

CPSC 441 Tutorial - Network Tools 1 Network Tools CPSC 441 – Computer Communications Tutorial.
IP: The Internet Protocol

IP: The Internet Protocol
Web and Internet Part I ST: Introduction to Web Interface Design Prof. Angela Guercio Spring 2007.

Web and Internet Part I ST: Introduction to Web Interface Design Prof. Angela Guercio Spring 2007.
CISCO NETWORKING ACADEMY Chabot College ELEC 99.08 ping & traceroute.

CISCO NETWORKING ACADEMY Chabot College ELEC ping & traceroute.
23 October 2002Emmanuel Ormancey1 Spam Filtering at CERN Emmanuel Ormancey - 23 October 2002.

23 October 2002Emmanuel Ormancey1 Spam Filtering at CERN Emmanuel Ormancey - 23 October 2002.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Module 1: Reviewing the Suite of TCP/IP Protocols.

Module 1: Reviewing the Suite of TCP/IP Protocols.
1 Figure 3-33: Internet Control Message Protocol (ICMP) ICMP is for Supervisory Messages at the Internet Layer ICMP and IP  An ICMP message is delivered.

1 Figure 3-33: Internet Control Message Protocol (ICMP) ICMP is for Supervisory Messages at the Internet Layer ICMP and IP  An ICMP message is delivered.
TELE202 Lecture 10 Internet Protocols (2) 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »Internet Protocols (1) »Source: chapter 15 ¥This Lecture »Internet.

TELE202 Lecture 10 Internet Protocols (2) 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »Internet Protocols (1) »Source: chapter 15 ¥This Lecture »Internet.
Guide to TCP/IP, Third Edition

Guide to TCP/IP, Third Edition
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 9 Internet Control Message.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 9 Internet Control Message.
ICMP : Internet Control Message Protocol. Introduction ICMP is often considered part of the IP layer. It communicates error messages and other conditions.

ICMP : Internet Control Message Protocol. Introduction ICMP is often considered part of the IP layer. It communicates error messages and other conditions.
Chapter 1: Introduction to Web Applications. This chapter gives an overview of the Internet, and where the World Wide Web fits in. It then outlines the.

Chapter 1: Introduction to Web Applications. This chapter gives an overview of the Internet, and where the World Wide Web fits in. It then outlines the.
Examining TCP/IP.

Examining TCP/IP.
CIS 1310 – HTML & CSS 1 Introduction to the Internet.

CIS 1310 – HTML & CSS 1 Introduction to the Internet.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.

1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.

Similar presentations

Ads by Google