Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using Traffic Analysis to Detect Email Spam Richard Clayton TERENA, Lyngby, 22 nd May 2007.

Published byPhoenix Flemming Modified over 9 years ago

Similar presentations

Presentation on theme: "Using Traffic Analysis to Detect Email Spam Richard Clayton TERENA, Lyngby, 22 nd May 2007."— Presentation transcript:

1 Using Traffic Analysis to Detect Email Spam Richard Clayton TERENA, Lyngby, 22 nd May 2007

2 Summary Log processing for customers Log processing for non-customers Looking at sampled sFlow data

3 What problems do ISPs have?  Insecure customers –very few real spammers sending directly ! Botnets –compromised end-user machines SOCKS proxies &c –misconfiguration SMTP AUTH –Exchange “admin” accounts + many others

4 ISP email server (smarthost) yahoo.com hotmail.com example.com example.co.uk beispiel.de etc.etc.etc customer ISP abuse@ team spammer Complaints customer

5 ISP’s Real Problem Blacklisting of IP ranges & smarthosts –listme@listme.dsbl.org Rapid action necessary to ensure continued service to all other customers But reports may go to the blacklist and not to the ISP (or will lack essential details)

6 ISP email server (smarthost) yahoo.com hotmail.com example.com example.co.uk beispiel.de etc.etc.etc customer BLACK LIST spammer Complaints customer

7 Spotting outgoing spam Expensive to examine outgoing content Legal/contractual issues with blocking –“false positives” could cost you customers Volume is not a good indicator of spam –many customers with occasional mailshots –daily limits only suitable for consumers “Incorrect” sender doesn’t indicate spam –many customers with multiple domains

8 Key insight Lots of spam is to ancient email addresses Lots of spam is to invented addresses Lots of spam is blocked by remote filters Can process server logs to pick out this information. Spam has delivery failures whereas legitimate email mainly works

9 ISP email server (smarthost) yahoo.com hotmail.com example.com example.co.uk beispiel.de etc.etc.etc customer ISP abuse@ team spammer Complaints customer Logs

10 Log processing heuristics  Report “too many” failures to deliver –more than 20 works pretty well Ignore “bounces” ! –have null “ ” return path, these often fail –detect rejection daemons without paths Ignore “mailing lists” –most destinations work, only some fail (10%) –more than one mailing list is a spam indicator!

11 Bonus! also detects viruses Common for mass mailing “worms” to use address book (mainly valid addresses) But remote sites may reject malware AND VERY USEFUL! Virus authors don’t know how to say HELO So virus infections are also detected

12 Smarthost ISP email handling MX host The Internet

13 Heuristics for incoming email Simple heuristics on failures work really well –just as for smarthost Multiple HELO lines very common –often match MAIL FROM (to mislead) –may match RCPT TO (? authenticator ?) Look for outgoing email to the Internet Pay attention to spam filter results –but need to discount forwarding

14 2007-05-19 10:47:15 vzjwcqk0n@msa.hinet.net Size=2199 !!! 0930456496@yahoo.com !!! 09365874588@fdf.sdfads !!! 0939155631@yahoo.com.yw -> 0931244221@fetnet.net -> 0932132625@pchome.com.tw 2007-05-19 10:50:22 985eubg@msa.hinet.net Size=2206 !!! cy-i88222@ms.cy.edw.tw !!! cynthia0421@1111.com.tw -> cy.tung@msa.hinet.net -> cy3219@hotmail.com -> cy_chiang@hotmail.com -> cyc.aa508@msa.hinet.net and 31 more valid destinations 2007-05-19 10:59:15 4uzdcr@msa.hinet.net Size=2228 !!! peter@syzygia.com.tw -> peter.y@seed.net.tw -> peter.zr.kuo@foxconn.com -> peter548@ms37.hinet.net -> peter62514@yahoo.com.tw -> peter740916@yahoo.com.tw and 44 more valid destinations

15 HELO = lrhnow.usa.net 2007-05-19 23:11:22 kwntefsqhi@usa.netSize= 8339 -> ken@example1.demon.co.uk HELO = lkrw.hotmail.com 2007-05-19 23:11:24 zmjkuzzs@hotmail.comSize=11340 -> ken@example2.demon.co.uk HELO = pshw.netscape.net 2007-05-19 23:14:52 dscceljzmy@netscape.netSize= 6122 -> steve.xf@example3.demon.co.uk HELO = zmgp.cs.com 2007-05-19 23:18:06 wmqjympdr@cs.com Size= 6925 -> kroll@example4.demon.co.uk

16 Email log processing @ demon Detection of spam (black) and viruses (red)

17 Incoming reports (all sources) spam (black), viruses (red), reports (blue)

18 spamHINTS research project The Internet LINX LINX samples 1 in 2000 packets (using sFlow) and makes the port 25 traffic available for analysis…

19 Known “open server”

20 Another known “open server”

21 Look for excessive variation Look at number of hours active compared with number of four hour blocks active Use incoming email to Demon to pick out senders of spam and hence annotate them as good or bad… … did this for a large ISP, but problem is that “if it sends, it’s bad”. Nevertheless…

22

23 Spamminess vs hours of activity for IPs active in 5 of 6 possible 4 hour periods

24 So work continues… sFlow data will always be useful to feed back ongoing activity to abuse teams Analysis may improve when both rings instrumented and when data available in real-time (so can compare historic data) Still to consider variations (and lack of variations) in destination as well as time

25 Summary Processing outgoing server logs works well –keeps smarthosts out of blacklists Processing incoming server logs effective –some sites may see little “looped back” traffic Trying to processing sampled sFlow data –sampling is making it a real challenge –more work needed on good distinguishers

26 http://www.cl.cam.ac.uk/~rnc1 CEAS papers: http://www.ceas.cc 2004: Stopping spam by extrusion detection 2005: Examining incoming server logs 2006: Early results from spamHINTS 2007: Email traffic: A qualitative snapshot

Download ppt "Using Traffic Analysis to Detect Email Spam Richard Clayton TERENA, Lyngby, 22 nd May 2007."

Similar presentations

Who cares about abuse? Rodney Tillotson, JANET-CERT APNIC, August 2001 United Kingdom Education & Research Networking Association.

Who cares about abuse? Rodney Tillotson, JANET-CERT APNIC, August 2001 United Kingdom Education & Research Networking Association.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Research Summary Nick Feamster. The Big Picture Improving Internet availability by making networks easier to operate Three approaches –From the ground.

Research Summary Nick Feamster. The Big Picture Improving Internet availability by making networks easier to operate Three approaches –From the ground.
1 Effective, secure and reliable hosted email security and continuity solution.

1 Effective, secure and reliable hosted security and continuity solution.
Authentication Approaches Phillip Hallam-Baker VeriSign Inc.

Authentication Approaches Phillip Hallam-Baker VeriSign Inc.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
Deliverability How We Get You to the Inbox. +98 % Our Deliverability routinely ranks in the high 90s. There’s another way of saying this: We Get Your.

Deliverability How We Get You to the Inbox. +98 % Our Deliverability routinely ranks in the high 90s. There’s another way of saying this: We Get Your.
Consortium Conference 13 July 2012 Operational Developments Ian Lehmann Chief Operations Officer London Grid for Learning.

Consortium Conference 13 July 2012 Operational Developments Ian Lehmann Chief Operations Officer London Grid for Learning.
Methods for Stopping Spam James Lick

Methods for Stopping Spam James Lick
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
Email Protocols and Troubleshooting Brandon Checketts.

Protocols and Troubleshooting Brandon Checketts.
1 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.

1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
Exchange 2003 and SPAM Fighting Emmanuel Ormancey, Rafal Otto Internet Services Group Department of Information Technology CERN 3 June 2015.

Exchange 2003 and SPAM Fighting Emmanuel Ormancey, Rafal Otto Internet Services Group Department of Information Technology CERN 3 June 2015.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
FROM RICHARD RODRIGUES JOHN ANIMALU FELIX SHULMAN THE HONORARY MEMBERS OF THE INTERCONTINENTAL GROUP Information security in real business firewall security.

FROM RICHARD RODRIGUES JOHN ANIMALU FELIX SHULMAN THE HONORARY MEMBERS OF THE INTERCONTINENTAL GROUP Information security in real business firewall security.
Electronic Commerce 2. Definition Ecommerce is the process of buying and selling products and services via distributed electronic media, usually the World.

Electronic Commerce 2. Definition Ecommerce is the process of buying and selling products and services via distributed electronic media, usually the World.
Fighting Spam Randy Appleton Northern Michigan University

Fighting Spam Randy Appleton Northern Michigan University
Sender policy framework. Note: is a good reference source for SPFhttp://www.openspf.org/

Sender policy framework. Note: is a good reference source for SPFhttp://
Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.

Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.
1 Fighting Spam at AOL: Lessons Learned and Issues Raised Carl Hutzler Director of Anti-Spam Operations America Online, Inc. 12/9/2005.

1 Fighting Spam at AOL: Lessons Learned and Issues Raised Carl Hutzler Director of Anti-Spam Operations America Online, Inc. 12/9/2005.

Similar presentations

Ads by Google