Presentation is loading. Please wait.

Presentation is loading. Please wait.

Delivery for Spam Mitigation Usenix Security 2012 Gianluca Stringhini, Manuel Egele, Apostolis Zarras, Thorsten Holz, Christopher.

Published byAleesha Beasley Modified over 9 years ago

Similar presentations

Presentation on theme: "Delivery for Spam Mitigation Usenix Security 2012 Gianluca Stringhini, Manuel Egele, Apostolis Zarras, Thorsten Holz, Christopher."— Presentation transcript:

1 B@bel:Leveraging Email Delivery for Spam Mitigation Usenix Security 2012 Gianluca Stringhini, Manuel Egele, Apostolis Zarras, Thorsten Holz, Christopher Kruegel, and Giovanni Vigna University of California, Santa Barbara Ruhr-University Bochum 李佳恆 leegoder@gmail.com

2 Outline  Introducion  Background  Approach  Evaluation  Conclusion

3 Introducion KASPERSKY LAB. Spam Report: April 2012. Email spam Accounting for more than 77% of all email traffic https://www.securelist.com/en/analysis/204792230/Spam_Report_April_2012

4 SYMANTEC CORP. State of spam & phishing report http://www.symantec.com/business/theme.jsp?themeid=state_of_spam About 85% of world-wide spam traffic is sent by botnets

5 Traditional spam dection systems 1.Content analysis 2.Origin base Ex.Blacklists ============new way========== Focus on the email deliivery mechanism (How messages are sent by spammers)

6 Background

7 SMTP (mail user agent ) eg: Outlook (mail transfer agent ) eg: msa.hinet From wiki eg: Hotmail

8 SMTP Conversaction

9 SMTP Reply:220 msr5.hinet.net ESMTP Sendmail 8.14.2/8.14.2; Sun, 29 Jul 2012 17:38:35 +0800 (CST) EHLO adl.com Reply:250-msr5.hinet.net Hello 114-34-35-96.HINET-IP.hinet.net [114.34.35.96], pleased to meet you MAIL FrOm: Reply:250 2.1.0... Sender ok rCpt tO: Reply:250 2.1.5... Recipient ok Data Reply:354 Enter mail, end with "." on a line by itself SubJECT : HI i am dada YOYOYO test !!!`~~~~.... Reply:250 2.0.0 q6T9cZtc012399 Message accepted for delivery

10 SMTP  SMTP RFC defines 14 commands.  Each command consists of four case-insensitive,alphabetic- character command codes  One or more space characters separate command codes  All command are terminated by line terminator( ) Smtp replies :three-digit status code+space+description (one line,e.g., 250 OK) RFC 821

11 Approach

12 SMTP Dialects  Different clients might implement the SMTP protocol in slightly different ways. 1.RFCs Do not always provide a single Format (e.g.,EHLO vs HELO) 2.Using different extension,client might add different parameters 3.Server accept commands that do not comply with the strict SMTP definitions

13 Learning Dialects Passively observe ( )  A set of SMTP conversations  Each conversation is a sequence of pairs E.g., Active probing  Send specifically-crafted replies to a client  And observe its responses

14 Active probing  Standard SMTP replies (e.g., send error)  Addiional SMTP replies (e.g., send twice)  Out-of-order Smtp replies  Missing replies (nerver sends a reply to a command)  Compliant replies (e.g., hOsT)  Incorrect replies (e.g., 9999)  incorrectly-terminated replis (e.g., )

15 Regular expressions MAIL FROM: MAIL FROM:gaga@msa.hinet.net MAIL FROM: Mail From :gaga@msa.hinet.net Mail From : E.g., wiki

16 State machine spam E.g., Gmail

17 Decision state Machine  Wolf WOLF, W. An Algorithm for Nearly-Minimal Collapsing of Finite-State Machine Networks. (ICCAD) (1990).

18 Making a descison E.g.,... E.g., >... E.g.,... C3 unknow C2 unknow

19 The Botnet Feedback Mechanism

20  Some spammers take server feedback into account e.g., recopient address does not exist Cutwail : 35% email address were not exist [38]  Providing False Responses to Spam Emails. [38]http://www.iseclab.org/papers/cutwail-LEET11.pdf

21 Evaluation

22 Enviroment  B@bel  1.Virtual machine zoo  2.gateway  3.learner => decision fsm =>  4.decision maker

23 Evaluating dialects for Classification Run Babel Training set (13 legitimate, 91malware) Legitimate MUAs and MTAs are distinct from Bots Legitimate MUAs and MTAs are all speak distinct dialects (except for Outlook Express and Windows Live Mail) 91malware: 48 dialects Same dialects belong to the same family

24 Evaluating Dialects for Spam Detection  Run Babel  SMTP converastions for 621919 email messages(40days)  7114 bot samples[4] >> bad dialects  MUA+MTA+webmail >> good dialects  Passive spam detection  Decision machine do not recognize the conversaction >> mark as spam

25 Evaluating Dialects for Spam Detection  621919 email (ALL)  260074 spam, 218675 ham,143170 ?? Verify true positive  IP blacklist (30) + resolve domain 99.32% true positive False negative 21% False negative (misused web mail account,dedicated MTA) (half is legitimate MTAs)

26 Limitations and Evasion  Evading dialects detection: Use an existing open source smtp engine (CDO)CDO But spambots are built for performance Bagle(a spam bot) : 20ms / a letter CDO(windows) : 200ms / a letter collaboration data objects library

27 Conclusion  Introduced a novel way to detect and mitigate spam emails  We study how the feedback mechanism used by botnets can be poisoned  Empirical result confirm that our approach can be used to detect and mitigate spam emails.

28 THANKS

Download ppt "Delivery for Spam Mitigation Usenix Security 2012 Gianluca Stringhini, Manuel Egele, Apostolis Zarras, Thorsten Holz, Christopher."

Similar presentations

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Roberto Perdisci, Igino Corona, David Dagon, Wenke Lee ACSAC.
By Won Lee.  Stands for Simple Mail Transfer Protocol  Used for sending and receiving electronic mail efficiently and reliably  Daily function of life.

By Won Lee.  Stands for Simple Mail Transfer Protocol  Used for sending and receiving electronic mail efficiently and reliably  Daily function of life.
SMTP – Simple Mail Transfer Protocol

SMTP – Simple Mail Transfer Protocol
E-mail (SMTP, MIME) Message transfer protocol (SMTP) vs message format protocols (RFC 822, Multipurpose Internet Mail Extensions or MIME) Message transfer.

(SMTP, MIME) Message transfer protocol (SMTP) vs message format protocols (RFC 822, Multipurpose Internet Mail Extensions or MIME) Message transfer.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.

CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
CPSC 441: FTP & SMTP1 Application Layer: FTP & Instructor: Carey Williamson Office: ICT 740 Class.

CPSC 441: FTP & SMTP1 Application Layer: FTP & Instructor: Carey Williamson Office: ICT Class.
Simple Mail Transfer Protocol (SMTP) CS-328 Dick Steflik.

Simple Mail Transfer Protocol (SMTP) CS-328 Dick Steflik.
Esimerkki: Sähköposti. Lappeenranta University of Technology / JP, PH, AH Electronic Mail Three major components: user agents mail servers simple mail.

Esimerkki: Sähköposti. Lappeenranta University of Technology / JP, PH, AH Electronic Mail Three major components: user agents mail servers simple mail.
SMTP Simple Mail Transfer Protocol. Content I.What is SMTP? II.History of SMTP III.General Features IV.SMTP Commands V.SMTP Replies VI.A typical SMTP.

SMTP Simple Mail Transfer Protocol. Content I.What is SMTP? II.History of SMTP III.General Features IV.SMTP Commands V.SMTP Replies VI.A typical SMTP.
Simple Mail Transfer Protocol

Simple Mail Transfer Protocol
2440: 141 Web Site Administration Email Services Instructor: Enoch E. Damson.

2440: 141 Web Site Administration Services Instructor: Enoch E. Damson.
Introduction 1 Lecture 7 Application Layer (FTP, e-mail) slides are modified from J. Kurose & K. Ross University of Nevada – Reno Computer Science & Engineering.

Introduction 1 Lecture 7 Application Layer (FTP, ) slides are modified from J. Kurose & K. Ross University of Nevada – Reno Computer Science & Engineering.
563.8.2 Spam Sonia Jahid University of Illinois Fall 2007.

Spam Sonia Jahid University of Illinois Fall 2007.
23 October 2002Emmanuel Ormancey1 Spam Filtering at CERN Emmanuel Ormancey - 23 October 2002.

23 October 2002Emmanuel Ormancey1 Spam Filtering at CERN Emmanuel Ormancey - 23 October 2002.
Spam Reduction Techniques Using greylisting and SpamAssassin.

Spam Reduction Techniques Using greylisting and SpamAssassin.
E-mail-I CS-3505 Wb_e-mail-I.ppt. Email 4 The most useful feature of the internet 4 Lots of different email programs, but most of them can talk to each.

-I CS-3505 Wb_ -I.ppt. 4 The most useful feature of the internet 4 Lots of different programs, but most of them can talk to each.
Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray,

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray,
Lecturer : Ms.Trần Thị Ngọc Hoa Chapter 8 File Transfer Protocol – Simple Mail Transfer Protocol.

Lecturer : Ms.Trần Thị Ngọc Hoa Chapter 8 File Transfer Protocol – Simple Mail Transfer Protocol.
Introduction 1-1 Chapter 2 FTP & Email Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 IC322 Fall.

Introduction 1-1 Chapter 2 FTP & Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 IC322 Fall.
2: Application Layer1 Chapter 2 Application Layer These slides derived from Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross.

2: Application Layer1 Chapter 2 Application Layer These slides derived from Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross.

Similar presentations

Ads by Google