1 / 22

Understanding the network level behavior of spammers

Understanding the network level behavior of spammers. Published by :Anirudh Ramachandran, Nick Feamster Published in :ACMSIGCOMM 2006 Presented by: Bharat Soundararajan. OUTLINE. Spam - Basics of spam - Spam statistics - Spamming methods

jeanette-leroy
Télécharger la présentation

Understanding the network level behavior of spammers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Understanding the network level behavior of spammers Published by :Anirudh Ramachandran, Nick Feamster Published in :ACMSIGCOMM 2006 Presented by: Bharat Soundararajan

  2. OUTLINE • Spam - Basics of spam - Spam statistics - Spamming methods - Spam filtering • Network level behavior of spam - Network level spam filtering - Data Collection Method - Tools used for data collection - Evaluations - Drawbacks

  3. SPAM

  4. What is Spam? • E-mail spam, also known as "bulk e-mail" or "junk e-mail," is a subset of spam that involves nearly identical messages sent to numerous recipients by e-mail. • Spammers use unsecured mail servers to send out millions of illegitimate emails • 2007 - (February) 90 billion per day

  5. Spam statistics

  6. Spamming Methods • Direct spamming • By purchasing upstream connectivity from “spam-friendly ISPs” • Open relays and proxies • Mail servers that allow unauthenticated Internet hosts to connect and relay mail through them • Botnets Using the worm to infect mail servers and sending mail through them e.g.bobax • BGP Spectrum Agility Short lived BGP route announcements

  7. Botnet command and control • Already captured Command and control center information • is used for the sinkhole to act like command and control • center • All bots now try to contact the command and control • sinkhole and they collected a packet trace to determine the • members of botnet • They observed a significantly higher percentage of infected • hosts is windows using Pof passive fingerprinting tool • Information collected is not accurate

  8. Sink hole

  9. Dns blacklisting • A list of open-relay mail servers or open proxies—or of • IP addresses known to send spam • Data collected from Spam-trap addresses or • honeypots • 80% of all spam received from mail relays • appear in at least one of eight blacklists • > 50% of spam was listed in two or more • blacklists

  10. Spam filtering • Spammers are able to easily alter the • contents of the email • SpamAssasin : a spam filter used for filtering • is mainly source Ip and other variables • which is easily changed by spammers • They have less flexibility when comes to • altering the network level details of email

  11. Spam filtering by this paper - Comparing data with the logs from a large ISP - Analyzing the network level behavior using those logs in the sinkhole - Update the filter content using those comparison

  12. Network-level Spam Filtering • Network-level properties are harder to change than content • Network-level properties • IP addresses and IP address ranges • Change of addresses over time • Distribution according to operating system, country and AS • Characteristics of botnets and short-lived route announcements • Help develop better spam filters

  13. Data collected when the spam is received • IP address of the mail relay • Trace route to that IP address, to help us estimate the network location of the mail relay • Passive “p0f” TCP fingerprint, to determine the OS of the mail relay • Result of DNS blacklist (DNSBL) lookups for that mail relay at eight different DNSBLs

  14. Mail avenger • few of the environment variables Mail Avenger sets • CLIENT_NETPATH the network route to the client • SENDER the sender address of the message • CLIENT_SYNOS a guess of the client's operating system type

  15. Distribution across ASes Still about 40% of spam coming from the U.S.

  16. Pof fingerprinting • Passive Fingerprinting is a method to learn more about the • enemy, without them knowing it • Specifically, you can determine the operating system and other • characteristics of the remote host • TTL – what TTL is used for the operating system • Window Size – what window size the operating system uses • DF – whether the operating system set the don’t fragment bit • TOS – Did the operating system specify what type of service

  17. OS guess from ttl values

  18. Distribution Among Operating Systems About 4% of known hosts are non-Windows. These hosts are responsible for about 8% of received spam.

  19. Spam Distribution IP Space

  20. Advantages • A key to better and efficient filtering • Reporting of information about spam helps in updating the blacklist

  21. Weaknesses • They cannot distinguish between spam obtained from different techniques • They didn’t precisely measure using bobax botnet

  22. THANK YOU

More Related