B@BEL: Leveraging Email Delivery for Spam Mitigation


B@BEL: Leveraging Email Delivery for
Spam Mitigation
Problems with Spam
A lucrative economy behind spam
- 77% of emails are spam
- 85% of spam is sent by botnets

Traditional Spam Detection
- Content analysis
- Origin analysis

Approach in Article

Focusing on the way the client interacts
with the SMTP server
Overview
- Techniques
- System design
- Evaluation
- Limitations

Techniques
- SMTP dialects
- Feedback manipulation

SMTP dialects
Feedback Manipulation
Botnets also use feedback
- Botmaster sends spam to the bot
- Bot sends the spam to the SMTP server
- SMTP server delivers the spam to the user, or
  replies to the bot that no such user exists
- Bot reports to the botmaster that no such user exists
- Botmaster deletes the user's address from the user list

Importance

SMTP dialects
- Spam detection
- Malware classification

Feedback manipulation
- Successful botnets are using bot feedback
- 35% of the email addresses were nonexistent
System design
- Learning SMTP dialects
- Build a decision model
- Making a decision

SMTP dialect state machine

D = <Σ, S, s0, T, Fg, Fb>
- Σ: input alphabet
- S: set of states
- s0: initial state
- T: transitions
- Fg: good final states
- Fb: bad final states
Learning SMTP dialects
Collecting SMTP conversations

Passive observation
- Two dialects might look the same!

Active probing
- Intentionally sending incorrect replies and error
  messages to see how the client reacts
Build a decision model
Making a decision

Passive matching
- Detect dialects by observing conversations

Active probing
- Send specific replies to “expose” differences
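The slides give the dialect tuple D = <Σ, S, s0, T, Fg, Fb> and the two decision steps (passive matching, then active probing when passive matching cannot decide) without showing them running. The following is an added example written for this page, not code from the B@BEL paper or its authors: it encodes two constructed dialects in that notation, runs passive matching over a recorded conversation, and, when the conversation is still consistent with both a legitimate-client dialect and a bot dialect, picks the server reply after which the two dialects would send different next commands. The dialect names, the transitions (a "well-behaved MTA" that QUITs on 421 and a "bot" that ignores 421 and 550), the "C:"/"S:" symbol convention and the ham/spam label per dialect are all assumptions made for the example.

```python
"""Toy SMTP-dialect decision model illustrating the slides' notation.

Added example, not code from the B@BEL paper.  A dialect is the tuple
D = <Sigma, S, s0, T, Fg, Fb>; symbols in Sigma are "C:<verb>" for client
commands and "S:<code>" for server replies.  Both dialects below are
constructed for this example and are assumptions, not dialects learned by
the real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dialect:
    name: str
    label: str          # "ham" or "spam": what a client speaking this dialect is (assumed)
    s0: str             # initial state
    T: dict             # transitions: (state, symbol) -> next state
    Fg: frozenset       # good final states: session ended with the message delivered
    Fb: frozenset       # bad final states: session ended without delivery

    @property
    def sigma(self):                       # input alphabet, derived from T
        return {sym for _, sym in self.T}

    def next_commands(self, state):        # client commands this dialect may send next
        return {sym for s, sym in self.T if s == state and sym.startswith("C:")}


# Transitions both constructed dialects share: the normal EHLO/MAIL/RCPT/DATA flow.
COMMON = {
    ("start", "C:EHLO"): "ehlo_sent",    ("ehlo_sent", "S:250"): "greeted",
    ("greeted", "C:MAIL"): "mail_sent",  ("mail_sent", "S:250"): "mail_ok",
    ("mail_ok", "C:RCPT"): "rcpt_sent",  ("rcpt_sent", "S:250"): "rcpt_ok",
    ("rcpt_ok", "C:RCPT"): "rcpt_sent",  ("rcpt_ok", "C:DATA"): "data_sent",
    ("data_sent", "S:354"): "in_data",   ("in_data", "C:BODY"): "body_sent",
    ("body_sent", "S:250"): "delivered", ("delivered", "C:QUIT"): "done_ok",
}

# Constructed "well-behaved MTA": a 421 makes it QUIT, a 550 makes it try the
# next recipient or QUIT.
LEGIT = Dialect("legit_mta", "ham", "start", {
    **COMMON,
    ("mail_sent", "S:421"): "temp_fail",      ("temp_fail", "C:QUIT"): "done_failed",
    ("rcpt_sent", "S:550"): "rcpt_rejected",  ("rcpt_rejected", "C:RCPT"): "rcpt_sent",
    ("rcpt_rejected", "C:QUIT"): "done_failed",
}, frozenset({"done_ok"}), frozenset({"done_failed"}))

# Constructed "bot": ignores 421 and 550 and carries on as if it had seen 250.
BOT = Dialect("bot_ignores_errors", "spam", "start", {
    **COMMON,
    ("mail_sent", "S:421"): "mail_ok",
    ("rcpt_sent", "S:550"): "rcpt_ok",
}, frozenset({"done_ok"}), frozenset())

DIALECTS = (LEGIT, BOT)


def passive_match(conversation, dialects=DIALECTS):
    """Passive matching: run every dialect over the observed symbols and keep
    the ones that never hit an undefined transition.  Returns name -> state."""
    by_name = {d.name: d for d in dialects}
    alive = {d.name: d.s0 for d in dialects}
    for sym in conversation:
        alive = {n: by_name[n].T[(s, sym)] for n, s in alive.items()
                 if (s, sym) in by_name[n].T}
    return alive


def session_outcome(conversation, dialects=DIALECTS):
    """Per surviving dialect: "delivered" (state in Fg), "failed" (in Fb) or "open"."""
    by_name = {d.name: d for d in dialects}
    out = {}
    for n, s in passive_match(conversation, dialects).items():
        d = by_name[n]
        out[n] = "delivered" if s in d.Fg else "failed" if s in d.Fb else "open"
    return out


def decide(conversation, dialects=DIALECTS):
    """Return "ham", "spam", "undecided" (both labels still possible) or
    "unknown" (no known dialect matches the conversation)."""
    by_name = {d.name: d for d in dialects}
    labels = {by_name[n].label for n in passive_match(conversation, dialects)}
    if not labels:
        return "unknown"
    return labels.pop() if len(labels) == 1 else "undecided"


def choose_probe(conversation, dialects=DIALECTS):
    """Active probing: pick a server reply after which the ham and spam dialects
    still consistent with the conversation expect disjoint client commands, so
    the client's next command exposes which dialect it speaks.  None if no
    single reply separates them at this point."""
    by_name = {d.name: d for d in dialects}
    alive = passive_match(conversation, dialects)
    replies = {sym for n in alive for sym in by_name[n].sigma if sym.startswith("S:")}
    for reply in sorted(replies):
        expected = {"ham": set(), "spam": set()}
        for n, s in alive.items():
            d = by_name[n]
            if (s, reply) in d.T:
                expected[d.label] |= d.next_commands(d.T[(s, reply)])
        if expected["ham"] and expected["spam"] and not (expected["ham"] & expected["spam"]):
            return reply
    return None
```

A clean session (EHLO, MAIL, RCPT, DATA, body, QUIT, all answered with 250/354) is accepted by both constructed dialects, so `decide` returns "undecided", which is the slides' third bucket. Calling `choose_probe` right after the client's MAIL command returns "S:421": the well-behaved dialect answers a 421 with QUIT while the bot dialect continues with RCPT, so the client's very next command settles the question. A 550 at the RCPT step is a weaker probe here because both dialects may legitimately follow it with another RCPT.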
Evaluation
Experiment on 621,919 SMTP conversations
Results:
- 260,074 classified as spam
- 218,675 classified as ham
- 143,170 could not be decided
Result in real life
Limitations

Evading dialect detection
- Implement a “faithful” SMTP engine
- Make spammers look like a legitimate client

Evading feedback manipulation
Conclusion

Focusing on the way the client interacts
with the SMTP server
- SMTP dialects
- Feedback manipulation

A valuable tool for spam mitigation