Inferring Spammers in the Network Core

Authors:
Dominik Schatzmann;Martin Burkhart;Thrasyvoulos Spyropoulos
Affiliations:
Computer Engineering and Networks Laboratory, ETH Zurich, Switzerland;Computer Engineering and Networks Laboratory, ETH Zurich, Switzerland;Computer Engineering and Networks Laboratory, ETH Zurich, Switzerland
Venue:
PAM '09 Proceedings of the 10th International Conference on Passive and Active Network Measurement
Year:
2009

Citing 5
Cited 10

Characterizing a spam traffic

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
An introduction to ROC analysis

Pattern Recognition Letters - Special issue: ROC analysis in pattern recognition
Filtering spam with behavioral blacklisting

Proceedings of the 14th ACM conference on Computer and communications security
Fast monitoring of traffic subpopulations

Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection

SS'08 Proceedings of the 17th conference on Security symposium

Detecting Spam at the Network Level

EUNICE '09 Proceedings of the 15th Open European Summer School and IFIP TC6.6 Workshop on The Internet of the Future
Digging into HTTPS: flow-based classification of webmail traffic

IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Filtering spam from bad neighborhoods

International Journal of Network Management
On collection of large-scale multi-purpose datasets on internet backbone links

Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security
Empirical comparison of IP reputation databases

Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
Auto-learning of SMTP TCP transport-layer features for spam and abusive message detection

LISA'11 Proceedings of the 25th international conference on Large Installation System Administration
Assisting server for secure multi-party computation

WISTP'12 Proceedings of the 6th IFIP WG 11.2 international conference on Information Security Theory and Practice: security, privacy and trust in computing systems and ambient intelligent ecosystems
SpaDeS: Detecting spammers at the source network

Computer Networks: The International Journal of Computer and Telecommunications Networking
A large-scale empirical analysis of email spam detection through network characteristics in a stand-alone enterprise

Computer Networks: The International Journal of Computer and Telecommunications Networking
Preventing spam in opportunistic networks

Computer Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Despite a large amount of effort devoted in the past years trying to limit unsolicited mail, spam is still a major global concern. Content-analysis techniques and blacklists, the most popular methods used to identify and block spam, are beginning to lose their edge in the battle. We argue here that one not only needs to look into the network-related characteristics of spam traffic, as has been recently suggested, but also to look deeper into the network core, to counter the increasing sophistication of spammers. At the same time, local knowledge available at a given server can often be irreplaceable in identifying specific spammers. To this end, in this paper we show how the local intelligence of mail servers can be gathered and correlated passively , scalably, and with low-processing cost at the ISP-level providing valuable network-wide information. First, we use a large network flow trace from a major national ISP, to demonstrate that the pre-filtering decisions and thus spammer-related knowledge of individual mail servers can be easily and accurately tracked and combined at the flow level. Then, we argue that such aggregated knowledge not only allows ISPs to monitor remotely what their "own" servers are doing, but also to develop new methods for fighting spam.