understanding the network level behavior of spammers
Page 1
Understanding the network level behavior of spammers
Published by: Anirudh Ramachandran, Nick Feamster
Published in: ACM SIGCOMM 2006
Presented by: Bharat Soundararajan
Page 2
OUTLINE
Spam
- Basics of spam
- Spam statistics
- Spamming methods
- Spam filtering
Network level behavior of spam
- Network level spam filtering
- Data collection method
- Tools used for data collection
- Evaluations
- Drawbacks
Page 3
SPAM
Page 4
What is Spam?
E-mail spam, also known as "bulk e-mail" or "junk e-mail," is a subset of spam that involves nearly identical messages sent to numerous recipients by e-mail.
Spammers use unsecured mail servers to send out millions of illegitimate e-mails.
February 2007: 90 billion spam messages per day
Page 5
Spam statistics
Page 6
Spamming Methods
• Direct spamming
– By purchasing upstream connectivity from "spam-friendly ISPs"
• Open relays and proxies
– Mail servers that allow unauthenticated Internet hosts to connect and relay mail through them
• Botnets
– Using a worm to infect machines and send mail through them, e.g. Bobax
• BGP spectrum agility
– Short-lived BGP route announcements
Page 7
Botnet command and control
Command and control information that had already been captured is used to make a sinkhole act like the command and control center.
All bots now try to contact the command and control sinkhole; a packet trace of these connections was collected to determine the members of the botnet.
Using the p0f passive fingerprinting tool, they observed that a significantly higher percentage of infected hosts run Windows.
The information collected is not accurate.
Page 8
Sinkhole
Page 9
DNS blacklisting
A list of open-relay mail servers or open proxies, or of IP addresses known to send spam
Data collected from spam-trap addresses or honeypots
80% of all spam received from mail relays appears in at least one of eight blacklists
More than 50% of spam was listed in two or more blacklists
Page 10
Spam filtering
Spammers are able to easily alter the contents of an e-mail.
SpamAssassin: a spam filter whose filtering is based mainly on source IP and other variables, which are easily changed by spammers.
Spammers have less flexibility when it comes to altering the network-level details of an e-mail.
Page 11
Spam filtering by this paper
- Comparing data with the logs from a large ISP
- Analyzing the network-level behavior using those logs in the sinkhole
- Updating the filter content using those comparisons
Page 12
Network-level Spam Filtering
• Network-level properties are harder to change than content
• Network-level properties
– IP addresses and IP address ranges
– Change of addresses over time
– Distribution according to operating system, country and AS
– Characteristics of botnets and short-lived route announcements
• Help develop better spam filters
Page 13
Data collected when the spam is received
• IP address of the mail relay
• Traceroute to that IP address, to help estimate the network location of the mail relay
• Passive "p0f" TCP fingerprint, to determine the OS of the mail relay
• Result of DNS blacklist (DNSBL) lookups for that mail relay at eight different DNSBLs
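The DNSBL lookup step above, and the "listed in at least one / two or more of eight blacklists" figures from the DNS blacklisting slide, can be worked through with a short script. The following is an added example, not code from the slides or from the paper's authors: it builds the reversed-octet DNSBL query name for a relay's IP, checks it against a constructed in-memory stand-in for the DNS resolver (so it runs offline; the `bl1.example` ... `bl8.example` zone names and the relay IPs are constructed placeholders, not real blacklists), and computes the two listing fractions over a constructed set of relays.

```python
"""Added example (not from the slides or the paper): DNSBL query
construction and 'listed in >=1 / >=2 of N blacklists' statistics.

DNS is replaced by a constructed in-memory table so the script runs
offline; zone names and IP addresses are constructed placeholders."""
import ipaddress
from typing import Dict, List

# Constructed placeholder zones; real DNSBL zone names differ.
DNSBL_ZONES: List[str] = [f"bl{i}.example" for i in range(1, 9)]  # eight lists


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the standard DNSBL query: reversed IPv4 octets under the zone.

    192.0.2.10 in zone bl1.example -> 10.2.0.192.bl1.example
    Anything that is not a valid IPv4 address is rejected, so an SMTP
    client string cannot smuggle extra labels into the DNS query."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


# Constructed stub resolver. A DNSBL answers a listed query with an A
# record in 127.0.0.0/8; unlisted names are simply absent (NXDOMAIN).
STUB_RESOLVER: Dict[str, str] = {
    dnsbl_query_name("192.0.2.10", "bl1.example"): "127.0.0.2",
    dnsbl_query_name("192.0.2.10", "bl3.example"): "127.0.0.2",
    dnsbl_query_name("198.51.100.7", "bl2.example"): "127.0.0.4",
    dnsbl_query_name("203.0.113.5", "bl1.example"): "127.0.0.2",
    dnsbl_query_name("203.0.113.5", "bl5.example"): "127.0.0.3",
    dnsbl_query_name("203.0.113.5", "bl8.example"): "127.0.0.2",
}


def dnsbl_listings(ip: str, zones: List[str], resolver: Dict[str, str]) -> List[str]:
    """Return the zones in which `ip` is listed."""
    listed = []
    for zone in zones:
        answer = resolver.get(dnsbl_query_name(ip, zone))
        # Only a 127.0.0.0/8 answer counts as a listing; any other answer
        # (e.g. a wildcard or misconfigured zone) is treated as not listed.
        if answer and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
            listed.append(zone)
    return listed


def listing_stats(relays: List[str], zones: List[str], resolver: Dict[str, str]) -> Dict[str, float]:
    """Fraction of relays listed in at least one, and in two or more, blacklists."""
    counts = [len(dnsbl_listings(ip, zones, resolver)) for ip in relays]
    n = len(counts)
    return {
        "at_least_one": sum(1 for c in counts if c >= 1) / n,
        "two_or_more": sum(1 for c in counts if c >= 2) / n,
    }


# Constructed set of spam-sending relays as a sinkhole might record them.
SAMPLE_RELAYS = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99", "198.51.100.200"]

if __name__ == "__main__":
    for ip in SAMPLE_RELAYS:
        print(ip, dnsbl_listings(ip, DNSBL_ZONES, STUB_RESOLVER))
    print(listing_stats(SAMPLE_RELAYS, DNSBL_ZONES, STUB_RESOLVER))
```

In a real deployment the stub table is replaced by actual DNS queries; the query-name construction and the 127.0.0.0/8 check are the parts worth keeping, since accepting any answer as a listing is a common way to misread wildcarded or abandoned zones.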
Page 14
Mail Avenger
A few of the environment variables Mail Avenger sets:
- CLIENT_NETPATH: the network route to the client
- SENDER: the sender address of the message
- CLIENT_SYNOS: a guess of the client's operating system type
Page 15
Distribution across ASes
Still about 40% of spam coming from the U.S.
Page 16
p0f fingerprinting
Passive fingerprinting is a method to learn more about the enemy without them knowing it.
Specifically, you can determine the operating system and other characteristics of the remote host.
Fields examined:
- TTL: which initial TTL the operating system uses
- Window size: which TCP window size the operating system uses
- DF: whether the operating system set the don't fragment bit
- TOS: whether the operating system specified a type of service
Page 17
OS guess from TTL values

| Operating system | Version | TTL value |
|---|---|---|
| Linux | Red Hat 9 | 64 |
| FreeBSD | 5.0 | 64 |
| Solaris | 2.5.1, 2.6, 2.7, 2.8 | 255 |
| Windows | 98 | 32 |
| Windows | XP | 128 |
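The table gives initial TTLs, but a receiver only sees the TTL after every router on the path has decremented it by one. The following is an added example, not code from the slides, the paper, or p0f: it infers the initial TTL by rounding the observed value up to the nearest common initial value, maps it to the OS rows on the slide, and reports the ambiguity (64 matches two rows) instead of hiding it. The observed TTLs and relay IPs are constructed.

```python
"""Added example (not from the slides, the paper, or p0f): a TTL-based
OS guesser in the spirit of the passive fingerprinting step.

Each router hop decrements the IP TTL by one, so the initial TTL a
sender's stack used is the smallest common initial value at or above
the observed TTL. The initial-TTL-to-OS table is the one on the slide;
the observed TTLs below are constructed."""
from typing import Dict, List, Tuple

# Initial TTL per OS, as listed on the slide.
INITIAL_TTL_TABLE: Dict[int, List[str]] = {
    64: ["Linux (Red Hat 9)", "FreeBSD 5.0"],
    255: ["Solaris 2.5.1 / 2.6 / 2.7 / 2.8"],
    32: ["Windows 98"],
    128: ["Windows XP"],
}
COMMON_INITIAL_TTLS = sorted(INITIAL_TTL_TABLE)  # [32, 64, 128, 255]


def infer_initial_ttl(observed_ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial TTL."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be in 1..255")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise AssertionError("unreachable: 255 is the largest initial TTL")


def guess_os(observed_ttl: int) -> Tuple[int, int, List[str]]:
    """Return (inferred initial TTL, estimated hop count, candidate OSes).

    Caveats:
    * a TTL of 64 matches both Linux and FreeBSD on the slide, so the
      result is a candidate list, not one OS; p0f narrows it with the
      window size, DF bit and TOS fields;
    * a stack starting at 64 more than 31 hops away would be misread as
      a 32-initial sender, so an estimated hop count near the top of a
      bucket deserves suspicion;
    * the TTL is set by the sender's stack, so a stack that changes it
      defeats the guess; the paper's point is only that this is harder
      to change than message content."""
    initial = infer_initial_ttl(observed_ttl)
    hops = initial - observed_ttl
    return initial, hops, INITIAL_TTL_TABLE[initial]


# Constructed observed TTLs from SYN packets seen at the receiving MTA.
SAMPLE_SYN_TTLS = {"192.0.2.10": 117, "198.51.100.7": 50, "203.0.113.5": 241}

if __name__ == "__main__":
    for ip, ttl in SAMPLE_SYN_TTLS.items():
        initial, hops, oses = guess_os(ttl)
        print(f"{ip}: observed TTL {ttl} -> initial {initial}, ~{hops} hops, {oses}")
```

For the constructed inputs, 117 resolves to initial 128 after about 11 hops (Windows XP on the slide), 50 to initial 64 after about 14 hops (Linux or FreeBSD), and 241 to initial 255 after about 14 hops (Solaris).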
Page 18
Distribution Among Operating Systems
About 4% of known hosts are non-Windows.
These hosts are responsible for about 8% of received spam.
Page 19
Spam distribution across IP space
Page 20
Advantages
• A key to better and more efficient filtering
• Reporting of information about spam helps in updating the blacklists
Page 21
Weaknesses
• They cannot distinguish between spam obtained through different techniques
• They did not precisely measure using the Bobax botnet
Page 22
THANK YOU