Network-Level Spam Filtering

Nick Feamster
Georgia Institute of Technology

Recent estimates suggest that spam constitutes about 95% of all email traffic. Beyond simply being a nuisance, spam exhausts network resources and can also serve as a vector for other types of attacks, including phishing attacks and online scams. Conventional approaches to stopping these types of attacks typically rely on a combination of the reputation of a sender's IP address and the contents of the message. Unfortunately, these features are brittle: Spammers can easily change the IP addresses from which they send spam and the content that they use as the "cover medium"
for the email message itself. In this talk, I will describe a new, complementary approach to stopping unwanted email traffic on the Internet:
Rather than classifying spam based on either the content of the message or the identity of the sender, we classify email messages based on how the spam is being sent and the properties of the spamming infrastructure. I will first summarize the highlights of a 13-month study of the network-level behavior of spammers using data from a large spam trap. I will then describe a new approach to spammer classification called "behavioral blacklisting" and present a detailed study of network-level features that can be used to identify spammers. Often these features can classify a spammer on the first packet received from that sender, without even receiving the message. I will also describe a preliminary implementation of a real-time, dynamic sender reputation system, SpamSpotter, that incorporates our behavioral blacklisting algorithms, as well as how this system handles challenges of both the dynamism of sender behavior and the scale of email volumes.

Nick Feamster is an assistant professor in the College of Computing at Georgia Tech. He received his Ph.D. in Computer science from MIT in 2005, and his S.B. and M.Eng. degrees in Electrical Engineering and Computer Science from MIT in 2000 and 2001, respectively. His research focuses on many aspects of computer networking and networked systems, including the design, measurement, and analysis of network routing protocols, network operations and security, and anonymous communication systems. His honors include a Sloan Research Fellowship, the NSF CAREER award, the IBM Faculty Fellowship, and award papers at SIGCOMM 2006 (network-level behavior of spammers), the NSDI 2005 conference (fault detection in router configuration), Usenix Security 2002 (circumventing web censorship using Infranet), and Usenix Security 2001 (web cookie analysis).

This talk includes joint work with Anirudh Ramachandran, Shuang Hao, Nadeem Syed, Santosh Vempala, Sven Krasser, and Alex Gray.

Back to Workshop II: Applications of Internet MRA to Cyber-Security