
Analysis of SMTP Connection Characteristics for Detecting Spam Relays




Presentation Transcript


  1. Analysis of SMTP Connection Characteristics for Detecting Spam Relays Authors: P. J. Sandford, J. M. Sandford, and D. J. Parish Speaker: Shu-Fen Chiou (邱淑芬)

  2. Outline • Introduction • Spam relay detection • Results • Conclusion • Comments

  3. E-mail

  4. Spam relay • Sending mail to a destination via a third-party mail server or proxy server in order to hide the address of the source of the mail. • When e-mail servers (SMTP servers) are used, it is known as an "open relay" or "SMTP relay," and this method was commonly used by spammers in the past when SMTP servers were not locked down. • Today, most spam relay is provided by proxy servers and botnets.

  5. Prevent spam

  6. Specific problem (diagram: a spam relay running on compromised hosts sends spam mail to many mail servers)

  7. Monitoring Architecture

  8. Legitimate users vs. spam relays • Number of connections: legitimate users < spam relays. • Connections to a mail server: legitimate users connect fewer times an hour; spam relays send thousands of emails every hour to hundreds of mail servers. • Daily pattern: legitimate users can exhibit one; spam relays do not.

  9. Result(1/6) • All the examples shown come from a single 24-hour period during Sep. 2005. • A total of 89,748 hosts were observed. • 48 hosts had established over 10,000 SMTP connections. • 4 hosts had established over 50,000 SMTP connections.
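The connection profile compared in slide 8 (connections per hour, number of destination mail servers, presence of an idle period in the day) can be computed directly from outbound TCP/25 connection records at the ISP. The following is an added example, not code from the paper or the presentation; the log format, the sample records and the thresholds (1,000 connections in the peak hour, 100 distinct servers, no idle hour as a stand-in for the missing daily pattern) are assumptions chosen to illustrate the comparison.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound SMTP (TCP/25) connection records, one per
# line in the assumed form "timestamp src_host dst_mail_server", for one day.
LEGIT_LINES = [
    "2005-09-14T08:03:11 10.0.0.5 mail.example.net",
    "2005-09-14T08:41:02 10.0.0.5 mail.example.net",
    "2005-09-14T17:22:45 10.0.0.5 smtp.example.org",
]
# 10.0.0.99 is constructed to look like a relay: 1,000 connections in every
# hour of the day, spread over 200 distinct destination mail servers.
RELAY_LINES = [
    f"2005-09-14T{h:02d}:{i % 60:02d}:{(i // 60) % 60:02d} 10.0.0.99 mx{i % 200}.example.com"
    for h in range(24) for i in range(1000)
]
SAMPLE_LOG = "\n".join(LEGIT_LINES + RELAY_LINES)

def profile_hosts(log_text):
    """Per source host: connections in each hour of the day and the set of
    distinct destination mail servers contacted."""
    profiles = defaultdict(lambda: {"per_hour": defaultdict(int), "servers": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        hour = datetime.fromisoformat(ts).hour
        profiles[src]["per_hour"][hour] += 1
        profiles[src]["servers"].add(dst)
    return profiles

def flag_spam_relays(profiles, min_peak_hourly=1000, min_servers=100):
    """Flag hosts whose peak hourly connection count and server fan-out are in
    the relay range and that were active in all 24 hours (assumed proxy for
    the absence of a daily pattern). Thresholds are assumptions, not the paper's."""
    flagged = {}
    for host, p in profiles.items():
        peak = max(p["per_hour"].values())
        no_idle_hour = len(p["per_hour"]) == 24
        if peak >= min_peak_hourly and len(p["servers"]) >= min_servers and no_idle_hour:
            flagged[host] = {"peak_hourly": peak,
                             "total": sum(p["per_hour"].values()),
                             "servers": len(p["servers"])}
    return flagged

if __name__ == "__main__":
    for host, stats in flag_spam_relays(profile_hosts(SAMPLE_LOG)).items():
        print(f"{host}: {stats}")
```

The home user in the sample keeps its handful of connections to two servers and is never flagged, while the constructed relay is reported with its peak hourly rate, daily total and server count.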

  10. Result(2/6) Home user Total: 58,000 SMTP connections

  11. Result(3/6) 25,000 connections Mail bombs occur where very large quantities of email are sent to the same address, rendering the address unusable.

  12. Result(4/6) 3,000 connections

  13. Result(5/6)

  14. Result(6/6) Total: over 1,600,000 connections

  15. Conclusions • This paper has shown how spam relays installed on compromised hosts could be identified by the ISP networks on which they are hosted. • Given the large disparity between the SMTP connection profiles of legitimate mail clients and servers and spam relays, an automated process could easily be developed to detect spam relays.

  16. Comments • A simple method for preventing spam is proposed. • What is the accuracy of detecting that a host is a spam relay, i.e. how effective is the method? • How is the connection-count threshold defined for judging a host to be a spam relay?
