exploiting transport level characteristics of spam
play

Exploiting Transport-Level Characteristics of Spam Robert Beverly 1 - PowerPoint PPT Presentation

Dec 22, 2022 •280 likes •772 views

Exploiting Transport-Level Characteristics of Spam Robert Beverly 1 Karen Sollins MIT Computer Science and Artificial Intelligence Laboratory 1 now at BBN Technologies {rbeverly,sollins}@csail.mit.edu August 21, 2008 Conference on Email and

  1. Exploiting Transport-Level Characteristics of Spam Robert Beverly 1 Karen Sollins MIT Computer Science and Artificial Intelligence Laboratory 1 now at BBN Technologies {rbeverly,sollins}@csail.mit.edu August 21, 2008 Conference on Email and Anti-Spam 2008 R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 1 / 46

  2. Background The Character of Spam Outline Background 1 Experimental Methodology 2 Learning and Prediction 3 Open Questions 4 R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 2 / 46

  3. Background The Character of Spam The Spam Arms Race Attackers, scammers and thieves quickly adapt to defenses. Most effective solutions exploit fundamental weaknesses of attackers Current Best Practices: Content Filtering ... response: modify word tokens Reputation Analysis ... response: dynamic, fresh addresses Collaborative Filtering ... response: mail uniqueness And the cycle continues: Authentication Schemes, computational puzzles, etc. R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 3 / 46

  4. Background The Character of Spam The Spam Arms Race Attackers, scammers and thieves quickly adapt to defenses. Most effective solutions exploit fundamental weaknesses of attackers Current Best Practices: Content Filtering ... response: modify word tokens Reputation Analysis ... response: dynamic, fresh addresses Collaborative Filtering ... response: mail uniqueness And the cycle continues: Authentication Schemes, computational puzzles, etc. R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 3 / 46

  5. Background The Character of Spam The Spam Arms Race We propose a different approach: No panacea; existing solutions all have weaknesses Our solution, “SpamFlow,” is distinct from current practice Question: Are traffic characteristics a fundamental weakness of spam? R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 4 / 46

  6. Background The Character of Spam Hypothetical Question Specifically: What is the transport (TCP/IP packet stream) character of spam? Are there differences between spam and ham flows? How to exploit differences in a way which spammers cannot easily evade? Why ask this question? R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 5 / 46

  7. Background The Character of Spam Hypothetical Question Specifically: What is the transport (TCP/IP packet stream) character of spam? Are there differences between spam and ham flows? How to exploit differences in a way which spammers cannot easily evade? Why ask this question? R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 5 / 46

  8. Background The Character of Spam Transport-Level Characteristics of Spam Two Observations Low Penetration: 1 due to existing filters, user ambivalence → huge volumes of spam Sending Methods: 2 Open mail relays, email trojans, botnets, dialup → Low asymmetric bandwidth, widely distributed R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 6 / 46

  9. Background The Character of Spam Transport-Level Characteristics of Spam Combining Observations: Low Penetration + Sending Methods Volume + Methods + Economics → link/host resource contention MX MX MX aDSL BOT MX MX Congestion/Loss/Reordering MX MX Contention: Contention manifests as TCP/IP loss, retransmission, reordering, etc. R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 7 / 46

  10. Background The Character of Spam Understanding SpamFlow } SMTP Content data Filtering Not looking at IP header Not looking at data SpamFlow: TCP stream, incl } timing TCP SpamFlow (look at combining methods later) } Reputation IP Analysis R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 8 / 46

  11. Background TCP and SMTP Transport Outline Background 1 Experimental Methodology 2 Learning and Prediction 3 Open Questions 4 R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 9 / 46

  12. Background TCP and SMTP Transport A Brief Diversion on TCP/IP Transmission Control Protocol (TCP): Reliable, bi-directional, in-order byte transmission abstraction Acknowledgments State Machine Flow and congestion control Reacts to loss, persistent congestion Multi-flow fairness and efficient resource utilization (AIMD) Round trip time (RTT) estimation Bandwidth probing R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 10 / 46

  13. Background TCP and SMTP Transport SMTP and TCP Transmission Control Protocol: mx.alice.com mx.bob.com EHLO mx.alice.com 200 Hellow Alice MAIL FROM: alice@alice.com 200 OK DATA: Simple Mail Transport Protocol (SMTP) uses TCP for transport Sequence of SMTP handshaking between Mail Transport Agents (MTAs) Mail contents are packetized How do Spam Connections Behave? R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 11 / 46

  14. Background Building intuition Outline Background 1 Experimental Methodology 2 Learning and Prediction 3 Open Questions 4 R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 12 / 46

  15. Background Building intuition How do Spam Connections Behave? ...or, a quick look at netstat RcvQ SndQ Local Foreign Addr State 0 0 srv:25 92.47.129.89:49014 SYN_RECV 0 0 srv:25 ppp83-237-106-114.:29081 SYN_RECV 0 0 srv:25 88.200.227.123:25068 SYN_RECV 0 0 srv:25 92.47.129.89:49014 SYN_RECV 0 0 srv:25 ppp83-237-106-114.:29084 SYN_RECV 0 0 srv:25 88.200.227.123:25068 SYN_RECV 0 0 srv:25 88.200.227.123:25069 SYN_RECV 0 0 srv:25 88.200.227.123:25070 SYN_RECV 0 0 srv:25 88.200.227.123:25074 SYN_RECV 0 0 srv:25 84.255.150.15:4232 SYN_RECV 0 25 srv:25 222.123.147.41:50282 LAST_ACK 0 28 srv:25 adsl-pool-222.123.:1720 LAST_ACK 0 31 srv:25 222.123.147.41:50152 LAST_ACK 0 15 srv:25 222.123.147.41:50889 LAST_ACK 0 9 srv:25 88.245.3.19:venus LAST_ACK 0 25 srv:25 78.184.155.70:1854 FIN_WAIT1 0 23 srv:25 190-48-30-225.spe:50920 FIN_WAIT1 0 23 srv:25 dsl.dynamic812132:48154 FIN_WAIT1 0 23 srv:25 ip-85-160-91-16.e:48093 FIN_WAIT1 0 23 srv:25 88.234.141.158:48389 FIN_WAIT1 0 23 srv:25 p5B0FBB5D.dip.t-d:11965 FIN_WAIT1 ... R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 13 / 46

  16. Background Building intuition How do Spam Connections Behave? ...or, a quick look at netstat RcvQ SndQ Local Foreign Addr State 0 0 srv:25 92.47.129.89:49014 SYN_RECV 0 0 srv:25 ppp83-237-106-114.:29081 SYN_RECV 0 0 srv:25 88.200.227.123:25068 SYN_RECV TCP Stuck in States 0 0 srv:25 92.47.129.89:49014 SYN_RECV 0 0 srv:25 ppp83-237-106-114.:29084 SYN_RECV Stays in these states for 0 0 srv:25 88.200.227.123:25068 SYN_RECV 0 0 srv:25 88.200.227.123:25069 SYN_RECV minutes 0 0 srv:25 88.200.227.123:25070 SYN_RECV 0 0 srv:25 88.200.227.123:25074 SYN_RECV Half-open connections 0 0 srv:25 84.255.150.15:4232 SYN_RECV 0 25 srv:25 222.123.147.41:50282 LAST_ACK 0 28 srv:25 adsl-pool-222.123.:1720 LAST_ACK Remote MTAs that 0 31 srv:25 222.123.147.41:50152 LAST_ACK 0 15 srv:25 222.123.147.41:50889 “disappear” mid-connection LAST_ACK 0 9 srv:25 88.245.3.19:venus LAST_ACK 0 25 srv:25 78.184.155.70:1854 FIN_WAIT1 Remote MTAs that send 0 23 srv:25 190-48-30-225.spe:50920 FIN_WAIT1 0 23 srv:25 dsl.dynamic812132:48154 FIN and disappear FIN_WAIT1 0 23 srv:25 ip-85-160-91-16.e:48093 FIN_WAIT1 0 23 srv:25 88.234.141.158:48389 FIN_WAIT1 0 23 srv:25 p5B0FBB5D.dip.t-d:11965 FIN_WAIT1 ... R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 13 / 46

  17. Background Building intuition What about RTT? ...building more intuition Received: from vms044pub.verizon.net Received: from unknown (59.9.86.75) From: "Dr. Beverly, MD" < b@ex.com > From: Erich Shoemaker < ried@ex.com > Subject: thoughts Subject: Repl1ca for you Dear Robert, A T4g Heuer w4tch is a luxury statement I hope you have had a great week! on its own. In Prest1ge Repl1cas, any T4g Heuer... rtt (ms) rtt (ms) Ham Flow (rtt samples) Spam Flow (rtt samples) . 1400 . 54 . . 1200 . 1000 52 . . . . . . . . . . . . . . . 800 . . . rtt . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 rtt . . . 600 . . . . . . . . . . 48.9000 09:51:49 49.1000 49.2000 49.3000 23:15:00 23:15:20 23:15:40 23:16:00 23:16:20 23:16:40 time time Ham Spam R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 14 / 46

  18. Experimental Methodology Data Collection Instrument a Mail Transport Agent (MTA) server Collect SMTP packet trace Match labeled emails to packet flows Server Mail Mail MTA TCP/IP Mail Match Spam/Ham? SMTP Packet Flows Labels Capture Dataset (X,Y) R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 15 / 46

  19. Experimental Methodology Using a flow property Outline Background 1 Experimental Methodology 2 Learning and Prediction 3 Open Questions 4 R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 16 / 46

  20. Experimental Methodology Using a flow property Round Trip Time 1 Spam Ham 0.8 Cumulative Probability 0.6 P(ham rtt<100ms) ∼ 1; P(spam rtt<100ms) ∼ 0.2! 0.4 0.2 0 0.0001 0.001 0.01 0.1 1 10 RTT (sec) R. Beverly, K. Sollins (MIT) Transport Character of Spam CEAS 2008 17 / 46

Recommend

Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a

Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a

Spam, Spam, Spam Why is spam interesting? Everyone can observe spam. Spam / Anti-spam is a highly evolved form of information warfare. Fascinating socioeconomic study with many players - users, ISPs, spammers, technologists, legal

322 views • 17 slides
Exploiting Network Structure for Proactive Spam Mitigation Shobha Venkataraman, Subhabrata Sen,

Exploiting Network Structure for Proactive Spam Mitigation Shobha Venkataraman, Subhabrata Sen,

Exploiting Network Structure for Proactive Spam Mitigation Shobha Venkataraman, Subhabrata Sen, Oliver Spatscheck, Patrick Haffner, Dawn Song Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks Bryan Parno, Dan Wendlandt,

774 views • 40 slides
Exploiting Level- Exploiting Level -of of- -Detail Perception Detail Perception Multiple

Exploiting Level- Exploiting Level -of of- -Detail Perception Detail Perception Multiple

Special Course on Networked Virtual February 26, 2004 Environments Exploiting Level- Exploiting Level -of of- -Detail Perception Detail Perception Multiple Multiple- -Channel Architecture Channel Architecture Nearby viewers Nearby

165 views • 5 slides
Spam Fighting at CERN 28 April 2004 Emmanuel Ormancey 1 What is Spam ? What is Spam ? Spam

Spam Fighting at CERN 28 April 2004 Emmanuel Ormancey 1 What is Spam ? What is Spam ? Spam

Spam Fighting at CERN 28 April 2004 Emmanuel Ormancey 1 What is Spam ? What is Spam ? Spam is the friendly name given to unsolicited mail everyone receives in the mailbox. Comes from a Monty Python sketch, where in a caf everything

505 views • 13 slides
Opinion Spam and Analysis NITIN JINDAL &amp; BING LIU, WSDM 08 UIUC Opinion/Review Spam All

Opinion Spam and Analysis NITIN JINDAL &amp; BING LIU, WSDM 08 UIUC Opinion/Review Spam All

Opinion Spam and Analysis NITIN JINDAL &amp; BING LIU, WSDM 08 UIUC Opinion/Review Spam All spam is spam but some spam is more spam than others Opinion spam similar to web spam or email spam in intent, but different in form / content Web

912 views • 38 slides
Characteristics of Large Scale Travelling Ionospheric Disturbances Exploiting Ground-Based

Characteristics of Large Scale Travelling Ionospheric Disturbances Exploiting Ground-Based

Characteristics of Large Scale Travelling Ionospheric Disturbances Exploiting Ground-Based Ionograms, GPS-TEC and 3D Electron Density Distribution Maps Anna Belehaki, Ioanna Tsagouri (NOA, Greece) Ivan Kutiev, Pencho Marinov (BAS, Bulgaria)

561 views • 27 slides
Microwave-induced transport Transport characteristics of the microwave driven 2D negative

Microwave-induced transport Transport characteristics of the microwave driven 2D negative

QT2DS-Luchon 5/28/2015 Microwave-induced transport Transport characteristics of the microwave driven 2D negative magneto-conductivity state R. G. Mani Georgia State University, Atlanta, GA USA Radiation-induced zero-resistance-states in the

778 views • 34 slides
Auto-learning of SMTP TCP Transport-Layer Features for Spam and Abusive Message Detection

Auto-learning of SMTP TCP Transport-Layer Features for Spam and Abusive Message Detection

Auto-learning of SMTP TCP Transport-Layer Features for Spam and Abusive Message Detection Georgios Kakavelakis, Robert Beverly, Joel Young Center for Measurement and Analysis of Network Data Naval Postgraduate School, Dept. Computer Science

597 views • 40 slides
Introduction Characteristics of local meteorological dynamics; Seasonal moisture transport;

Introduction Characteristics of local meteorological dynamics; Seasonal moisture transport;

Introduction Characteristics of local meteorological dynamics; Seasonal moisture transport; Jet Stream ZCAS EL Nio 500hPa Moisture Transport Goals - To evaluate the average climatological transport (DJF) of the Amazon

463 views • 14 slides
The CAN-SPAM Act of 2003 D E C E M B E R 2 0 0 3 THE CAN-SPAM ACT OF 2003 Status of Legislation

The CAN-SPAM Act of 2003 D E C E M B E R 2 0 0 3 THE CAN-SPAM ACT OF 2003 Status of Legislation

The CAN-SPAM Act of 2003 D E C E M B E R 2 0 0 3 THE CAN-SPAM ACT OF 2003 Status of Legislation When Congress returns from recess on December 8, 2003, it will finish its work on the CAN-SPAM Act of 2003 (Controlling the Assault of

323 views • 4 slides
Link Spam Alliances Zoltn Gyngyi Hector Garcia-Molina Class List Spam 101 Intro to

Link Spam Alliances Zoltn Gyngyi Hector Garcia-Molina Class List Spam 101 Intro to

Link Spam Alliances Zoltn Gyngyi Hector Garcia-Molina Class List Spam 101 Intro to web spam Spam 221 Spamming PageRank Spam farm model Optimal farm structure Alliances of two farms Larger alliances Spam

876 views • 30 slides
Web Spam Dr. Marc Spaniol Dr. Marc Spaniol Saarbrcken, June 24, 2010 Databases and

Web Spam Dr. Marc Spaniol Dr. Marc Spaniol Saarbrcken, June 24, 2010 Databases and

Web Dynamics Web Spam Web Spam Dr. Marc Spaniol Dr. Marc Spaniol Saarbrcken, June 24, 2010 Databases and Information Systems Prof. Dr. G. Weikum MPII-Sp-0710-1/49 Agenda Web spam - Why and what? Web Spam - Spam taxonomy

669 views • 49 slides
Web Spam Marc Spaniol Marc Spaniol Saarbrcken, July 23, 2009 Databases and Information

Web Spam Marc Spaniol Marc Spaniol Saarbrcken, July 23, 2009 Databases and Information

Web Dynamics Web Spam Web Spam Marc Spaniol Marc Spaniol Saarbrcken, July 23, 2009 Databases and Information Systems Prof. Dr. G. Weikum MPII-Sp-0709-1/49 Agenda Web spam - Why and what? Web Spam - Spam taxonomy Overview

806 views • 49 slides
Exploiting Gnther Bayler, Christopher Kruegel, Redundancy in &amp; Engin Kirda Natural

Exploiting Gnther Bayler, Christopher Kruegel, Redundancy in &amp; Engin Kirda Natural

Christoph Karlberger, Exploiting Gnther Bayler, Christopher Kruegel, Redundancy in &amp; Engin Kirda Natural Language to Penetrate WOOT '07: Proceedings of the first Bayesian Spam USENIX workshop on Chris Li, Filters Offensive Amy

446 views • 30 slides
Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray, Sven Krasser Motivation Spam: More than Just a Nuisance Spam: Ham: unsolicited bulk

523 views • 28 slides
Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why

Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why

Detecting Product Review Spammers using Rating Behaviors Itay Dressler What is Spam? Why should you care? How to detect Spam? 2 What is Spam? What is Spam? All forms of malicious manipulation of user generated data so as to

943 views • 56 slides
Draft Transport Strategy Contents 1. TfSE Background 2. Our Region : characteristics and

Draft Transport Strategy Contents 1. TfSE Background 2. Our Region : characteristics and

Draft Transport Strategy Contents 1. TfSE Background 2. Our Region : characteristics and challenges 3. Our Approach : how the Transport Strategy was developed 4.Our Vision : Vision, Goals, Priorities and Principles 5. Our Strategy : presented as

734 views • 46 slides
Web Spam Know Your Neighbors: Web Spam Detection using the Web Topology Presenter: Sadia Masood

Web Spam Know Your Neighbors: Web Spam Detection using the Web Topology Presenter: Sadia Masood

Seminar: Future Of Web Search University of Saarland Web Spam Know Your Neighbors: Web Spam Detection using the Web Topology Presenter: Sadia Masood Tutor : Klaus Berberich Date : 17-Jan-2008 The Agenda Focus of the First Paper

1.22k views • 53 slides
Renewable Energy Exploiting Energy Resources at the District Level Presented by : Daniel

Renewable Energy Exploiting Energy Resources at the District Level Presented by : Daniel

Renewable Energy Exploiting Energy Resources at the District Level Presented by : Daniel Osei-Bonsu Venue: AICC Date: 9-11 October, 2018 (Vice President BAG) Contact Us: 0202144675; Executive Secretary 10/22/2018 Job Creation

299 views • 14 slides
spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian

spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian

spam, ham and other food or how to distribute spam to 100k email addresses Who am I? Debian Developer since 2003 Listmaster Alioth Admin Maintainer of packages like iproute, icinga, nagios and a lot of other useless stu ff

219 views • 20 slides
Machine Learning in Spam Filtering A Crash Course in ML Konstantin Tretyakov kt@ut.ee

Machine Learning in Spam Filtering A Crash Course in ML Konstantin Tretyakov kt@ut.ee

Machine Learning in Spam Filtering A Crash Course in ML Konstantin Tretyakov kt@ut.ee Institute of Computer Science, University of Tartu Overview Spam is Evil ML for Spam Filtering: General Idea, Problems. Some Algorithms Nave Bayesian

391 views • 35 slides
Outline Malloc and fragmentation 1 2 Exploiting program behavior 3 Allocator designs 4 User-level

Outline Malloc and fragmentation 1 2 Exploiting program behavior 3 Allocator designs 4 User-level

Outline Malloc and fragmentation 1 2 Exploiting program behavior 3 Allocator designs 4 User-level MMU tricks 5 Garbage collection 1 / 40 Dynamic memory allocation Almost every useful program uses it - Gives wonderful functionality benefits

1.19k views • 43 slides
x 2 &gt; b w T x &gt; 0 SPAM!! x ( x , 1) w 3 x 3 w T x + b ( w , b ) T ( x , 1)

x 2 &gt; b w T x &gt; 0 SPAM!! x ( x , 1) w 3 x 3 w T x + b ( w , b ) T ( x , 1)

A neuron (or how our brains work) Linear models Subhransu Maji CMPSCI 670: Computer Vision November 3, 2016 Neuroscience 101 CMPSCI 670 Subhransu Maji (UMASS) 2 Perceptron Example: Spam Input are feature values Imagine 3 features (spam

682 views • 8 slides
Edge Electrostatic Fluctuation and Anomalous Transport Characteristics in the Sino-United

Edge Electrostatic Fluctuation and Anomalous Transport Characteristics in the Sino-United

Edge Electrostatic Fluctuation and Anomalous Transport Characteristics in the Sino-United Spherical Tokamak (SUNIST) W H Wang In collaboration with Y X He, Z Gao, L Zeng, G P Zhang, L F Xie, X Z Yang * , C H Feng * , L Wang * Department of

619 views • 17 slides

More recommend