Toronto Networking Seminar

Recent estimates suggest that spam constitutes about 95% of all email traffic. Beyond simply being a nuisance, spam exhausts network resources and can also serve as a vector for other types of attacks, including phishing attacks and online scams. Conventional approaches to stopping these types of attacks typically rely on a combination of the reputation of a sender's IP address and the contents of the message. Unfortunately, these features are brittle: Spammers can easily change the IP addresses from which they send spam and the content that they use as the "cover medium" for the email message itself. In this talk, I will describe a new, complementary approach to stopping unwanted email traffic on the Internet: Rather than classifying spam based on either the content of the message or the identity of the sender, we classify email messages based on how the spam is being sent and the properties of the spamming infrastructure. I will first summarize the highlights of a 13-month study of the network-level behavior of spammers using data from a large spam trap. I will then describe a new approach to spammer classification called "behavioral blacklisting" and present a detailed study of network-level features that can be used to identify spammers. Often these features can classify a spammer on the first packet received from that sender, without even receiving the message. I will also describe a preliminary implementation of a real-time, dynamic sender reputation system, SpamSpotter, that incorporates our behavioral blacklisting algorithms, as well as how this system handles challenges of both the dynamism of sender behavior and the scale of email volumes.

This talk includes joint work with Anirudh Ramachandran, Shuang Hao, Nadeem Syed, Santosh Vempala, Sven Krasser, and Alex Gray.