Analysis of SMTP Connection Characteristics for Detecting Spam Relays

Page 1

Analysis of SMTP Connection Characteristics for Detecting Spam Relays

Authors: P. J. Sandford, J. M. Sandford, and D. J. Parish
Speaker: Shu-Fen Chiou (邱淑芬)

Page 2

Outline

Introduction
Spam relay detection
Results
Conclusion
Comments

Page 3

E-mail

[Figure: e-mail delivery path; labels recovered from the diagram]
Client: MUA (Outlook/fetchmail/mail)
SMTP: send mail (MUA to its SMTP server / MTA)
SMTP: relay mail (MTA to other mail servers / MTAs)
SMTP: deliver mail (to the destination mail server)
POP: download mail
IMAP: read and manage mail

Page 4

Spam relay

Sending mail to a destination via a third-party mail server or proxy server in order to hide the address of the source of the mail.

When e-mail servers (SMTP servers) are used, it is known as an "open relay" or "SMTP relay," and this method was commonly used by spammers in the past when SMTP servers were not locked down.

Today, most spam relay is provided by proxy servers and botnets.

Page 5

Prevent spam

Page 6

Specific problem

Spam relay

[Figure: a set of compromised hosts ("Compromised host …"), each acting as a spam relay and sending spam mail to many mail servers ("Mail server …").]

Page 7

Monitoring Architecture

Page 8

Legitimate users vs. spam relays

Number of connections: legitimate users < spam relays.

Connections to mail servers: legitimate users connect a few times an hour; spam relays send thousands of e-mails every hour to hundreds of mail servers.

Daily pattern: legitimate users can exhibit one; spam relays do not.

Page 9

Result(1/6)

All the examples shown come from a single 24-hour period during Sep. 2005.

In total, 89,748 hosts were observed. 48 hosts had established over 10,000 SMTP connections, and 4 hosts had established over 50,000 SMTP connections.

Page 10

Result(2/6)

[Figure: connection profile of a home user; total 58,000 SMTP connections]

Page 11

Result(3/6)

[Figure: connection profile; 25,000 connections]

Mail bombs occur where very large quantities of e-mail are sent to the same address, rendering the address unusable.

Page 12

Result(4/6)

[Figure: connection profile; 3,000 connections]

Page 13

Result(5/6)

Page 14

Result(6/6)

Total: over 1,600,000 connections

Page 15

Conclusions

This paper has shown how spam relays installed on compromised hosts could be identified by the ISP networks on which they are hosted.

Given the large disparity between the SMTP connection profiles of legitimate mail clients and servers and spam relays, an automated process could easily be developed to detect spam relays.
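A minimal version of the automated process the conclusion suggests, added here as an example (not the paper's or the speaker's code): it aggregates constructed flow records of outbound SMTP connections per source host and applies the heuristics from the legitimate-users vs. spam-relays comparison (connection count, number of distinct destination servers, and whether activity shows a daily pattern). The thresholds, host addresses and server names are assumed for illustration, and a host with a huge count to a single server is treated as a mail-bomb candidate rather than a relay.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records ("timestamp,src_host,dst_mail_server"), one per outbound
# TCP/25 connection seen by the ISP monitor; illustrative data, not the paper's.
SAMPLE_FLOWS = (
    # Home user: a few connections to its own mail server, morning and evening.
    "2005-09-10T08:15:02,10.0.0.5,mail.isp.example\n"
    "2005-09-10T08:16:40,10.0.0.5,mail.isp.example\n"
    "2005-09-10T19:02:11,10.0.0.5,mail.isp.example\n"
    # Suspected relay: one connection every 6 s, all 24 hours, to 300 distinct servers.
    + "".join(f"2005-09-10T{h:02d}:{m:02d}:{s:02d},10.0.0.77,mx{(h * 60 + m) % 300}.example.com\n"
              for h in range(24) for m in range(60) for s in range(0, 60, 6))
    # Mail bomb: one connection per second for three hours, all to a single server.
    + "".join(f"2005-09-10T{h:02d}:{m:02d}:{s:02d},10.0.0.9,mx.victim.example\n"
              for h in (1, 2, 3) for m in range(60) for s in range(60))
)

def profile_hosts(flow_text):
    """Per source host: connection count, distinct destination servers, active hours."""
    prof = defaultdict(lambda: {"connections": 0, "servers": set(), "hours": set()})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split(",")
        p = prof[src]
        p["connections"] += 1
        p["servers"].add(dst)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return prof

def classify_hosts(prof, max_conn=10_000, min_servers=100, max_active_hours=18):
    """Assumed thresholds: over max_conn connections in the 24 h window is suspect; many
    distinct destinations marks a relay, a single one a mail bomb; >max_active_hours = no daily pattern."""
    verdicts = {}
    for host, p in prof.items():
        if p["connections"] < max_conn:
            verdict = "legitimate"
        elif len(p["servers"]) >= min_servers:
            verdict = "spam relay"
        else:
            verdict = "mail bomb"
        verdicts[host] = {"connections": p["connections"], "servers": len(p["servers"]),
                          "daily_pattern": len(p["hours"]) <= max_active_hours, "verdict": verdict}
    return verdicts

if __name__ == "__main__":
    for host, v in sorted(classify_hosts(profile_hosts(SAMPLE_FLOWS)).items()):
        print(host, v)
```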

Page 16

Comments

The paper proposes a simple method for preventing spam.

What is the accuracy of detecting that a host is a spam relay, and how effective is the method?

How should the threshold on the number of connections be defined for deciding that a host is a spam relay?