Mitigating spam using network-level features
Ramachandran, Anirudh Vadakkedath
MetadataShow full item record
Spam is an increasing menace in email: 90% of email is spam, and over 90% of spam is sent by botnets---networks of compromised computers under the control of miscreants. In this dissertation, we introduce email spam filtering using network-level features of spammers. Network-level features are based on lightweight measurements that can be made in the network, often without processing or storing a message. These features stay relevant for longer periods, are harder for criminals to alter at will (e.g., a bot cannot act independently of other bots in the botnet), and afford the unique opportunity to observe the coordinated behavior of spammers. We find that widely-used IP address-based reputation systems (e.g., IP blacklists) cannot keep up with the threats of spam from previously unseen IP addresses, and from new and stealthy attacks---to thwart IP-based reputation systems, spammers are reconnoitering IP Blacklists and sending spam from hijacked IP address space. Finally, spammers are "gaming" collaborative filtering by users in Web-based email by casting fraudulent "Not Spam" votes on spam email. We present three systems that detect each attack that uses spammer behavior rather than their IP address. First, we present IP blacklist counter-intelligence, a system that can passively enumerate spammers performing IP blacklist reconnaissance. Second, we present SpamTracker, a system that distinguishes spammers from legitimate senders by applying clustering on the set of domains to which email is sent. Third, we analyze vote-gaming attacks in large Web-based email systems that pollutes user feedback on spam emails, and present an efficient clustering-based method to mitigate such attacks.