Towards Proactive SPAM Filtering

Similar documents

How To Filter From A Spam Filter

Search Engine Marketing(SEM)

Protecting the Infrastructure: Symantec Web Gateway

Reputation Marketing Proposal. Overview Summary

ISB13 Web security deployment options - which is really best for you? Duncan Mills, Piero DePaoli, Stuart Jones

Whose IP Is It Anyways: Tales of IP Reputation Failures

DST . Product FAQs. Thank you for using our products. DST UK

McAfee. Firewall Enterprise. Application Note TrustedSource in McAfee. Firewall Enterprise. version and earlier

SPAMMING BOTNETS: SIGNATURES AND CHARACTERISTICS

Project specification for suncoastreoholdings.com. Version 1.0

The Latest Internet Threats to Affect Your Organisation. Tom Gillis SVP Worldwide Marketing IronPort Systems, Inc.

Adjust Webmail Spam Settings

Stop DDoS Attacks in Minutes

LASTLINE WHITEPAPER. Using Passive DNS Analysis to Automatically Detect Malicious Domains

A quick guide to... Permission: Single or Double Opt-in?

Websense Data Security Solutions

1 Introductory Comments. 2 Bayesian Probability

聚碩科技主題 : 如何幫企業行動商務建立安全機制職稱 : 技術顧問

Sophos Cloud Help Document date: January 2016

Hong Kong Information Security Outlook 2015 香港資訊保安展望

Streamlining Web and Security

REMOTE BACKUP-WHY SO VITAL?

MY DIGITAL PLAN MY DIGITAL PLAN BROCHURE

SPAM FILTER Service Data Sheet

1.M4: Marketing

Data Center security trends

Operation Liberpy : Keyloggers and information theft in Latin America

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

Analysis of Spam Filter Methods on SMTP Servers Category: Trends in Anti-Spam Development

Payius. Guide to SSL certicates in ecommerce

ParlaMI, Enterprise Instant Messaging

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

SpamTitan Outlook Addin v1.1 Installation Instructions

FortiMail Filtering Course 221-v2.0. Course Overview. Course Objectives

Private Networks

Security Incidents And Trends In Croatia. Domagoj Klasić

mdata from Mobile Commons enables organizations to make any data accessible to the public via text message, no programming required.

SEO: HOW TO DRIVE MORE TRAFFIC TO YOUR WEBSITE

TEAL: Transparent Archiving Library

ThreatSTOP Technology Overview

Online and Scalable Data Validation in Advanced Metering Infrastructures

WEBSENSE SECURITY SOLUTIONS OVERVIEW

2. Bulk SMS Software: Custom Desktop Software application using our API.

Superior protection from Internet threats and control over unsafe web usage

A General-purpose Laboratory for Large-scale Botnet Experiments

C I S C O E M A I L S E C U R I T Y A P P L I A N C E

ANNEXURE TO TENDER NO. MRPU/IGCAR/COMP/5239

WEBTHREATS. Constantly Evolving Web Threats Require Revolutionary Security. Securing Your Web World

Inside the Storm: Protocols and Encryption of the Storm Botnet

RTCU Gateway 2 Monitor Tool User's Manual

Quarantined Messages 5 What are quarantined messages? 5 What username and password do I use to access my quarantined messages? 5

Introducing IBM s Advanced Threat Protection Platform

Technology Blueprint. Essential Protection for PCs. Match your endpoint protection with today s risks

Search Engine Optimisation (SEO) Factsheet

Bing Ads for Realtors: Get $100 FREE

Gateways Using MDaemon 6.0

isheriff CLOUD SECURITY

Detecting Spam in VoIP networks

Removing Web Spam Links from Search Engine Results

Commtouch RPD Technology. Network Based Protection Against -Borne Threats

SafeNet Content Security Product Overview. Protecting the Network Edge

Testing Document - DDOS Traffic Shaping Simulator

MESSAGING SECURITY GATEWAY. Detect attacks before they enter your network

SB 1386 / AB 1298 California State Senate Bill 1386 / Assembly Bill 1298

Domain Name Abuse Detection. Liming Wang

the delivery of standout services and information to customers via the internet

A Critical Investigation of Botnet

F-Secure Internet Gatekeeper

FortiMail Filtering Course 221-v2.2 Course Overview

Quick Reference Guide. Online Courier: FTP. Signing On. Using FTP Pickup. To Access Online Courier.

Innovations in Network Security

STPIC/Admin/002/ / Date: Sub: Quotation for purchase/renewal of Anti Virus Software Reg.

Storm Worm & Botnet Analysis

Access Control Rules: URL Filtering

SEO Services Sample Proposal

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The Hillstone and Trend Micro Joint Solution

Ciphermail Gateway PDF Encryption Setup Guide

Grow your Business with our advanced Call Tracking services

Transcription:

Towards Proactive SPAM Filtering DIMVA 2009 Laboratory for Dependable Distributed Systems

Survey Motivation Sandnet Setup Template Creation Preliminary Results Summary & Future Work

Motivation SPAM is unwanted Why templates for filtering: Templates more precise than current methods? (Bayes Filter, Reputation based,...) Templates send to Bots are encrypted Retrieve template from memory of running bot - too complex?

Example Template 1 In this example the body is fixed

Example Template 2 Example: Command {file "body.html", quoted printable} tells the bot to substitute the body.html file Xarvester Botnet Quelle: www.marshal8e6.com

Sandnet Setup Running Spam Bots

Sandnet 1

Sandnet 2 Spam Email are collected at the gateway (mbox) Filtering of malicious traffic + rate limit How to handle test emails send by bots? Currently blocked Our current setup runs the bots only for a limited time

Generating Templates The Algorithm

Template Creation 1 The Template Creation Algorithm: Take first email as starting template Sort emails according to their length Take next email as comparing template Common Substring Extraction Add emails to the template as long as threshold is not exceeded

Template Creation 2

Example Template 1 Only X-Mailer Changes Generated from 1175 emails

Example Template 2 Only Subject and X-Mail change Generated from 4741 emails

Example Template 3 Generated from 172 emails More complex due to word mutations in the emails

Preliminary Results Euro Dice Casino Case Study

Euro Dice Casino 1 We generated a Template from 71 emails all collected during a single day in October 2008

Euro Dice Casino 2 We collected SPAM emails advertising the casino during June 2008 till April 2009 A total of 493 emails advertising the Euro Dice Casino were collected at our spamtraps (some free email accounts) Checking against our previously generated template revealed a detection rate of only 5.3% All matches are emails received at the spamtraps during October 2008

Euro Dice Casino 3 We added a randomly chosen email from the spamtrap emails to our template generation process

Euro Dice Casino 4 Adding a single slightly different email resulted in a detection rate of 26% (previously 5.3%) We now match emails of this campaign ranging from September to November 2008 All that changed is the URL eurocasinokg.com eurocasino([a-za-z]){2,2}.com

Euro Dice Casino 5 Adding another email:

Euro Dice Casino 6 Adding another email raises the detection rate to 99% Again only the URL changes: eurocasino([a-za-z]){2,2}.com ([\.A-Za-z]){0,16} The number of distinct emails of a campaign determines the quality of a template In this case a total of 3 emails suffices for a 99% detection rate of the email campaign

Summary...and future work

Summary Sandnet (run bots periodically) Offline template generation Common Substring Algorithm First results are promising

Future Work Rebuild the Sandnet to run bots endlessly Construct templates while collecting the SPAM from the running bots (realtime) Build a Mail-Client Plugin for template filtering Evaluate the approach

Jan Göbel http://pi1.informatik.uni-mannheim.de/ goebel@informatik.uni-mannheim.de Questions? Pi1 - Laboratory for Dependable Distributed Systems