Catching spam before it arrives: domain specific dynamic blacklists

Published: 01 January 2006

    Abstract

    The arrival of any piece of unsolicited and unwanted email (spam) into a user's email inbox is a problem. It results in real costs to organisations and possibly an increasing reluctance to use email by some users. Currently most spam prevention techniques rely on methods that examine the whole email message at the mail server. This paper describes research that aims to deny spam entry into the internal network in the first place. Examination of live amalgamated audit logs from a Linux kernel firewall, the PortSentry intrusion detection system and the Sendmail mail transfer agents has shown that it is possible that automated mailing programs send characteristic probes to the network gateway just before launching an avalanche of mail. Similarly it seems possible to detect precursor activity from some potential zombie machines. A real time system that could detect such activity needs to be certain that a particular IP address is about to send spam before blocking all of its packets at the network gateway. The architecture for a system that establishes certainty that a particular IP address is about to or has started sending spam is described in this paper. The eventual aim is to recognise precursor activity from spammers in real time, establish certainty that this IP address is about to send or is currently sending spam packets, and then deny packets from this IP address at a range of communicating gateways.



    Published In
    ACSW Frontiers '06: Proceedings of the 2006 Australasian workshops on Grid computing and e-research - Volume 54
    January 2006
    230 pages

    Publisher

    Australian Computer Society, Inc.

    Australia


    Conference

    ACSW Frontiers '06
    ACSW Frontiers '06: Grid computing and e-research
    January 16 - 19, 2006
    Hobart, Tasmania, Australia

    Acceptance Rates

    Overall Acceptance Rate 204 of 424 submissions, 48%


    Cited By

    • (2016) Correct Audit Logging. Proceedings of the 5th International Conference on Principles of Security and Trust - Volume 9635, pp. 139-162, doi:10.5555/3089491.3089501. Online publication date: 2-Apr-2016.
    • (2016) An intelligent three-phase spam filtering method based on decision tree data mining. Security and Communication Networks, vol. 9, no. 17, pp. 4013-4026, doi:10.1002/sec.1584. Online publication date: 25-Nov-2016.
    • (2012) Segmental parameterisation and statistical modelling of e-mail headers for spam detection. Information Sciences: an International Journal, vol. 195, pp. 45-61, doi:10.1016/j.ins.2012.01.022. Online publication date: 1-Jul-2012.
    • (2010) Secured and trusted three-tier grid architecture. International Journal of Ad Hoc and Ubiquitous Computing, vol. 5, no. 4, pp. 244-251, doi:10.1504/IJAHUC.2010.032999. Online publication date: 1-May-2010.
    • (2009) Botnet. EURASIP Journal on Wireless Communications and Networking, vol. 2009, pp. 1-11, doi:10.1155/2009/692654. Online publication date: 1-Feb-2009.
    • (2008) A survey of emerging approaches to spam filtering. ACM Computing Surveys, vol. 44, no. 2, pp. 1-27, doi:10.1145/2089125.2089129. Online publication date: 5-Mar-2008.
    • (2007) Fighting unicode-obfuscated spam. Proceedings of the anti-phishing working groups 2nd annual eCrime researchers summit, pp. 45-59, doi:10.1145/1299015.1299020. Online publication date: 4-Oct-2007.
    • (2007) Using uncleanliness to predict future botnet addresses. Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, pp. 93-104, doi:10.1145/1298306.1298319. Online publication date: 24-Oct-2007.
