Analysis of SMTP Connection Characteristics for Detecting Spam Relays. Authors: P. J. Sandford, J. M. Sandford, and D. J. Parish. Speaker: Shu-Fen Chiou (邱淑芬)



1

Analysis of SMTP Connection Characteristics for Detecting Spam Relays

Authors: P. J. Sandford, J. M. Sandford, and D. J. Parish

Speaker: Shu-Fen Chiou (邱淑芬)


2

Outline

Introduction

Spam relay detection

Results

Conclusion

Comments


3

E-mail (diagram)

Client (MUA: Outlook/fetchmail/mail) to Mail Server (SMTP Server, MTA): the client submits mail with SMTP.

MTA to MTA (other SMTP servers or mail servers): SMTP relays and delivers the mail between mail servers.

Mail Server to Client: the client downloads mail with POP, or reads and manages mail on the server with IMAP.


4

Spam relay

Sending mail to a destination via a third-party mail server or proxy server in order to hide the address of the source of the mail.

When e-mail servers (SMTP servers) are used, it is known as an "open relay" or "SMTP relay," and this method was commonly used by spammers in the past when SMTP servers were not locked down.

Today, most spam relay is provided by proxy servers and botnets.


5

Prevent spam


6

Specific problem (diagram)

Spam relays on compromised hosts: each of many compromised hosts (Compromised host, Compromised host, Compromised host, ...) runs a spam relay, and each relay sends spam mail to many mail servers (Mail server, Mail server, Mail server, ...).


7

Monitoring Architecture


8

Legitimate users vs. spam relays

Number of connections: legitimate users < spam relays.

Connections to a mail server: legitimate users connect a few times an hour; spam relays send thousands of e-mails every hour to hundreds of mail servers.

Daily pattern: legitimate users can exhibit one; spam relays do not.


9

Result (1/6)

All the examples shown come from a single 24-hour period during September 2005.

In total 89,748 hosts were observed. 48 hosts had established over 10,000 SMTP connections, and 4 hosts had established over 50,000 SMTP connections.


10

Result (2/6)

(Figure: SMTP connection profile labelled "Home user"; total 58,000 SMTP connections.)


11

Result (3/6)

(Figure: 25,000 connections.)

Mail bombs occur where very large quantities of e-mail are sent to the same address, rendering the address unusable.
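The profile differences on the "Legitimate users vs. spam relays" slide (connection volume, number of destination mail servers, presence of a daily pattern) and the mail-bomb pattern defined above (large volume aimed at a single destination) can be turned into a per-host classifier over a day of connection records. The block below is an added example written for this page, not code from the paper or the presentation. The record format, the host and server addresses, the three-way labelling and every threshold value are assumptions made for illustration; the paper reports the disparity but gives no threshold values.

```python
"""Per-host SMTP connection profiling over a 24-hour window.

Added example, not the paper's code.  Input is a list of (start time,
source host, destination mail server) tuples, one per outbound TCP/25
connection seen at the ISP edge.  All thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class HostProfile:
    total: int            # SMTP connections in the window
    peak_per_hour: int    # connections in the busiest hour
    active_hours: int     # hours (of 24) with at least one connection
    distinct_dest: int    # distinct destination mail servers


# Assumed thresholds, not taken from the paper; tune them per network.
MIN_CONNECTIONS = 100       # below this, volume alone says nothing
RELAY_DISTINCT_DEST = 100   # "hundreds of mail servers"
RELAY_ACTIVE_HOURS = 20     # no daily pattern: busy almost every hour
BOMB_MAX_DEST = 2           # large volume aimed at one or two servers


def profile_hosts(flows):
    """Aggregate raw connection records into one HostProfile per source host."""
    per_hour = defaultdict(lambda: defaultdict(int))   # src -> hour -> count
    dests = defaultdict(set)                           # src -> destination servers
    for start, src, dst in flows:
        per_hour[src][start.hour] += 1
        dests[src].add(dst)
    return {
        src: HostProfile(
            total=sum(hours.values()),
            peak_per_hour=max(hours.values()),
            active_hours=len(hours),
            distinct_dest=len(dests[src]),
        )
        for src, hours in per_hour.items()
    }


def classify(p):
    """Label one profile: legitimate, mail-bomb, spam-relay or review."""
    if p.total < MIN_CONNECTIONS:
        return "legitimate"
    if p.distinct_dest <= BOMB_MAX_DEST:
        return "mail-bomb"          # huge volume, single destination
    if p.distinct_dest >= RELAY_DISTINCT_DEST and p.active_hours >= RELAY_ACTIVE_HOURS:
        return "spam-relay"         # many servers, no daily pattern
    return "review"                 # e.g. a real MTA hosted on the ISP network


def classify_all(flows):
    return {src: classify(p) for src, p in profile_hosts(flows).items()}


def sample_flows():
    """Constructed 24-hour sample (not real traffic) with three hosts."""
    day = datetime(2005, 9, 1)
    flows = []
    # 10.0.0.5: home user, four daytime connections to the ISP's own mail server.
    for h, m in [(8, 2), (12, 30), (18, 15), (21, 5)]:
        flows.append((day + timedelta(hours=h, minutes=m), "10.0.0.5", "203.0.113.25"))
    # 10.0.0.77: spam relay, 120 connections every hour spread over 400 servers.
    servers = [f"192.0.2.{i}" for i in range(1, 201)] + [f"198.51.100.{i}" for i in range(1, 201)]
    n = 0
    for h in range(24):
        for s in range(0, 3600, 30):
            flows.append((day + timedelta(hours=h, seconds=s), "10.0.0.77", servers[n % len(servers)]))
            n += 1
    # 10.0.0.99: mail bomb, 2,000 connections to one server in under two hours.
    for i in range(2000):
        flows.append((day + timedelta(hours=2, seconds=3 * i), "10.0.0.99", "203.0.113.40"))
    return flows


if __name__ == "__main__":
    for src, p in profile_hosts(sample_flows()).items():
        print(f"{src:10} total={p.total:5} peak/h={p.peak_per_hour:4} "
              f"hours={p.active_hours:2} dests={p.distinct_dest:3} -> {classify(p)}")
```

The "review" bucket exists because a legitimate mail server hosted on the ISP network also connects to many destinations around the clock; such hosts should be allow-listed rather than blocked on volume alone. The thresholds are deliberately explicit constants so that the question of where to set them is answered per network from observed profiles rather than hidden in the logic.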


12

Result (4/6)

(Figure: 3,000 connections.)


13

Result (5/6)


14

Result (6/6)

(Figure: total over 1,600,000 connections.)


15

Conclusions

This paper has shown how spam relays installed on compromised hosts could be identified by the ISP networks on which they are hosted.

Given the large disparity between the SMTP connection profiles of legitimate mail clients and servers and spam relays, an automated process could easily be developed to detect spam relays.


16

Comments

The paper proposes a simple method to prevent spam.

What is the accuracy of detecting that a host is a spam relay, and how effective is the method?

How should the threshold on the number of connections be defined for deciding that a host is a spam relay?