Analysis of SMTP Connection Characteristics for Detecting Spam Relays

Post on 07-Jan-2016


1

Analysis of SMTP Connection Characteristics for Detecting Spam Relays

Authors: P. J. Sandford, J. M. Sandford, and D. J. Parish

Speaker: Shu-Fen Chiou (邱淑芬)

2

Outline

Introduction
Spam relay detection
Results
Conclusion
Comments

3

E-mail

(Mail-flow diagram on the slide.) A mail user agent (MUA, e.g. Outlook, fetchmail or mail) submits mail to its mail server over SMTP. The mail server's MTA relays the message over SMTP to other mail servers, and the destination MTA delivers it to the recipient's mailbox. The recipient's client then downloads the mail with POP, or reads and manages it on the server with IMAP.

4

Spam relay

Sending mail to a destination via a third-party mail server or proxy server in order to hide the address of the source of the mail.

When e-mail servers (SMTP servers) are used for this, it is known as an "open relay" or "SMTP relay". Spammers commonly used this method in the past, when SMTP servers were not locked down against relaying for arbitrary clients.

Today, most spam relaying is done through proxy servers and botnets, i.e. relay software installed on compromised hosts.

5

Prevent spam

6

Specific problem

Spam relay

(Diagram on the slide.) Many compromised hosts each run a spam relay; each relay opens SMTP connections to many mail servers, and each of those mail servers receives spam mail.

7

Monitoring Architecture

8

Legitimate users vs. spam relays

Number of connections: legitimate users make far fewer than spam relays.

Connections to mail servers: legitimate users connect to a mail server a few times an hour; spam relays send thousands of e-mails every hour to hundreds of mail servers.

Daily pattern: legitimate users can exhibit one (activity during the day, quiet at night); spam relays do not.
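The three criteria above are enough to build a first-pass classifier over per-host SMTP connection records. The following is an added example, not code from the paper or its authors: it takes (timestamp, source, destination) records such as an ISP could collect from a flow monitor at the network edge, builds a per-source profile (total connections, distinct destination mail servers, connections per hour of day), and applies the slide's three criteria. The thresholds (`max_conn_per_hour`, `max_servers`, `min_quiet_hours`) and the sample records are assumptions constructed for the example; the paper does not publish threshold values. The "mail-bomb" label covers the case shown later in the results, where a host hammers a single destination.

```python
"""Profile per-host SMTP connection behaviour and flag likely spam relays.

Added example (not the paper's code). Records are constructed below; in a real
deployment they would come from flow records or a connection log for TCP/25.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Conn:
    ts: datetime   # time the TCP connection to port 25 was opened
    src: str       # connecting host (client, relay, or mail server)
    dst: str       # destination mail server


def profile(conns):
    """Per-source summary: total connections, distinct destinations, per-hour counts."""
    totals = defaultdict(int)
    dsts = defaultdict(set)
    hourly = defaultdict(lambda: [0] * 24)
    for c in conns:
        totals[c.src] += 1
        dsts[c.src].add(c.dst)
        hourly[c.src][c.ts.hour] += 1
    return {
        src: {"total": totals[src], "servers": len(dsts[src]), "hourly": hourly[src]}
        for src in totals
    }


def classify(p, max_conn_per_hour=100, max_servers=20, min_quiet_hours=4):
    """Heuristic built from the slide's three criteria (thresholds are assumptions).

    spam-relay : high hourly rate, many destination servers, no quiet hours
    mail-bomb  : high hourly rate aimed at one (or very few) destinations
    legitimate : everything else
    """
    peak = max(p["hourly"])
    quiet = sum(1 for n in p["hourly"] if n == 0)   # hours with no SMTP activity
    if peak > max_conn_per_hour and p["servers"] <= 3:
        return "mail-bomb"
    if peak > max_conn_per_hour and p["servers"] > max_servers and quiet < min_quiet_hours:
        return "spam-relay"
    return "legitimate"


def detect(conns):
    """Map each source host to its label."""
    return {src: classify(p) for src, p in profile(conns).items()}


def sample_records():
    """Constructed one-day record set with four kinds of host."""
    day = datetime(2005, 9, 14)
    recs = []
    # Home user: a handful of daytime/evening connections to the ISP smarthost.
    for h in (8, 9, 12, 18, 19, 21):
        recs.append(Conn(day + timedelta(hours=h, minutes=5), "192.0.2.10", "smtp.isp.example"))
    # Small company mail server: steady during office hours, 40 peer servers, quiet at night.
    for h in range(7, 20):
        for i in range(30):
            recs.append(Conn(day + timedelta(hours=h, seconds=i * 100),
                             "192.0.2.50", f"mx{(h * 30 + i) % 40}.example"))
    # Spam relay: 150 connections every hour, round the clock, to 300 servers.
    for h in range(24):
        for i in range(150):
            recs.append(Conn(day + timedelta(hours=h, seconds=i * 20),
                             "192.0.2.77", f"mx{(h * 150 + i) % 300}.example"))
    # Mail bomb: 500 connections within one hour, all to the same server.
    for i in range(500):
        recs.append(Conn(day + timedelta(hours=14, seconds=i * 5),
                         "192.0.2.99", "mx-victim.example"))
    return recs


if __name__ == "__main__":
    for src, label in detect(sample_records()).items():
        print(f"{src:12s} {label}")
```

The daily-pattern test is deliberately coarse (count of hours with zero connections); on real data it should be computed over several days, because a legitimate mail server also has no quiet hours, and it is separated from a relay here only by its much lower peak rate and smaller server fan-out.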

9

Result(1/6)

All the examples shown come from a single 24-hour period in September 2005.

In total, 89,748 hosts were observed. 48 hosts had established over 10,000 SMTP connections, and 4 hosts had established over 50,000 SMTP connections.

10

Result(2/6)

Total: 58,000 SMTP connections (home user)

11

Result(3/6)

25,000 connections

Mail bombs: occur where very large quantities of e-mail are sent to the same address, rendering the address unusable.

12

Result(4/6)

3,000 connections

13

Result(5/6)

14

Result(6/6)

Total: over 1,600,000 connections

15

Conclusions

This paper has shown how spam relays installed on compromised hosts could be identified by the ISP networks on which they are hosted.

Given the large disparity between the SMTP connection profiles of legitimate mail clients and servers on the one hand and spam relays on the other, an automated process to detect spam relays could easily be developed.

16

Comments

The paper proposes a simple method for preventing spam. What is the accuracy of identifying a host as a spam relay, and how effective is the method? How should the connection-count threshold used to judge a host to be a spam relay be defined?
