B@bel: Leveraging Email Delivery for Spam Mitigation
Usenix Security 2012
Gianluca Stringhini, Manuel Egele, Apostolis Zarras, Thorsten Holz, Christopher Kruegel, and Giovanni Vigna
University of California, Santa Barbara; Ruhr-University Bochum
Evaluating Dialects for Classification
Run B@bel on the training set (13 legitimate clients, 91 malware samples)
Legitimate MUAs and MTAs are distinct from bots. Legitimate MUAs and MTAs all speak distinct dialects (except for Outlook Express and Windows Live Mail, which share one)
91 malware samples: 48 dialects. Samples that share a dialect belong to the same family
Evaluating Dialects for Spam Detection
Run B@bel
SMTP conversations for 621919 email messages (40 days)
7114 bot samples [4] >> bad dialects
MUA + MTA + webmail >> good dialects
Passive spam detection
Decision machine does not recognize the conversation >> mark as spam
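The classification idea on these slides (a decision machine built from known client dialects, where a conversation whose dialect is not recognized is marked as spam) as an added Python sketch. This is not the authors' B@bel implementation: the fingerprint features, the client names and every transcript below are constructed for the example. It also covers the training-set observation above that two legitimate clients can share one dialect, and the shared-engine case the later limitations slide describes.

```python
"""Passive SMTP dialect classification (added example, not the B@bel code).

Learn the SMTP "dialect" (the exact shape of the commands a client sends,
not the message body) from labelled transcripts, then mark any conversation
whose dialect is not one of the known legitimate ones as spam.  Fingerprint
features and all transcripts are constructed for this illustration.
"""
import re
from typing import Dict, List, Tuple

Fingerprint = Tuple[str, ...]

# Commands that carry an address: the separator style after the verb and the
# address form are implementation details that differ between mail engines.
_ADDR_CMD = re.compile(r"^(MAIL FROM|RCPT TO)(:?)( ?)(<[^>]*>|\S+)(.*)$", re.IGNORECASE)


def _normalize(line: str) -> str:
    """Reduce one client command line to its dialect-relevant shape."""
    line = line.rstrip("\r\n")
    verb = line.split(" ", 1)[0].split(":", 1)[0]
    case = "upper" if verb.isupper() else "lower" if verb.islower() else "mixed"
    m = _ADDR_CMD.match(line)
    if not m:
        return f"{verb.upper()}/{case}"
    cmd, colon, space, addr, extra = m.groups()
    feats = [cmd.upper().replace(" ", "_"), case,
             "colon" if colon else "nocolon",
             "space" if space else "nospace",
             "brackets" if addr.startswith("<") else "bare"]
    if extra.strip():
        feats.append("params")  # ESMTP parameters such as SIZE= after the address
    return "/".join(feats)


def fingerprint(client_lines: List[str]) -> Fingerprint:
    """A dialect fingerprint is the ordered tuple of normalized client commands."""
    return tuple(_normalize(line) for line in client_lines)


# Constructed training transcripts (client side only; server replies omitted).
GOOD_TRANSCRIPTS: Dict[str, List[str]] = {
    "mua-A": ["EHLO laptop.example", "MAIL FROM:<alice@example.org> SIZE=2048",
              "RCPT TO:<bob@example.net>", "DATA", "QUIT"],
    "mta-B": ["EHLO mx.example", "MAIL FROM:<alice@example.org>",
              "RCPT TO:<bob@example.net>", "DATA", "QUIT"],
    # Two clients built on one engine speak the same dialect (the slide makes
    # the same observation for Outlook Express and Windows Live Mail).
    "mua-C": ["HELO pc.example", "MAIL FROM: <alice@example.org>",
              "RCPT TO: <bob@example.net>", "DATA", "QUIT"],
    "mua-D": ["HELO desk.example", "MAIL FROM: <carol@example.org>",
              "RCPT TO: <dave@example.net>", "DATA", "QUIT"],
}
BAD_TRANSCRIPTS: Dict[str, List[str]] = {
    "bot-X": ["HELO localhost", "MAIL FROM:spam@example.com",
              "RCPT TO:victim@example.net", "DATA"],            # bare addresses, no QUIT
    "bot-Y": ["ehlo zombie", "mail from:<spam@example.com>",
              "rcpt to:<victim@example.net>", "data", "quit"],  # lower-case verbs
}


def train(good: Dict[str, List[str]], bad: Dict[str, List[str]]) -> Dict[Fingerprint, str]:
    """Label each observed fingerprint good/bad; 'conflict' if both sides produced it."""
    model: Dict[Fingerprint, str] = {}
    for label, transcripts in (("good", good), ("bad", bad)):
        for lines in transcripts.values():
            fp = fingerprint(lines)
            model[fp] = label if model.get(fp, label) == label else "conflict"
    return model


def count_dialects(transcripts: Dict[str, List[str]]) -> int:
    """Number of distinct dialects spoken by a set of clients."""
    return len({fingerprint(lines) for lines in transcripts.values()})


def classify(client_lines: List[str], model: Dict[Fingerprint, str]) -> str:
    """Passive rule from the slide: a dialect the model does not recognize is spam."""
    label = model.get(fingerprint(client_lines))
    if label == "good":
        return "ham"
    if label == "conflict":
        return "unknown"  # shared engine: the dialect alone cannot decide
    return "spam"         # known bot dialect, or a dialect never seen before


if __name__ == "__main__":
    model = train(GOOD_TRANSCRIPTS, BAD_TRANSCRIPTS)
    print("legitimate clients:", len(GOOD_TRANSCRIPTS),
          "distinct dialects:", count_dialects(GOOD_TRANSCRIPTS))
    for name, lines in {**GOOD_TRANSCRIPTS, **BAD_TRANSCRIPTS}.items():
        print(f"{name:6s} -> {classify(lines, model)}")
```

Running the module trains on the constructed transcripts and prints one verdict per client. The `unknown` verdict marks a dialect produced by both sides of the training set, which is exactly where passive dialect matching stops being informative; a bot that drives a legitimate mail engine reproduces that engine's dialect and is classified as ham, which is the limitation the later slide describes.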
Evaluating Dialects for Spam Detection
621919 emails (all)
260074 spam, 218675 ham, 143170 ??
Verify
True positives
IP blacklists (30) + resolve domain
99.32% true positives
False negatives
21% false negatives
(misused webmail accounts, dedicated MTAs)
(half are legitimate MTAs)
Limitations and Evasion
Evading dialect detection:
Use an existing open-source SMTP engine (CDO)
But spambots are built for performance
Bagle (a spam bot): 20 ms per letter
CDO (Windows): 200 ms per letter
CDO = Collaboration Data Objects library
Conclusion
Introduced a novel way to detect and mitigate spam emails
We study how the feedback mechanism used by botnets can be poisoned
Empirical results confirm that our approach can be used to detect and mitigate spam emails.