Exploiting Transport-Level Characteristics of Spam

10 years 8 months ago
Exploiting Transport-Level Characteristics of Spam
We present a novel spam detection technique that relies on neither content nor reputation analysis. This work investigates the discriminatory power of email transport-layer characteristics, i.e. the TCP packet stream. From a corpus of messages and corresponding packets, we extract per-email TCP features. While legitimate mail flows are wellbehaved, we observe small congestion windows, frequent retransmissions, loss and large latencies in spam traffic. To learn and exploit these differences, we build "SpamFlow." Using machine learning feature selection, SpamFlow identifies the most selective flow properties, thereby adapting to different networks and users. In addition to greater than 90% classification accuracy, SpamFlow correctly identifies 78% of the false negatives from a popular content filter. By exploiting the need to source large quantities of spam on resource constrained hosts and networks, SpamFlow is not easily subvertible.
Robert Beverly, Karen R. Sollins
Added 12 Oct 2010
Updated 12 Oct 2010
Type Conference
Year 2008
Where CEAS
Authors Robert Beverly, Karen R. Sollins
Comments (0)