TUM Logo

B@bel: Leveraging Email Delivery for Spam Mitigation

Traditional spam detection systems either rely on content analysis to detect spam emails, or attempt to detect spammers before they send a message, (i.e., they rely on the origin of the message). In this paper, we introduce a third approach: we present a system for filtering spam that takes into account how messages are sent by spammers. More precisely, we focus on the email delivery mechanism, and analyze the communication at the SMTP protocol level. We introduce two complementary techniques as concrete instances of our new approach. First, we leverage the insight that different mail clients (and bots) implement the SMTP protocol in slightly different ways. We automatically learn these SMTP dialects and use them to detect bots during an SMTP transaction. Empirical results demonstrate that this technique is successful in identifying (and rejecting) bots that attempt to send emails. Second, we observe that spammers also take into account server feedback (for example to detect and remove non-existent recipients from email address lists). We can take advantage of this observation by returning fake information, thereby poisoning the server feedback on which the spammers rely. The results of our experiments show that by sending misleading information to a spammer, it is possible to prevent recipients from receiving subsequent spam emails from that same spammer.

B@bel: Leveraging Email Delivery for Spam Mitigation

21st USENIX Security Symposium

Authors: Gianluca Stringhini, Manuel Egele, Apostolis Zarras, Thorsten Holz, Christopher Kruegel, and Giovanni Vigna
Year/month: 2012/8
Booktitle: 21st USENIX Security Symposium
Fulltext: babel.pdf

Abstract

Traditional spam detection systems either rely on content analysis to detect spam emails, or attempt to detect spammers before they send a message, (i.e., they rely on the origin of the message). In this paper, we introduce a third approach: we present a system for filtering spam that takes into account how messages are sent by spammers. More precisely, we focus on the email delivery mechanism, and analyze the communication at the SMTP protocol level. We introduce two complementary techniques as concrete instances of our new approach. First, we leverage the insight that different mail clients (and bots) implement the SMTP protocol in slightly different ways. We automatically learn these SMTP dialects and use them to detect bots during an SMTP transaction. Empirical results demonstrate that this technique is successful in identifying (and rejecting) bots that attempt to send emails. Second, we observe that spammers also take into account server feedback (for example to detect and remove non-existent recipients from email address lists). We can take advantage of this observation by returning fake information, thereby poisoning the server feedback on which the spammers rely. The results of our experiments show that by sending misleading information to a spammer, it is possible to prevent recipients from receiving subsequent spam emails from that same spammer.

Bibtex:

@inproceedings { stringhini2012babel,
author = { Gianluca Stringhini and Manuel Egele and Apostolis Zarras and Thorsten Holz and Christopher Kruegel and Giovanni Vigna},
title = { B@bel: Leveraging Email Delivery for Spam Mitigation },
year = { 2012 },
month = { August },
booktitle = { 21st USENIX Security Symposium },
url = {https://www.sec.in.tum.de/i20/publications/b-bel-leveraging-email-delivery-for-spam-mitigation/@@download/file/babel.pdf}
}