UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering An Effective Defense Against Spam Laundering Mengjun Xie, Heng Yin, Haining Wang Presented by Dustin Christmann March 4, 2009

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Outline Introduction Spam Laundering Anti-Spam Techniques Proxy-Based Spam Behavior DBSpam DBSpam Evaluation Potential Evasions

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Introduction What is spam? Classic definition: a canned precooked meat product made by the Hormel Foods Corporation, introduced in “SPAM” stands for “SPiced hAM” Modern definition: the abuse of electronic messaging systems to send unsolicited bulk messages indiscriminately.

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Introduction So how did we get from one definition to the other? A 1970 Monty Python sketch, entitled “Spam.”

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Spam Laundering MTA relay ProxyMTA

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Anti-Spam Techniques Three main categories: 1.Recipient-oriented techniques 2.Sender-oriented techniques 3.HoneySpam

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Recipient-oriented Techniques Two main categories: 1.Content-based techniques 2.Non-content-based techniques

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Content-Based Techniques address filters Heuristic filters Machine-learning based filters

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Non-content-based Techniques DNSBLs MARID Challenge-Response Tempfailing Delaying Sender Behavior Analysis

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Sender-oriented Techniques Usage regulation Cost-based approaches

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering HoneySpam Based on honeyd Set up –Fake web servers –Fake open proxies –Fake relays Log the users of these fake servers as spam sources

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Proxy-based Spam Behavior Normal transmission MTA Router Corporate / campus / home network

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Proxy-based Spam Behavior Proxy-based Spam MTA Router Corporate / campus / home network

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Connection Correlation One-to-one mapping between upstream and downstream connections In normal transmission, there’s only one. Problems –Upstream encryption –Overhead –Timing

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Packet Symmetry Message symmetry –SMTP message from downstream connection results in TCP message to upstream connection Packet symmetry –One packet from downstream connection results in one packet to upstream connection –Exceptions

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering TCP Correlation Example

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering DBSpam Goals: 1.Fast detection of spam laundering with high accuracy 2.Breaking spam laundering via throttling or blocking after detection 3.Support for spammer tracking and law enforcement 4.Support for spam message fingerprinting 5.Support for global forensic analysis

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Deployment of DBSpam At a network vantage point where it can monitor the bi-directional traffic Single-homed network:

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Deployment of DBSpam Multi-homed network

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Design of Spam Laundering Detection With proxy-based spam transmission, number of incoming SMTP reply packets = number of outgoing TCP packets Possible for this to occur with normal traffic, but very seldom Sequential Probability Ratio Test (SPRT) is used

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering SPRT Can be viewed as a one-dimensional “random walk” starting between two boundaries –One boundary defines “spam connection” –Other boundary defines “not a spam connection”

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering SPRT Each observation pushes the walk in one direction or the other –Observation of correlated SMTP-TCP packets pushes walk toward “spam connection” –Observation of no correlation pushes walk toward “no spam connection” When the walk hits either boundary, test ends

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering SPRT Average number of required observations to reach a determination depends on four variables: 1.α* (the desired probability of false positives) 2.β* (the desired probability of false negatives) 3.θ 1 (the distribution of positive correlation) 4.θ 0 (the distribution of negative correlation)

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering SPRT E[N|H 1 ] vs. θ 0 and α* ( θ 1 = 0.99, β* = 0.01)

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering SPRT Detection Algorithm

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Noise Reduction Maintain a set of external IP addresses that appear for each time In the consecutive M time windows, single out the external IP addresses that appear at least K times Can further reduce the incidence of false positives dramatically, depending on the selection of M and K

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Noise reduction

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering DBSpam Evaluation Evaluation at College of William & Mary Two off-campus PCs as spam sources Two PCs in different campus subnets running SOCKS and HTTP proxies Spam “sink” in dark net Traces run in two different months N-* includes no spam traffic S-*-C encrypted spam, S-*-A and S-*-B unencrypted spam

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering DBSpam Evaluation SPRT Detection Time TraceN = 6N = 11N ≥ 16 S-1-A970 (100%)00 S-1-B5019 (96.9%)139 (2.7%)21 (0.4%) S-1-C2245 (92.8%)169 (7.0%)6 (0.2%) S-2-A433 (99.1%)3 (0.7%)1 (0.2%) S-2-B4298 (94.7%)198 (4.4%)40 (0.9%) S-2-C1758 (98.9%)16 (1.0%)3 (0.1%)

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering DBSpam Evaluation Distribution of N|H 0

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering DBSpam Evaluation CDF of Detection Time for SPRT

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering DBSpam Evaluation Accuracy of SPRT AttributeS-1-AS-1-BS-1-CS-2-AS-2-BS-2-CN-1N-2 Detection True Positives False Positives True Negatives FP/(FP+TN) %0.0061%0.0085%0.0072%0.012%0.0051%0.0096%0.015% Spam Connections Missed Connections Missed Conn. Ratio 0.8%0.4%01.8%2.0%1.3%--

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering DBSpam Evaluation Accuracy of SPRT after noise reduction Trace (M,K) (3,2)(4,3)(5,3)(5,4) S-1-A0/1880/1380/1240/110 S-1-B0/1620/1260/103 S-1-C0/1940/1500/1240/123 S-2-A0/650/360/520/27 S-2-B13/3353/2434/2160/186 S-2-C0/1930/1240/1350/94 N-10/0 N-27/71/12/20/0

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering DBSpam Evaluation Resource Consumption TraceCPU UtilCPU TimePpsPeak Mem S-1-A36.3%9.0s MB S-1-B37.7%9.8s MB S-1-C24.0%9.3s MB S-2-A58.0%36.8s MB S-2-B84.3%109.2s MB S-2-C57.1%78.6s MB N-121.7%51.1s MB N-232.1%789.9s MB

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Potential Evasions Fragmenting SMTP replies at the proxy –Change the 1:1 packet symmetry into 1:2 or 1:3 Inserting random delays at the proxy –Randomly change the 1:1 packet symmetry into 1:0 or 1:2

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Strengths Simple to implement Moves spam detection closer to source, reducing network traffic Thwarts encryption Detects proxy-based spam quickly Few false positives

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Weaknesses Easy to evade by breaking packet symmetry Can be thwarted by short SMTP dialogs Must be installed at ISP edge Too resource intensive for imbedded systems