Spam Communications IT

Catching Spam by Looking at Traffic, Not Content

AngryDad writes "HexView has proposed a method to deal with spam without scanning actual message bodies. The method is based solely on traffic analysis. They call it STP (Source Trust Prediction). A server, like a Real-time Spam Black list, collects SMTP session source and destination addresses from participating Mail Transfer Agents (MTAs) and applies statistics to identify spam-like traffic patterns. A credibility score is returned to the MTA, so it can throttle down or drop possibly unwanted traffic. While I find it questionable, the method might be useful when combined with traditional keyword analysis." What do you think? Is this snake oil, or is there something to this?

  • sounds good to me (Score:5, Insightful)

    by seanadams.com ( 463190 ) * on Thursday January 25, 2007 @11:44AM (#17752464) Homepage
    I realize most of us here would ordinarily prefer for our ISPs to just move bits around, but it seems like they are in a pretty good position to curb spam if they were to start looking at traffic patterns like this. If some DSL customer suddenly starts opening hundreds of outgoing SMTP connections, that would be a pretty reliable sign that his machine is pwned. Just block or throttle port 25, and send the customer an email telling him to fix his computer, and keep it blocked until he does - or he contacts abuse@ with a legitimate explanation. Not filtering based on the contents of the data should let them maintain plausible deniability and common carrier status.

    We can't do this on our personal or company internet connections because we only see individual messages coming from many different IPs, but on the other end of the connection, or even at the backbone level, this strikes me as a pretty solid solution. They could even just tag the packets with the evil bit [faqs.org] and let us decide if we want to filter them or not.
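To make the scheme in the summary concrete, together with the ISP-side check seanadams.com describes, here is an added example; it is not HexView's STP code and not any product's implementation. A scoring server collects (timestamp, source IP, receiving MTA) session reports from participating MTAs, computes burst, spread and history features per source IP, and returns a credibility score that the querying MTA maps to accept, throttle or defer. The class and function names, the feature weights and thresholds, and the three sample sources (documentation-range IPs, made-up MTA hostnames) are all assumptions constructed for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Added illustration of traffic-only source scoring. The features, weights and
# thresholds are assumptions for this example, not HexView's STP algorithm.


@dataclass(frozen=True)
class SessionReport:
    ts: int     # unix time of the SMTP session, as reported by a participating MTA
    src: str    # connecting client IP: the only sender identity the scheme looks at
    dst: str    # hostname of the MTA that received the connection


class SourceTrustServer:
    """Aggregates session metadata from many MTAs; never sees a message body."""

    def __init__(self, window: int = 3600):
        self.window = window                 # seconds of recent history that is scored
        self.reports = defaultdict(list)     # src -> [(ts, dst), ...]
        self.first_seen: dict = {}           # src -> earliest ts ever reported

    def report(self, r: SessionReport) -> None:
        self.first_seen[r.src] = min(self.first_seen.get(r.src, r.ts), r.ts)
        self.reports[r.src].append((r.ts, r.dst))

    def features(self, src: str, now: int) -> dict:
        recent = [(ts, dst) for ts, dst in self.reports[src]
                  if 0 <= now - ts <= self.window]
        per_minute = Counter(ts // 60 for ts, _ in recent)
        return {
            "sessions": len(recent),
            "spread": len({dst for _, dst in recent}),      # distinct receiving MTAs
            "peak_per_minute": max(per_minute.values(), default=0),
            "age_days": (now - self.first_seen.get(src, now)) / 86400,
        }

    def credibility(self, src: str, now: int) -> float:
        """1.0 = fully trusted, 0.0 = looks like a spam source. Traffic shape only."""
        f = self.features(src, now)
        if f["sessions"] == 0:
            return 1.0                       # unknown source: no evidence either way
        score = 1.0
        # Many sessions inside a single minute is the strongest traffic-only signal.
        score -= min(0.5, f["peak_per_minute"] / 100)
        # One session to each of many different MTAs is a bot spraying addresses;
        # a relay delivering its queue to a handful of peers does not look like that.
        if f["sessions"] >= 50 and f["spread"] / f["sessions"] > 0.8:
            score -= 0.3
        # A long, steady history earns trust back (the "prediction" part of STP).
        score += min(0.3, f["age_days"] / 100)
        return max(0.0, min(1.0, score))


def mta_policy(score: float) -> str:
    """What the querying MTA does with the score it gets back."""
    if score >= 0.6:
        return "accept"
    if score >= 0.35:
        return "throttle"       # e.g. delay the banner or cap concurrent sessions
    return "defer"              # 4xx temporary failure: cheap to reverse if the score is wrong


def build_sample_server(now: int) -> SourceTrustServer:
    """Constructed reports for three sources (documentation IPs, not real traffic)."""
    srv = SourceTrustServer()
    # Corporate relay seen for 60 days: one session every two minutes to three peers.
    srv.report(SessionReport(now - 60 * 86400, "198.51.100.10", "mx1.example.net"))
    for i in range(30):
        srv.report(SessionReport(now - 3600 + i * 120, "198.51.100.10", f"mx{i % 3}.example.net"))
    # Freshly compromised DSL host: 100 sessions in one minute, each to a different MTA.
    for i in range(100):
        srv.report(SessionReport(now - 30, "203.0.113.77", f"mail{i}.example.org"))
    # Mailing-list server seen for 90 days doing a 200-message blast in one minute.
    srv.report(SessionReport(now - 90 * 86400, "192.0.2.25", "mx1.example.net"))
    for i in range(200):
        srv.report(SessionReport(now - 30, "192.0.2.25", f"mx{i % 190}.example.com"))
    return srv


def score_all(now: int = 1_169_740_800) -> dict:
    """Score every known source at `now` (2007-01-25 16:00 UTC) and map it to an action."""
    srv = build_sample_server(now)
    return {src: (round(srv.credibility(src, now), 2), mta_policy(srv.credibility(src, now)))
            for src in srv.reports}


if __name__ == "__main__":
    for src, (score, action) in score_all().items():
        print(f"{src:15} score={score:.2f} -> {action}")
```

The list server ends up throttled rather than deferred only because of its history; its one-minute blast is otherwise indistinguishable from the bot's, which is why a score like this belongs in front of a content filter, not in place of one. The same limitation applies to a shared outbound IP: the scheme keys on source address alone, so every customer behind one relay shares the score. Deferring with a 4xx rather than a 5xx matters too, because a mis-scored legitimate MTA will retry, and a bot usually will not.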
  • by Speare ( 84249 ) on Thursday January 25, 2007 @11:51AM (#17752578) Homepage Journal

    I think the question raises an interesting point: spams *behave* differently on the network than most legitimate emails. It may not be a perfect discriminator, but it sure might be a corroborative scoring aid. This reminded me of the controversy when Slashdot started using text compressibility as a metric for "lameness." I was a disbeliever, and still have my reservations about it, but as a part of the overall toolbox for filtering lameness, the technique seems to have value.

  • greylisting works (Score:2, Insightful)

    by grub ( 11606 ) <slashdot@grub.net> on Thursday January 25, 2007 @11:52AM (#17752606) Homepage Journal

    OpenBSD's greylisting [openbsd.org] in spamd works wonders.
  • by wiredog ( 43288 ) on Thursday January 25, 2007 @11:54AM (#17752630) Journal
    Mailing lists. How does it not tag a server that sends out mail to a list as a spammer?
  • by stavrosg ( 893274 ) on Thursday January 25, 2007 @11:57AM (#17752698) Homepage
    I am going to say it anyway. Why can't people stop responding to spam in the first place? Is it too much to ask?

    People will stop buying from spam when they stop forwarding every hoax or urban legend they receive through their company e-mail to everybody else in their address book.

    When someone finds a way to do it, please ping me.

  • That's the problem. This world is full of stupid people. They might not make money off of most people the spam gets to, but if you cast a big enough net you're bound to catch something (including some dolphins). Millions of pennies still add up to thousands of dollars.
  • by Penguinisto ( 415985 ) on Thursday January 25, 2007 @12:00PM (#17752744) Journal
    I like the idea of gathering and using statistics on traffic patterns, but what they're looking for in many cases can be too easily defeated (e.g. "Junk messages are small"... now we get to watch MTA's spend more time trying to sort spam messages packed to the gills w/ random ASCII, necessitating a look through the message body all over again).

    OTOH, As part of a larger array of spam-fighting tools, okay - there's bits in there I actually like and which can be used as part of other solutions, if not used in the way suggested. As someone who runs a couple of MTA's on top of everything else I do around here, I always like to find new and interesting ways of stopping spam.

    N.B., all that I ask is this: Please make it useful w/o sucking down resources or requisitioning another server. I detest external RBL's - please don't suggest anything that may have an overly-subjective and/or an overly-dependent basis like that. If it isn't RFC-compliant (yes, Verizon, I'm talking to YOU when I say that!), I won't go near it.

    Satisfy those, and yes, I'm interested, as would lots of other SMTP-monkeys out here.

    /P

  • by NtroP ( 649992 ) on Thursday January 25, 2007 @12:11PM (#17752912)

    This isn't a new concept. Our mail gateways already participate in something like this with IronPort's [ironport.com] SenderBase [senderbase.org] reputation filtering. 90%+ of our incoming mail traffic is dropped based on poor reputation scores without looking at anything more than the sender's address. So far, we've never had a false positive that we know of, and only once, after many customers were made a part of a bot-net and started spamming, did SenderBase throttle traffic to one of the local ISP's. A quick call to their mail admins pointing out the problem and they were able to block those customers from sending mail until they were cleaned up and the reputation score climbed back up again.

    It has really taken the load off our mail servers by blocking millions of connections. The rest, we run through SpamAssassin and everything works great!
  • by KKlaus ( 1012919 ) on Thursday January 25, 2007 @12:13PM (#17752932)
    Complaining that people are frequently bad decision makers is usually not worthwhile. Much better to recognize the truth that they are, and then work to try and take the decisions out of their hands.

    It's similar to a pretty interesting conceptual innovation in medicine, when people realized that even excellent doctors will at some point make grossly negligent mistakes simply due to the sheer amount of work they do (i.e. operating on people with paralytics but not analgesics). So the innovation is to make them make fewer decisions - machines that check settings before running, labels that a four year old could understand, arrows and other reminders liberally applied.

    So similarly here, yes it's annoying that people continue to "fund" spammers, but education is not the answer. Because, unfortunately, the spammer's target market of "everyone in the world" will always contain enough people to make their trade profitable if all we rely on is good decision making on the parts of spam recipients. So the solution has to be technical or legal. And in that regard, another small step for man here.
  • by webdragon ( 788788 ) on Thursday January 25, 2007 @12:14PM (#17752948)
    I'm sure they could do that fairly easily, but with how everyone is sue-happy, they're going to have to change the terms-of-use contracts first to reflect that they can and will do it, so they can cover their rear from being sued.
  • by Anonymous Coward on Thursday January 25, 2007 @12:17PM (#17752994)
    ISP traffic analysis blocking spam = good
    ISP traffic analysis blocking torrents = bad
  • by Zocalo ( 252965 ) on Thursday January 25, 2007 @12:22PM (#17753104) Homepage

    > because any email that's from the 'Democratic People's Republic of $Country' is likely to be as bogus as the country's name. If a country needs to add 'Democratic' or 'Republic' to its name, you know something's wrong.

    • Central African Republic
    • Czech Republic
    • Democratic Republic of the Congo
    • Dominican Republic
    • Former Yugoslav Republic of Macedonia
    And that's just the common names and not the official ones like "Republic of Ireland". Given that this is precisely the kind of verbose terminology that you would find in a genuine official email from a government body in such a country, I don't think that's going to be suitable for anything other than a minor nudge towards spamminess.
  • by MarkusQ ( 450076 ) on Thursday January 25, 2007 @12:25PM (#17753178) Journal

    Even if no one ever responds, it won't stop as long as the people paying to have it sent think it works. It's like burning candles to St. Balderdash for scam marketing morons. As long as there is a steady supply of rubes who think that sending spam is their road to riches, and are willing to pay some brighter but no more honest spam lord to send their dreck to a bazillion hapless victims for them, spam will continue to flow.

    This is true even if no one ever responds to, falls for, or even opens a spam message ever again.

    --MarkusQ

  • by paladinwannabe2 ( 889776 ) on Thursday January 25, 2007 @12:48PM (#17753628)
    Democratic Republic of the Congo - Welcome to the land of warlords, genocide, and more genocide.
    Central African Republic - Less than half the genocide of its neighbor in the Congo.
    Dominican and Czech Republics, and Macedonia - actual democracies.

    So two of your five examples help prove my point - and when you start stacking adjectives together, like 'People's Democratic Republic of Korea', you know you've got one of the worst places to live on Earth.

    Also, why on earth would you get an 'official government email' from someone in these countries? That's less likely than you being a Viagra dealer and having Viagra mentioned correctly in your email. That's also why different people will have different spam filters for their mail - if I worked with the Republic of Ireland or was a professor of Greek history I would probably see the word 'Republic' in legitimate email.
  • by kripkenstein ( 913150 ) on Thursday January 25, 2007 @12:51PM (#17753688) Homepage
    Sounds good? Don't major email providers already do something like this? What else are Google doing when lots of people click on "This is Spam" for a particular email - surely they notice such things? The same should be true of email traffic patterns. Yet, perhaps some minor detail in TFA is the new bit. Obviously any improvement in this area is welcome.

    > While this will not stop spam, it will be reduced dramatically. The STP value of a spam source will grow proportionally to the number of junk messages sent. The first several thousand emails will get to unlucky recipients when spamming starts, but the remaining hundreds of thousands will not.
    Actually, webmail can do one better: if a message is marked as spam at some point in time, the system can retroactively remove it from the Inboxes of the 'first few thousand unlucky recipients' (or mark it 'this may be spam', gray it out, etc., at the least). I don't know of anyone doing this, but I wish they would.
  • Won't really work (Score:2, Insightful)

    by jerseyjim ( 312295 ) on Thursday January 25, 2007 @12:53PM (#17753716)
    I use a popular, public email service. My emails have been identified as spam at times. The reality is that everyone from the service uses the same IP address. All it takes is one person from that service to send spam and all those using the service get flagged... so volume alone isn't a good indicator.
  • by bcrowell ( 177657 ) on Thursday January 25, 2007 @12:54PM (#17753732) Homepage

    Why can't people stop responding to spam in the first place? [...] If spammers made absolutely zero dollars for their efforts would they stop?
    First off, if people stopped responding to spam, it wouldn't have any effect on phishing spam, since phishing is based on tricking the user into thinking it's legitimate mail rather than spam. Also, once you have control over an army of zombies, the incremental cost of sending one spam is zero. Even if the spammer thinks he's unlikely to make any money at all by sending out spam, he's already set up to do it, so why not? If even one person in ten million clicks on a spam accidentally because his cat walked across his desk, that makes it worth it to the spammer to have sent out the other 9,999,999 spams. Look at all the bayes-poisoning spams we get, with no link to click on; the spammers know they aren't going to profit from those, but they send them anyway, because it's free. And finally, there are a lot of other things you can do with a network of zombies. For instance, you can carry out extortion schemes by threatening DDOS attacks. The basic problems are (1) poor security of Windows, and (2) the fact that the e-mail protocols were designed before the internet existed, in an era when you knew everybody who was on your network.

  • by Miseph ( 979059 ) on Thursday January 25, 2007 @01:06PM (#17753970) Journal
    Makes sense, since:

    spam = bad
    torrents != bad

    Anyway, you're comparing apples to socket wrenches... Torrent is a file transfer protocol which can be used legitimately. Spam is a specific abuse of the various e-mail protocols, and by definition cannot have any legitimate use. For your comparison to make sense, it would either have to be between using torrent to distribute virii and spam, or between torrent and SMTP/etc. traffic.
  • Re:Obligatory (Score:1, Insightful)

    by Anonymous Coward on Thursday January 25, 2007 @01:24PM (#17754280)
    Frighteningly, this was the first thing I looked for in the comments. It's almost becoming the de facto "executive summary" for every article on a new spam fighting technique.
  • by paladinwannabe2 ( 889776 ) on Thursday January 25, 2007 @01:28PM (#17754352)
    Looking at Wikipedia [wikipedia.org], we find that out of the 14 freest places to live, 'Republic' is part of the title on 4 of them. Looking at the 8 worst places to live, 'Republic', 'Democratic', and 'People's' are part of the title of 6 of them, and they appear a total of 10 times in the name of 8 countries. So it seems that my point has some factual backing, and there's a strong correlation between having 'Republic', 'Democratic', and 'People's' in a country's name and it being none of the above.
  • by CohibaVancouver ( 864662 ) on Thursday January 25, 2007 @01:45PM (#17754670)
    >What would happen if we all started replying with the same auto generated mails?

    Generally there's nothing to 'reply to' - To order the viagra you've got to go to a web site, or fax in an order - and all the latest 'pump and dump' stock-selling emails don't sell anything at all. They buy some stock, spam out their messages, then dump the stock when the price goes up. Often the company in question knows nothing about it.

  • by jstmehr4u3 ( 1055712 ) on Thursday January 25, 2007 @02:10PM (#17755182)
    Get rid of HTML emails.. Spam isn't as cool when it doesn't have a bunch of fake links, pretty pictures, etc. You think the internet would cease to exist if we went back to text only?

    Send a URL in your text-only email if you want to check the email out in HTML...

    Just a thought
  • by jgc7 ( 910200 ) on Thursday January 25, 2007 @02:24PM (#17755494) Homepage
    I agree, but you would have to be careful, because every newsletter/promotion might get marked as spam by a couple of people. The algorithm would need to be pretty sophisticated.
  • by nuzak ( 959558 ) on Thursday January 25, 2007 @02:37PM (#17755718) Journal
    > Maybe the DSL customer just started a mailing list on his home server about... whatever.

    Then he asks to get port 25 unblocked. Or he's serious enough about his hobby mailing list to drop 8 quid a month for a dreamhost account (which isn't itself spam-free, but you know at least DH's nets aren't full of zombies). Or he switches to a web feed. There are solutions, but giving random strangers the benefit of the doubt isn't one of them.

    If SPF and Domainkeys ever got any traction, then Challenge-Response would be somewhat workable ... but I still refuse to jump through C-R hoops.
  • by raddan ( 519638 ) on Thursday January 25, 2007 @02:40PM (#17755776)
    The nice thing about greylisting is that if spammers learn the "trick" of becoming RFC-compliant and thus retry their connections, the cost of their operation goes up. The cost may be small over several thousand messages per day, which is easily handled by a normal, behaving MTA, but for a spammer whose cost calculations depend on spewing out millions of emails per day, it may be a dealbreaker. Combine that with tarpitting and some way of feeding Bayes scores back to the tarpit/greylist (ala relaydb), and you have a really effective spam-prevention system. A spammer who lets himself get stuck in a tarpit is going to lose money. Spammers will have to work a little harder than simple RFC-compliance.
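The greylisting grub points to and the cost argument raddan makes above, as an added example that is not OpenBSD spamd's code: a spamd-style greylister keyed on the (client IP, sender, recipient) triple, with the passtime/greyexp/whiteexp timers at spamd(8)'s defaults (25 minutes, 4 hours, 36 days), a blacklist fed back from the content filter in the relaydb style, and a tarpit that stutters the reply to blacklisted clients. The one-byte-per-second tarpit model, the class and function names, and the three scenarios with their documentation-range IPs and made-up addresses are assumptions constructed for this illustration.

```python
from dataclasses import dataclass

# Added illustration of spamd-style greylisting plus content-filter feedback.
# Timer defaults follow spamd(8) (passtime 25 min, greyexp 4 h, whiteexp 36 days);
# the one-byte-per-second tarpit model and all scenario data are assumptions.

PASSTIME = 25 * 60        # a grey triple must wait this long before it may pass
GREYEXP = 4 * 3600        # grey entries that are never retried are forgotten
WHITEEXP = 36 * 86400     # a client that passed stays whitelisted this long
STUTTER_BPS = 1           # bytes per second fed to a tarpitted client


@dataclass(frozen=True)
class Reply:
    code: int
    text: str
    seconds_held: int = 0     # how long the client is kept on the wire (tarpit cost)


class Greylister:
    def __init__(self) -> None:
        self.grey: dict = {}      # (ip, sender, rcpt) -> first-seen time
        self.white: dict = {}     # ip -> trusted until
        self.black: dict = {}     # ip -> tarpitted until (fed back from Bayes scores)

    def blacklist(self, ip: str, now: int, ttl: int = 24 * 3600) -> None:
        """relaydb-style feedback: a source whose mail scored as spam gets tarpitted."""
        self.black[ip] = now + ttl
        self.white.pop(ip, None)

    def _expire(self, now: int) -> None:
        self.grey = {k: t for k, t in self.grey.items() if now - t < GREYEXP}
        self.white = {ip: t for ip, t in self.white.items() if t > now}
        self.black = {ip: t for ip, t in self.black.items() if t > now}

    def decide(self, ip: str, sender: str, rcpt: str, now: int) -> Reply:
        self._expire(now)
        if ip in self.black:
            text = "Try again later"
            # Every connection from a blacklisted host costs it the whole stuttered reply.
            return Reply(450, text, seconds_held=len(text) // STUTTER_BPS)
        if ip in self.white:
            return Reply(250, "OK")
        key = (ip, sender, rcpt)
        first = self.grey.get(key)
        if first is None:
            self.grey[key] = now                     # never seen: record it and tempfail
            return Reply(451, "Temporary failure, please retry")
        if now - first < PASSTIME:
            return Reply(451, "Temporary failure, please retry")   # retried too soon
        del self.grey[key]
        self.white[ip] = now + WHITEEXP              # an RFC-compliant retry: trust the host
        return Reply(250, "OK")


def run_scenarios(now: int = 0) -> dict:
    """Three constructed senders against one greylister; returns what each achieved."""
    g = Greylister()
    out = {}
    # A fire-and-forget bot sprays 100 messages and never retries a 4xx reply.
    out["bot_delivered"] = sum(
        g.decide("203.0.113.5", f"u{i}@bot.example", "victim@example.com", now + i).code == 250
        for i in range(100))
    # A well-behaved MTA: tempfail, an early retry that is still refused, a retry after
    # passtime that passes, then further mail from the same host passing immediately.
    legit = [g.decide("198.51.100.3", "alice@corp.example", "bob@example.com", now + t)
             for t in (0, 5 * 60, 30 * 60)]
    legit.append(g.decide("198.51.100.3", "carol@corp.example", "dave@example.com", now + 31 * 60))
    out["legit_codes"] = tuple(r.code for r in legit)
    # A spammer that learned to retry gets one message through; the content filter then
    # flags it, and each of its next 50 connections is held for the stuttered reply.
    g.decide("192.0.2.9", "deal@spam.example", "bob@example.com", now)
    first_pass = g.decide("192.0.2.9", "deal@spam.example", "bob@example.com", now + 26 * 60)
    g.blacklist("192.0.2.9", now + 26 * 60)          # Bayes said spam: feed it back
    later = [g.decide("192.0.2.9", f"d{i}@spam.example", "bob@example.com", now + 27 * 60 + i)
             for i in range(50)]
    out["spammer_delivered"] = int(first_pass.code == 250) + sum(r.code == 250 for r in later)
    out["spammer_seconds_held"] = sum(r.seconds_held for r in later)
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

Two things the scenarios make visible: the bot delivers nothing but leaves 100 grey entries behind, which is why greyexp exists, and once the feedback loop blacklists the retrying spammer, every further connection it opens costs it the full stuttered reply while delivering nothing. The legitimate sender pays the passtime delay exactly once, because the pass whitelists the host rather than the single triple.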
  • by totally bogus dude ( 1040246 ) on Thursday January 25, 2007 @09:22PM (#17761878)
    Chances are the people that actually send the spam messages (those who control the botnets) are not the people making money from stock scams, phishing, or sales of pirated software.

    In the same way legitimate businesses will pay marketing companies to run advertising campaigns, design, send and manage email distribution lists, etc, less legitimate 'businesses' pay spammers to send out their message to as many people as possible.

    So yes, they do get paid - just not by the victims of the spam.
