Catching Spam by Looking at Traffic, Not Content

AngryDad writes "HexView has proposed a method to deal with spam without scanning actual message bodies. The method is based solely on traffic analysis. They call it STP (Source Trust Prediction). A server, like a Real-time Spam Black list, collects SMTP session source and destination addresses from participating Mail Transfer Agents (MTAs) and applies statistics to identify spam-like traffic patterns. A credibility score is returned to the MTA, so it can throttle down or drop possibly unwanted traffic. While I find it questionable, the method might be useful when combined with traditional keyword analysis." What do you think? Is this snake oil, or is there something to this?
  • by Recovering Hater ( 833107 ) on Thursday January 25, 2007 @11:47AM (#17752510)
    I am going to say it anyway. Why can't people stop responding to spam in the first place? Is it too much to ask? If spammers made absolutely zero dollars for their efforts would they stop? Will Underdog be able to escape from the burning rubble in time? Tune in next week to find out in our next exciting adventure!
  • Re:Greylisting (Score:1, Interesting)

    by Anonymous Coward on Thursday January 25, 2007 @12:00PM (#17752754)
    No, it's not similar. Greylisting works by exploiting the fact that most spam MTAs aren't RFC-compliant and don't retry after temporary errors. Greylisting will certainly be worked around. Legitimate MTAs can get around it. The fact that many spam MTAs currently can't is a fixable bug.

    The proposed method looks at traffic patterns to find and block spammy MTAs. It does not rely on bugs in the MTAs.
  • by Pontus_Pih ( 1055656 ) on Thursday January 25, 2007 @12:05PM (#17752818)
    I was going to say... What would happen if we all started replying with the same auto generated mails? How would the spammers tell the difference from legit spam replies?
  • Re:sounds good to me (Score:5, Interesting)

    by GreggBz ( 777373 ) on Thursday January 25, 2007 @12:07PM (#17752832) Homepage
    The new breed of zombies have wised up to port 25 blocking / throttling and like to funnel everything through the MTA for the domain to which they are connected.

    A combination of policyd, postfix, spamassassin and ids/bandwidth accounting software has turned it into something manageable, at least where I work. Customers are allowed, say, 100 e-mails in a 30 minute time span. If they complain and have a real reason, we can adjust. This also makes finding users with pwned machines a lot easier.

    Some of them now (the spam zombies) seem to be moderating their outgoing connections so that it's not so obvious but their volume is still substantial. It just never ends...
  • by popo ( 107611 ) on Thursday January 25, 2007 @12:10PM (#17752882) Homepage
    ... and it's not dissimilar from greylisting from what I can tell, but I don't think it's going to be effective in the long term. Getting around this type of filter (or delay) seems relatively simple compared to the task of defeating the Bayesian filters over the past couple of years.

    The linchpin of greylisting is that legitimate mail will "try again" after being returned by the server, while spam will not. The conclusion (which we hope is true) is that any mail that is not re-sent was in fact spam. Never mind the danger that the assumption could be false and legitimate mail gets lost -- how long will it be before spammers simply "retry" their spam -- or worse -- just send everything twice?

    As with any attempt to modify behavior electronically -- behavior usually wins.
  • I am curious... (Score:3, Interesting)

    by localman ( 111171 ) on Thursday January 25, 2007 @12:12PM (#17752918) Homepage
    Are any of you people still living with spam? Do we really need another solution? I've found that a personally managed Bayesian filter is plenty good enough. I'm down from 700+ per day to 2-3 per day. I still dislike the fact that spam is out there, but I haven't actually had to deal with it in years. Has this not worked for other people? I mean, I do have to continue to feed the filter, but it's very little work. Nothing wrong with new ideas in the battle, but I thought that for anyone who cared it was already won.

    Cheers.
  • by fifedrum ( 611338 ) on Thursday January 25, 2007 @12:17PM (#17752992) Journal
    Yes, traffic shaping is effective in determining the nature of connections.

    I work for a small email company; we process millions of emails an hour inbound, but only a few million a day outbound.

    Our most effective filters are:

    connect/HELO restrictions: you can only get email into the environment if your IP address resolves to a FQDN.

    HELO restrictions: if you connect using X different HELO strings, you are blacklisted. Spambots often randomize the HELOs; this blocks those.

    Spamassassin at the client side, filtering email into various folders based on the score.

    antivirus server that filters the few viruses that make it in, and phishing is filtered too.

    The problem? All this doesn't catch enough of the spam. We still have loads of CPU dedicated to filtering spam, but something like this technique at the border will help, and I'll predict (based on experience watching the traffic and spam filtering graphs) that we could cut spam another 30% just by watching the curves and tightening the restrictions during those peaks.
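    An added illustration, not HexView's code and not anything a commenter posted: scoring a sending IP from session metadata alone, in the spirit of the summary's "credibility score", using fifedrum's randomized-HELO rule and GreggBz's 100-messages-per-30-minutes allowance as the features. The thresholds, IP addresses, session records and whitelist are all constructed assumptions.

```python
from collections import defaultdict
# Illustrative thresholds, not figures from the article; tune against real traffic.
MAX_HELOS_PER_SOURCE = 3     # more distinct HELO strings than this looks randomized
WINDOW_SECONDS = 30 * 60     # GreggBz's 30-minute accounting window ...
MAX_MSGS_PER_WINDOW = 100    # ... and his 100-message allowance per window
WHITELIST = {"203.0.113.5"}  # e.g. a known mailing-list host that is never penalized

# Constructed session metadata, envelope only: (seconds since start, source IP, HELO, recipient domain)
SESSIONS = (
    [(i * 600, "192.0.2.10", "mail.example.org", "a.example") for i in range(3)]
    + [(i * 15, "192.0.2.50", "bulk.example.com", f"c{i}.example") for i in range(110)]
    + [(i * 10, "198.51.100.7", f"h{i:03d}", f"d{i}.example") for i in range(120)]
    + [(i * 60, "203.0.113.5", "list.example.net", f"m{i}.example") for i in range(200)]
)
def summarize(sessions):
    """Group session records by source IP and collect the features we score on."""
    per_src = defaultdict(lambda: {"times": [], "helos": set(), "dests": set()})
    for t, src, helo, dest in sessions:
        per_src[src]["times"].append(t)
        per_src[src]["helos"].add(helo)
        per_src[src]["dests"].add(dest)
    return per_src

def peak_rate(times, window=WINDOW_SECONDS):
    """Most sessions from one source inside any sliding window of `window` seconds."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def credibility(sessions):
    """Map each source IP to a 0..100 credibility score; lower is more spam-like."""
    scores = {}
    for src, s in summarize(sessions).items():
        score, n = 100, len(s["times"])
        if src not in WHITELIST:
            if len(s["helos"]) > MAX_HELOS_PER_SOURCE:      # fifedrum's HELO rule
                score -= 50
            if peak_rate(s["times"]) > MAX_MSGS_PER_WINDOW:  # burst volume
                score -= 30
            if n >= 20 and len(s["dests"]) / n > 0.9:        # wide fan-out
                score -= 20
        scores[src] = max(score, 0)
    return scores
def action(score):
    """What the MTA does with the returned score: accept, throttle, or drop."""
    return "accept" if score >= 70 else "throttle" if score >= 40 else "drop"
```

    Note that the whitelisted list host and the legitimate low-volume host both score 100, the one-HELO bulk sender is throttled for its burst alone, and only the randomized-HELO source is dropped outright, which is the kind of separation the thread is arguing about.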
  • by MadTinfoilHatter ( 940931 ) on Thursday January 25, 2007 @12:27PM (#17753212)

    My (previous) ISP did this several years ago. I found out when I was making a computer for a friend. At the time (this was a few years ago) I didn't yet know just how quickly an unprotected Windows box is owned by viruses. I thought I'd be okay for the time it takes to download a firewall. 20 seconds later I got a popup that I recognized as an infection, so I shut down the machine, and tried to get the firewall / AV-software with my other machine instead - only to be greeted by a screen where my ISP informs me that "By the look of your outgoing traffic, it would seem that your machine has been turned into a spam-bot by a virus, and your account will be automatically unblocked 1 hour after the suspicious traffic stops." This was followed by some generic instructions for virus removal.

  • by cdrguru ( 88047 ) on Thursday January 25, 2007 @12:31PM (#17753288) Homepage
    The money in spam isn't from people buying stuff - it is from the silly advertiser thinking they can send their ads to millions of people for $1000. They do this and get a report back that says only 0.8% of the people opened the email.

    The spam-sending organization then shows them that they need to revise their message with a better subject line so more people opened the email. Another $1000 and more spam is sent, this time 0.7% of the people open the email.

    Continue this until the advertiser runs out of money. If you have enough contracts for sending spam it matters not a whit if anyone buys the stuff at all. It is only important that people pay for it to be sent.
  • by arthurpaliden ( 939626 ) on Thursday January 25, 2007 @01:10PM (#17754048)
    Is to have the ISP charge for email usage in the same way as you get charged for your cell phone usage.
  • by spectro ( 80839 ) on Thursday January 25, 2007 @01:14PM (#17754110) Homepage
    1. Company offering product or service hires spammer
    2. Spammer creates botnet by installing spyware in unsecured computers
    3. Botnet sends spam

    Pretty much any solution so far involves stopping step 3, the delivery, when the real problem lies in step 1; we need to find ways to stop step 1 from happening. Let's make hiring spammers a criminal offence, the same way "murder for hire" is. You can catch them by just having undercover officers order the product/service. I say let's make hiring a spammer to advertise a product or service a Criminal Offense punishable by jail. It will stop U.S. companies from hiring spammers. Then we put pressure on foreign governments to pass similar laws.
  • Won't work. (Score:3, Interesting)

    by Animats ( 122034 ) on Thursday January 25, 2007 @01:28PM (#17754358) Homepage

    Won't work. It just means the owners of zombie PCs get big bills.

  • Re:Problem (Score:3, Interesting)

    by Animats ( 122034 ) on Thursday January 25, 2007 @01:33PM (#17754452) Homepage

    The company I work for contracts with advertisers to send out bulk mailings to our opted-in users.

    And did they opt in by specifically requesting your mail, or implicitly as part of some other transaction? If it's the latter, you're a spammer. Die.

    If people really want your content, offer an RSS feed. If nobody subscribes to your feed, they didn't want your content.

  • Re:Obligatory (Score:3, Interesting)

    by Peter La Casse ( 3992 ) on Thursday January 25, 2007 @01:52PM (#17754834)

    This form is for ideas that have been thought of before and have been discredited, but I'm not convinced yet that this idea wouldn't work. Here are the biggest objections you raised:

    (x) Mailing lists and other legitimate email uses would be affected

    How? The method specifically mentions whitelisting, and only mailing lists or other "legitimate uses" (can't think of any myself) that involve thousands of recipients would be noticed by the proposed algorithm.

    (x) It is defenseless against brute force attacks

    All the usual anti-DOS strategies would work perfectly well here. The same statistics used to identify patterns can identify junk data sent by spammers to confuse the system. The closest thing to a "brute force attack" that would work would be for a spammer to use a bigger botnet and have each node send messages at a rate low enough to not be noticed. That's a significant victory for the rest of us.

    (x) It will stop spam for two weeks and then we'll be stuck with it

    What other methods counter this approach, and what stops people from dropping it if/when it stops working? (Note that the article discusses four attacks, two of which count as a win for the good guys and two of which have viable counterattacks.)

    (x) Why should we have to trust you and your servers?

    You don't have to trust them any more than you trust any other anti-spam service that provides data to your filtering algorithm.

    I don't claim that this method is good, but that the objections raised so far have not been very convincing.

  • Re:sounds good to me (Score:2, Interesting)

    by Anpheus ( 908711 ) on Thursday January 25, 2007 @01:54PM (#17754882)
    Qwest does this in a decidedly stupid fashion. Recently they detected a lot of SMTP traffic being spoofed as my email address (we don't even use their mailserver!) going through one of their servers and decided to drop our DSL. My father runs a few commercial websites for people and provides services through the DSL. We don't need much upload speed, so it works. Long story short, Qwest disconnected us after hours, and then refused repeatedly to connect us to anyone who could actually change our connection status. No port 25 blocking or throttling, just a full disconnect because somebody spoofed my email address and must have sent a good portion of spam with it. The mailserver that I use records a whopping twelve emails sent from me in the last five days. Connection was finally restored today, over thirteen hours later. Unacceptable.
  • Re:Won't work. (Score:3, Interesting)

    by metamatic ( 202216 ) on Thursday January 25, 2007 @02:03PM (#17755092) Homepage Journal
    It just means the owners of zombie PCs get big bills.

    That's not a bug, it's a feature.

    Right now, the costs caused by Windows insecurity are passed on to me even though I don't run Windows. Passing those costs on to the people causing them would be much fairer.

  • by TheRaven64 ( 641858 ) on Thursday January 25, 2007 @04:29PM (#17757640) Journal

    connect/HELO restrictions: you can only get email into the environment if your IP address resolves to a FQDN.
    Does this actually do anything? I just checked and my (residential) cable modem IP resolves forwards and backwards. Since most spam is sent by zombies on similar connections, won't they all resolve?
  • by cyberscan ( 676092 ) * on Thursday January 25, 2007 @05:56PM (#17758992) Homepage
    One can come up with all kinds of tricks to filter spam; however, the problem still remains. Spam will continue as long as it is profitable. There are too many "puppies in a barrel" for a spammer to choose from. After many, many years of prodding, many people have finally gotten an antivirus program, yet they neglect to download or purchase virus database updates. Many people spend time and effort to ensure that their computers are malware free, yet their router retains the default username and admin password. Spammers have programs that allow people to try to log in to these routers and use their embedded telnet commands to send spam without the knowledge of the computer owner or any program residing on their computer. The point is that the Internet can be compared more to "Swiss cheese" than to the "series of tubes" that the politicians use. There are many, many points of attack for spammers to use.

    Filtering spam is much akin to a person who holds his or her hands in front of his or her face while a bully is pummeling him or her. The person is likely to fend off blows from the bully, but some of the blows will get through. Once a spam is sent, even if properly filtered, the damage has already been done. Until very recently, all I had in my area was dialup. My program successfully filtered about 99% of the spam received; however, I still had to wait about 30 minutes before I was able to view my legitimate mail. I lost 30 minutes of time that I could have spent working on a client's problem, while the spammer lost nothing. I also lost a client because a program that I previously used labeled the email he sent me as spam. Again the spammer who spammed me lost nothing. Spammers are like bullies; they will not stop until people HIT BACK!

    It is only when spammers have to deal with the large amount of bandwidth used, the processing power to handle complaints, and the loss of sales that result from efforts to filter complaints that spam will be much less profitable. The idea is to punch back and deter the bully. Sending complaints to the spammers' websites gets them at their weak point - the place where they make contact with potential buyers. Several programs have attempted to hit back, and 2 of them were very successful in doing so. However, like spammers, these programs had a weak point, and that point was the fact that they needed a central server in order to instruct each individual program. Now things are different. There are several projects currently underway to trade complaint instruction files via peer to peer networks. What this means is that there is no central server which spammers can attack in order to silence complaints to their websites. One such project is called SpammerSkewer, and it is an open source GPL program that is in alpha. The program can be found at http://spammerskewer.sourceforge.net/ [sourceforge.net] .

    It is also important to note that these new programs are not distributed denial of service programs. As for SpammerSkewer, it only receives instructions on how to complain. It does not initiate complaints. Only a user can initiate a complaint by either bringing up the complaint interface or by dragging an email into SpammerSkewer's spam directory. It is the spammer who determines how many complaints are submitted to their websites. SpammerSkewer's author even provides a way for spammers to "opt out" from receiving complaints if they insert a header clearly labeling their email as spam. Another way they can opt out is by not sending spam in the first place. In a distributed denial of service attack, a person other than the one who controls a victim's website is the one that controls how many visits a site receives. With SpammerSkewer, it is the spammer who sends out the spam that determines how many visits a site advertised via spam gets. The only sites that are put in SpammerSkewer's instruction files are those well known to be advertised via spam. Instruction files are also cryptographically signed in order to prevent tampering. I
