Router-level spam filtering using TCP fingerprints: Architecture and measurement-based evaluation

Holly Esquivel, Tatsuya Mori, Aditya Akella

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

11 Citations (Scopus)

Abstract

Email spam has become costly and difficult to manage in recent years. Many of the mechanisms used for controlling spam are located at local SMTP servers and end-host machines. These mechanisms can place a significant burden on mail servers and end-host machines as the number of spam messages received continues to increase. We propose a preliminary architecture that applies spam detection filtering at the router level using light-weight signatures for spam senders. We argue for using TCP headers to develop fingerprint signatures that can be used to identify spamming hosts based on the specific operating system and version from which the email is sent. These signatures are easy to compute in a light-weight, stateless fashion. More importantly, only a small amount of fast router memory is needed to store the signatures that contribute a significant portion of spam. We present simple heuristics and architectural enhancements for selecting signatures which result in a negligible false positive rate. We evaluate the effectiveness of our approach on data sets collected simultaneously at two different vantage points, the University of Wisconsin-Madison and a corporation in Tokyo, Japan, over a one-month period. We find that by targeting 100 fingerprint signatures, we can reduce the amount of received spam by 28-59% with a false positive ratio of less than 0.05%. Thus, our router-level approach works effectively to decrease the workload of subsequent anti-spam filtering mechanisms, such as DNSBL lookups and content filtering. Our study also leverages the AS numbers of spam senders to discover the origin of the majority of spam seen in our data sets. This information allows us to pinpoint effective network locations at which to place our router-level spam filters to stop spam close to the source.
As a byproduct of our study, the extracted TCP fingerprints reveal signatures which originate all over the world but only send spam, indicating the potential existence of global-scale spamming infrastructures.

Original language: English
Title of host publication: 6th Conference on Email and Anti-Spam, CEAS 2009
Publisher: Conference on Email and Anti-Spam, CEAS
Publication status: Published - 2009
Externally published: Yes
Event: 6th Conference on Email and Anti-Spam, CEAS 2009 - Mountain View, CA
Duration: 2009 Jul 16 - 2009 Jul 17

Other

Other: 6th Conference on Email and Anti-Spam, CEAS 2009
City: Mountain View, CA
Period: 09/7/16 - 09/7/17


ASJC Scopus subject areas

  • Software

Cite this

Esquivel, H., Mori, T., & Akella, A. (2009). Router-level spam filtering using TCP fingerprints: Architecture and measurement-based evaluation. In 6th Conference on Email and Anti-Spam, CEAS 2009. Conference on Email and Anti-Spam, CEAS.
