Inferring Spammers in the Network Core

  • Dominik Schatzmann
  • Martin Burkhart
  • Thrasyvoulos Spyropoulos
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5448)


Despite a large amount of effort devoted in the past years trying to limit unsolicited mail, spam is still a major global concern. Content-analysis techniques and blacklists, the most popular methods used to identify and block spam, are beginning to lose their edge in the battle. We argue here that one not only needs to look into the network-related characteristics of spam traffic, as has been recently suggested, but also to look deeper into the network core, to counter the increasing sophistication of spammers. At the same time, local knowledge available at a given server can often be irreplaceable in identifying specific spammers.

To this end, in this paper we show how the local intelligence of mail servers can be gathered and correlated passively, scalably, and with low-processing cost at the ISP-level providing valuable network-wide information. First, we use a large network flow trace from a major national ISP, to demonstrate that the pre-filtering decisions and thus spammer-related knowledge of individual mail servers can be easily and accurately tracked and combined at the flow level. Then, we argue that such aggregated knowledge not only allows ISPs to monitor remotely what their “own” servers are doing, but also to develop new methods for fighting spam.


Network Core Collaborative Filter Acceptance Ratio Internal Server Mail Server 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    IRONPORT: 2008 internet security trends,
  2. 2.
    Harris, E.: The next step in the spam control war: Greylisting (2003)Google Scholar
  3. 3.
    SpamCop: Spamcop blocking list,
  4. 4.
    Spamhaus: The spamhaus block list,
  5. 5.
    Wong, M., Schlitt, W.: Sender Policy Framework (SPF). RFC 4408Google Scholar
  6. 6.
    Ramachandran, A., Dagon, D., Feamster, N.: Can DNS-based blacklists keep up with bots. In: Conference on Email and Anti-Spam, CEAS 2006 (2006)Google Scholar
  7. 7.
    Duan, Z., Gopalan, K., Yuan, X.: Behavioral Characteristics of Spammers and Their Network Reachability Properties. In: IEEE International Conference on Communications, ICC 2007 (2007)Google Scholar
  8. 8.
    Ramachandran, A., Feamster, N., Vempala, S.: Filtering Spam with Behavioral Blacklisting. In: ACM conference on Computer and Communications Security, CCS 2007 (2007)Google Scholar
  9. 9.
    Beverly, R., Sollins, K.: Exploiting Transport-Level Characteristics of Spam. In: CEAS 2008 (2008)Google Scholar
  10. 10.
    Clayton, R.: Using Early Results from the spamHINTS. In: CEAS 2006 (2006)Google Scholar
  11. 11.
    Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: Clustering Analysis of Network Traffic for Protocol-and Structure-Independent Botnet Detection. In: USENIX Security Symposium (July 2008)Google Scholar
  12. 12.
    Syed, N.A., Feamster, N., Gray, A., Krasser, S.: Snare: Spatio-temporal network-level automatic reputation engine. Technical Report GT-CSE-08-02, Georgia Tech. (2008)Google Scholar
  13. 13.
    Desikan, P., Srivastava, J.: Analyzing network traffic to detect e-mail spamming machines. In: ICDM Workshop on Privacy and Security Aspects of Data Mining (2004)Google Scholar
  14. 14.
    Gomes, L.H., Almeida, R.B., Bettencourt, L.M.A., Almeida, V., Almeida, J.M.: Comparative Graph Theoretical Characterization of Networks of Spam and Legitimate Email. Arxiv physics/0504025 (2005)Google Scholar
  15. 15.
    SWITCH: The swiss education and research network,
  16. 16.
    Gomes, L.H., Cazita, C., Almeida, J.M., Almeida, V., Meira, W.: Characterizing a spam traffic. In: ACM SIGCOMM conference on Internet measurement, IMC 2004 (2004)Google Scholar
  17. 17.
    Fawcett, T.: An introduction to roc analysis. Pattern Recognition Letters 27 (2006)Google Scholar
  18. 18.
    Schatzmann, D., Burkhart, M., Spyropoulos, T.: Flow-level characteristics of spam and ham. Technical Report 291, Computer Engineering and Networks Laboratory, ETH Zurich (2008)Google Scholar
  19. 19.
    Ramachandran, A., Seetharaman, S., Feamster, N., Vazirani, V.: Fast monitoring of traffic subpopulations. In: ACM SIGCOMM Conference on Internet Measurement, IMC 2008 (2008)Google Scholar
  20. 20.
    Klensin, J.: Simple mail transfer protocol. RFC 2821 (April 2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Dominik Schatzmann
    • 1
  • Martin Burkhart
    • 1
  • Thrasyvoulos Spyropoulos
    • 1
  1. 1.Computer Engineering and Networks LaboratoryETH ZurichSwitzerland

Personalised recommendations