Lightweight Client-Side Methods for Detecting Email Forgery

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7690)

Abstract

We examine a related, but distinct, problem to spam detection. Instead of trying to decide if email is spam or ham, we try to determine if email purporting to be from a known correspondent actually comes from that person – this may be seen as a way to address a class of targeted email attacks. We propose two methods, geolocation and stylometry analysis. The efficacy of geolocation was evaluated using over 73,000 emails collected from real users; stylometry, for comparison with related work from the area of computer forensics, was evaluated using selections from the Enron corpus. Both methods show promise for addressing the problem, and are complementary to existing anti-spam techniques. Neither requires global changes to email infrastructure, and both are done on the email client side, a practical means to empower end users with respect to security. Furthermore, both methods are lightweight in the sense that they leverage existing information and software in new ways, instead of needing massive deployments of untried applications.



Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lin, E., Aycock, J., Mannan, M. (2012). Lightweight Client-Side Methods for Detecting Email Forgery. In: Lee, D.H., Yung, M. (eds) Information Security Applications. WISA 2012. Lecture Notes in Computer Science, vol 7690. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35416-8_18

  • DOI: https://doi.org/10.1007/978-3-642-35416-8_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35415-1

  • Online ISBN: 978-3-642-35416-8

  • eBook Packages: Computer Science, Computer Science (R0)
