Team Excel

About This Presentation

Title:

Description:

Number of Views:26

Avg rating:3.0/5.0

Slides: 18

Provided by: hoad3

Learn more at: https://users.cs.northwestern.edu

Category:

Tags: excel | harvesters | team

Transcript and Presenter's Notes

Title: Team Excel

1
Team Excel

2
Spam Offense Team Excel

Image SourceAppscout.com
3
Emails Misdirected into Honeypot

Typos can happen!
Image Source Apple.com
4
Primary Country Data is Misleading

Number of SMAM messages is not normalized against
number of legitate messages
While China has a large number of SPAM messages,
it also has the 2nd largest number of online
Internet users
SPAM is a problem in China AND the U.S.

Table 1 Top Spam Networks
Example Internet Population
Source InternetWorldStats.com
5
Route Stability

Route stability to determine whether or not a
message is spam will be difficult and may result
in false positives.
The short lived IP subnets, could be due to
flapping of Internet links in which BGP is
flushing/adding/then flushing the route.

Global Internet Threat The Backhoe
Fiber Map Route Frequency
Source Wired.com and Benmautner.com
6
Black Lists

Blacklisting an entire AS runs the risk of
blocking legitimate traffic and/or legitimate
email
Blocking an IP address or group of IPs,
especially in the case when NAT is used, could
result in blocking legitimate mail

Image Source Bonq.org
7
Email ISP Selection

The trace file of "legitimate email" from an ISP
could be partial to particular ISPs, depending on
who the customers of the ISP communicate with
The demographics of the sample data may play a
part in why email is seen from certain ISPs
Comparing "legitimate email" from an ISP,
provides little value in comparison to the "SPAM
email" sample

8
Incomplete Data by Country

The data is not normalized. Saying Korea and
China produce the most SPAM, may be true, however
the total amount of email messages processed
(both good and SPAM) is not given
It is possible China produces 10 times more email
than other countries since the population is much
higher
When normalized it is possible the percent of
SPAM vs. non-SPAM is lower in China than other
countries

9
DNS registration Methodology

Using DNS name lookup only to collect spam limits
the scope and type of spam received, such as mail
received from Harvesters and mailing lists, thus
limiting spammer capability types.

10
BotNet

The generalization of Bobax data across all
botnets will generate misleading results
Behavior may be different

11
Spammers sending limited messages

The conclusion that hosts send finite messages to
the sinkhole may be a symptom of the behavior of
the sinkhole rather than the behavior of the
botnet

12
Route based spam detection

Route based spam detection is limited correlating
route behavior to spam
There are many reasons for short lived routes, so
detection of spam by detecting short lived routes
will need to be used in conjunction with other
methods to detect spam

13
Spam Filters

What is the likely-hood of network level filters
blocking legitimate e-mail?
What if a corporation makes a change to their MX
records will their technique cause issues?
Most corporate filters allow some spam through
vs. risk blocking legitimate e-mail

14
Destination Security

The results of the study could be flawed due to
security measures on the Internet
The researchers attempts to trace back to hosts,
may have been blocked by access-lists on routers,
and/or firewalls
It is also conceivable the "hijack" of the botnet
they performed may of caused other ISPs to
"blacklist" the researchers thinking they were
possible Spammers

15
Intelligent Spammers