Slashdot Mirror

← Back to Stories (view on slashdot.org)

Catching Spam by Looking at Traffic, Not Content

Posted by Zonk on from the content-sniffing-doesn't-work-anyway dept.

AngryDad writes "HexView has proposed a method to deal with spam without scanning actual message bodies. The method is based solely on traffic analysis. They call it STP (Source Trust Prediction). A server, like a Real-time Spam Black list, collects SMTP session source and destination addresses from participating Mail Transfer Agents (MTAs) and applies statistics to identify spam-like traffic patterns. A credibility score is returned to the MTA, so it can throttle down or drop possibly unwanted traffic. While I find it questionable, the method might be useful when combined with traditional keyword analysis." What do you think? Is this snake oil, or is there something to this?

2 of 265 comments (clear)

  1. this and other effective weapons by fifedrum · · Score: 5, Interesting

    yes, traffic shaping is effective in determining the nature of connections

    I work for a small email company we process millions of emails an hour inbound, but only a few million a day outbound.

    Our most effective filters are:

    connect/HELO restrictions: you can only get email into the environment if your IP address resolves to a FQDN.

    HELO restrictions: if you connect using X different HELO strings, you are blacklisted. Spambots often randomize the helos, this blocks those.

    Spamassassin at the client side, filtering email into various folders based on the score.

    antivirus server that filters the few viruses that make it in, and phishing is filtered too.

    The problem? All this doesn't catch enough of the spam. We still have loads of CPU dedicated to filtering spam, but something like this technique at the border will help, and I'll predict (based on experience watching the traffic and spam filtering graphs) that we could cut spam another 30% just by watching the curves and tightening the restrictions during those peaks.

  2. Has been done for a long time. by MadTinfoilHatter · · Score: 5, Interesting

    My (previous) ISP did this several years ago. I found out when I was making a computer for a friend. At the time (this was a few years ago) I didn't yet know just how quickly an unprotected windows-box is owned by viruses. I thought I'd be okay for the time it takes to download a firewall. 20 seconds later I got a popup that I recognized as an infection, so I shut down the machine, and tried to get the firewall / AV-software with my other machine instead - only to be greeted by a screen where my ISP informs me that "By the look of your outgoing traffic, it would seem that your machine has been turned into a spam-bot by a virus, and your account will be automatically unblocked 1 hour after the suspicious traffic stops." This was followed by some generic instructions for virus removal.