Slashdot Mirror


Catching Spam by Looking at Traffic, Not Content

AngryDad writes "HexView has proposed a method to deal with spam without scanning actual message bodies. The method is based solely on traffic analysis. They call it STP (Source Trust Prediction). A server, like a Real-time Spam Blacklist, collects SMTP session source and destination addresses from participating Mail Transfer Agents (MTAs) and applies statistics to identify spam-like traffic patterns. A credibility score is returned to the MTA, so it can throttle down or drop possibly unwanted traffic. While I find it questionable, the method might be useful when combined with traditional keyword analysis." What do you think? Is this snake oil, or is there something to this?

8 of 265 comments

  1. sounds good to me by seanadams.com · · Score: 5, Insightful

    I realize most of us here would ordinarily prefer for our ISPs to just move bits around, but it seems like they are in a pretty good position to curb spam if they were to start looking at traffic patterns like this. If some DSL customer suddenly starts opening hundreds of outgoing SMTP connections, that would be a pretty reliable sign that his machine is pwned. Just block or throttle port 25, and send the customer an email telling him to fix his computer, and keep it blocked until he does - or he contacts abuse@ with a legitimate explanation. Not filtering based on the contents of the data should let them maintain plausible deniability and common carrier status.

    We can't do this on our personal or company internet connections because we only see individual messages coming from many different IPs, but on the other end of the connection, or even at the backbone level, this strikes me as a pretty solid solution. They could even just tag the packets with the evil bit and let us decide if we want to filter them or not.

  2. Re:This is painfully obvious and hopelessly naive by jimicus · · Score: 5, Funny

    As soon as you've found a way to get that message through effectively to 100% of the population, do let us know.

  3. I'll never stop by diskofish · · Score: 5, Funny

    Where else would I get my Viagra from?

  4. The problem with this by wiredog · · Score: 5, Insightful

    Mailing lists. How does it not tag a server that sends out mail to a list as a spammer?

  5. Re:This is painfully obvious and hopelessly naive by Grey+Ninja · · Score: 5, Funny

    We could try mass mailing them. I've had some success with that in the past. =)

  6. OPPOTUNITY. == DISCRETION REQUIRED == by Anonymous Coward · · Score: 5, Funny

    SIR,

    OUR TECHNOLOGY DEPARTMENT HAS COME UP WITH A GREAT OPPUTUNITY TO STOP ALL YOUR SPAM. THIS TECHNOLOGY IS CALLED source Trust Prediction (STP). IT WORKS BASED ON identifying patterns and trends in real time AND IN THIS WAY PREVENT SPAM. HOWEVER TO MAKE PROFIT FROM THIS NEW TECHNOLOGYY WE NEED TO DO A PATENT APPLICATION. YOUR NAME CAME FORWARD AS AN EXCELLENT INVESTOR FOR THIS. WITH THE CURRENT RISE OF SPAM THIS TECH WILL BE REQUIRED QUICKLY BY A LOT OF PEOPLE.

    I am only contacting you as a foreigner, I will use my influence to
    effect legal approvals and onward transfer into your account At the
    conclusion of this business, you will be given 50% of the total
    PROFITS, 50% will be for me and my family AFTER DEDUCTION OF THE PATENT COSTS
    . I await to hear from you.

    Yours truly,

    Mr.Barry Leoard.

    FNB OF SOUTH AFRICA
    THIS
    IS MY PRIVATE EMAIL ADDRESS, YOU CAN SEND YOUR REPLY HERE:-
    barryleonard@walla.com

  7. this and other effective weapons by fifedrum · · Score: 5, Interesting

    yes, traffic shaping is effective in determining the nature of connections

    I work for a small email company; we process millions of emails an hour inbound, but only a few million a day outbound.

    Our most effective filters are:

    connect/HELO restrictions: you can only get email into the environment if your IP address resolves to an FQDN.

    HELO restrictions: if you connect using X different HELO strings, you are blacklisted. Spambots often randomize the HELOs; this blocks those.

    Spamassassin at the client side, filtering email into various folders based on the score.

    antivirus server that filters the few viruses that make it in, and phishing is filtered too.

    The problem? All this doesn't catch enough of the spam. We still have loads of CPU dedicated to filtering spam, but something like this technique at the border will help, and I'll predict (based on experience watching the traffic and spam filtering graphs) that we could cut spam another 30% just by watching the curves and tightening the restrictions during those peaks.
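The two traffic-only signals raised in this thread, a host opening a burst of SMTP connections (comment 1) and a source cycling through different HELO strings (comment 7), can be scored from connection metadata alone, without looking at message bodies. The following is an added example, not code from HexView or from either poster; the log records, thresholds and verdict names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of SMTP connection records (timestamp, source IP, HELO string).
# Not real log data: 203.0.113.5 is a normal sender, 198.51.100.9 randomizes its
# HELO on every connection, and 192.0.2.77 opens a burst of 30 connections in 30 s.
SAMPLE_RECORDS = [
    ("2024-01-01T10:00:00", "203.0.113.5", "mail.example.net"),
    ("2024-01-01T10:05:00", "203.0.113.5", "mail.example.net"),
    ("2024-01-01T10:00:07", "198.51.100.9", "xk3q9.invalid"),
    ("2024-01-01T10:00:08", "198.51.100.9", "p0q2z.invalid"),
    ("2024-01-01T10:00:09", "198.51.100.9", "mm77a.invalid"),
    ("2024-01-01T10:00:10", "198.51.100.9", "zzqe1.invalid"),
] + [("2024-01-01T10:00:%02d" % s, "192.0.2.77", "host.example.org") for s in range(10, 40)]


def peak_connections(timestamps, window_seconds):
    """Largest number of connections from one source inside any sliding window."""
    times = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_sources(records, window_seconds=60, max_helos=3, max_conns=20):
    """Per source IP: distinct HELO count, peak connection rate and a verdict.
    Hypothetical policy: >max_helos distinct HELOs -> blacklist (randomized HELO);
    >max_conns connections in window_seconds -> throttle; otherwise ok."""
    helos = defaultdict(set)
    times = defaultdict(list)
    for ts, ip, helo in records:
        helos[ip].add(helo.lower())
        times[ip].append(datetime.fromisoformat(ts))
    result = {}
    for ip in helos:
        n_helo = len(helos[ip])
        peak = peak_connections(times[ip], window_seconds)
        if n_helo > max_helos:
            verdict = "blacklist"
        elif peak > max_conns:
            verdict = "throttle"
        else:
            verdict = "ok"
        result[ip] = {"helos": n_helo, "peak_conns": peak, "verdict": verdict}
    return result
```

Note that a legitimate list server trips the connection-rate rule too (comment 4's objection), so in practice the throttle verdict would be combined with allow-listing or a reputation feed rather than acted on alone.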

  8. Has been done for a long time. by MadTinfoilHatter · · Score: 5, Interesting

    My (previous) ISP did this several years ago. I found out when I was making a computer for a friend. At the time (this was a few years ago) I didn't yet know just how quickly an unprotected Windows box is owned by viruses. I thought I'd be okay for the time it takes to download a firewall. 20 seconds later I got a popup that I recognized as an infection, so I shut down the machine, and tried to get the firewall / AV software with my other machine instead - only to be greeted by a screen where my ISP informs me that "By the look of your outgoing traffic, it would seem that your machine has been turned into a spam-bot by a virus, and your account will be automatically unblocked 1 hour after the suspicious traffic stops." This was followed by some generic instructions for virus removal.