Slashdot Mirror


Stopping Spam Before It Hits the Mail Server

Al writes "A team of researchers at the Georgia Institute for Technology say they have developed a way to catch spam before it even arrives on the mail server. Instead of bothering to analyze the contents of a spam message, their software, called SNARE (Spatio-temporal Network-level Automatic Reputation Engine), examines key aspects of individual packets of data to determine whether it might be spam. The team, led by assistant professor Nick Feamster, analyzed 2.5 million emails collected by McAfee in order to determine the key packet characteristics of spam. These include the geodesic proximity of end mail servers and the number of ports open on the sending machine. The approach catches spam 70 percent of the time, with a 0.3 false positive rate. Of course, revealing these characteristics could also allow spammers to fake their packets to avoid filtering."

8 of 157 comments

  1. It'll work..except when it doesn't. by MrCrassic · · Score: 3, Interesting

    I'll go first.

    All spammers have to do is change the characteristics of the message. It's always going to be a cat and mouse game, just like antivirus and antispyware, so saying that they've found THE solution to blocking spam from hitting the server is slightly irresponsible.

    1. Re:It'll work..except when it doesn't. by ByOhTek · · Score: 2, Interesting

      Unless they use a truly novel approach of stopping spam before it hits the server.

      I suggest an AK-47.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
  2. I don't get it... by KC7GR · · Score: 1, Interesting

    Why do we need a crazily complex scheme like this when a simple entry in your router's 'Deny' list (for the source IP of the spam) has the same end effect?

    Given the spew pouring out of the IP space of China, LACNIC, and Russia, blocking in such a manner appears to be near-lossless compression.

    --
    Bruce Lane, KC7GR,
    Blue Feather Technologies

    1. Re:I don't get it... by Lennie · · Score: 2, Interesting

      Many have found, if you're outside the US, blocking the US is much more effective than blocking China and Russia.

      --
      New things are always on the horizon
  3. Is that really a practical trade-off? by damn_registrars · · Score: 2, Interesting

    It sounds like this approach would be fairly CPU intensive; analyzing the characteristics of packets, comparing them to other packets, looking for information on their originating systems, etc... It seems like they are throwing a non-trivial amount of computational time at the problem in order to spare the storage space that would be otherwise taken up by spam.

    And of course as others have already pointed out, this just starts another round of whac-a-mole by pursuing this avenue.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  4. Re:False positive rate? by raju1kabir · · Score: 2, Interesting

    Help me here... Personally I would think that if 10 is 100% 0.3 is less than 1 mail. And not 3 out of 10.

    .3 is 300 out of 1000.

    .3% is 3 out of 1000.

    It's similar to the confusion created when idiots write "It only costs me .25 cents to make a phone call" when they really mean ".25" or "25 cents".

    --
    "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
  5. Re:"IP addresses, he notes, are easy to fake." by girlintraining · · Score: 2, Interesting

    oh ye of little knowledge.

    If I compromise any layer 2 device on any network between you and the destination, not only can I fake the address, I can have it doing 480 spins in a pink tutu. Have you read any of the reports from the major network access points around the world? Bogus packets pass through them all the time. They even have a name for them -- martian packets.

    --
    #fuckbeta #iamslashdot #dicemustdie
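The two network-level ideas raised above, KC7GR's router 'Deny' list keyed on the source IP and girlintraining's martian packets (source addresses that should never appear on the public Internet), both amount to screening a connection by its address before any message content is read. The following is an added example, not code from the article or from the SNARE project; the deny-list prefixes, the martian ranges and the connection log lines are constructed, and the documentation ranges (192.0.2.0/24 and friends) stand in for ordinary public addresses.

```python
"""Screen inbound SMTP connection sources by IP address, before the message body
is accepted.  Two checks, both purely at the address level:

  1. a deny list of source prefixes (the "router Deny list" approach), and
  2. a martian check: private, loopback, link-local, multicast, unspecified or
     reserved source addresses cannot legitimately reach a public mail server,
     so a packet claiming such a source is bogus (spoofed or mis-routed).
"""
import ipaddress

# Constructed deny list (example prefixes only, not a real blocklist).
DENY_LIST = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

# Martian ranges listed explicitly (RFC 1918, loopback, link-local, multicast,
# "this" network, class E, and their IPv6 counterparts) rather than relying on
# ipaddress.is_private, which also flags the documentation ranges used below.
MARTIAN_NETS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]


def is_martian(addr_str: str) -> bool:
    """True if the address can never be a valid public Internet source."""
    addr = ipaddress.ip_address(addr_str)
    # 'in' is False for a mismatched IP version, so mixing v4/v6 nets is safe.
    return any(addr in net for net in MARTIAN_NETS)


def is_denied(addr_str: str) -> bool:
    """True if the address falls inside a deny-listed prefix."""
    addr = ipaddress.ip_address(addr_str)
    return any(addr in net for net in DENY_LIST)


def classify_source(addr_str: str) -> str:
    """Return 'martian', 'denied' or 'accept' for one source address."""
    if is_martian(addr_str):
        return "martian"
    if is_denied(addr_str):
        return "denied"
    return "accept"


# Constructed MTA connection log: "<timestamp> connect from <ip>".
SAMPLE_LOG = """\
2009-06-01T10:00:01 connect from 192.0.2.10
2009-06-01T10:00:02 connect from 10.0.0.5
2009-06-01T10:00:03 connect from 203.0.113.77
2009-06-01T10:00:04 connect from 127.0.0.1
2009-06-01T10:00:05 connect from 2001:db8::1
2009-06-01T10:00:06 connect from not-an-ip
"""


def screen_log(log_text: str) -> dict:
    """Map each source seen in the log to its verdict."""
    verdicts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1:3] != ["connect", "from"]:
            continue  # not a connect line; ignore
        ip = parts[3]
        try:
            verdicts[ip] = classify_source(ip)
        except ValueError:  # unparsable address in the log
            verdicts[ip] = "invalid"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in screen_log(SAMPLE_LOG).items():
        print(f"{ip:16} {verdict}")
```

The martian check costs one list scan per connection and needs no reputation data at all, which is why it belongs in front of any content filter; the deny list is the part that needs curation, and as Lennie's reply notes, which prefixes earn a place on it depends on where you sit.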
  6. Even Better by nixdroid · · Score: 1, Interesting

    A few years ago the company I worked for came under an email DoS attack that bogged down our Exchange server to the point that it took about 10 hours for a legitimate email to get through. The Windows admins tried all 10 spam settings with no effect. I put a Linux box running SpamAssassin in front of the Exchange server and within a couple of hours the delivery time dropped to about 10 seconds. Products like SpamAssassin are essentially dynamic filters that can and do get fresh filter information as often as you like. This case was a dictionary attack and we got rid of the vast majority of the spam by the simple expedient of deleting anything that wasn't addressed to a legitimate account. As another poster noted, most spam filtering methods are just educated guessing. Rely on one that is educable.

    --
    -- Consensus - 50% probability that the majority are wrong.
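The "delete anything that wasn't addressed to a legitimate account" step nixdroid describes is recipient validation at SMTP time: a dictionary attack guesses local parts, so checking RCPT TO against the real account list rejects most of it before any body is accepted, and the count of rejected recipients per source is a ready-made detection signal. The following is an added example, not the poster's setup or SpamAssassin code; the domain, the account list, the threshold and the session log lines are all constructed.

```python
"""Validate SMTP recipients against the list of real local mailboxes and flag
sources that guess many bad addresses (the dictionary-attack pattern)."""
from collections import Counter

LOCAL_DOMAIN = "example.com"                      # assumed local domain
VALID_ACCOUNTS = {"alice", "bob", "postmaster"}   # constructed account list


def rcpt_accepted(recipient: str) -> bool:
    """True if the recipient is an existing mailbox in our domain.

    The local part is compared case-insensitively, which is what nearly every
    real mail system does even though RFC 5321 permits case-sensitivity.
    """
    local, sep, domain = recipient.rpartition("@")
    if not sep or domain.lower() != LOCAL_DOMAIN:
        return False  # foreign domain: we are not an open relay
    return local.lower() in VALID_ACCOUNTS


# Constructed SMTP session log: "<source ip> RCPT TO:<address>".
SAMPLE_RCPT_LOG = """\
192.0.2.10 RCPT TO:<alice@example.com>
192.0.2.10 RCPT TO:<bob@example.com>
203.0.113.5 RCPT TO:<aaron@example.com>
203.0.113.5 RCPT TO:<abby@example.com>
203.0.113.5 RCPT TO:<adam@example.com>
203.0.113.5 RCPT TO:<alice@example.com>
203.0.113.5 RCPT TO:<alina@example.com>
198.51.100.9 RCPT TO:<Bob@Example.com>
198.51.100.9 RCPT TO:<carol@other.example>
"""


def process_log(log_text: str, reject_threshold: int = 3):
    """Return (decisions, suspect_sources).

    decisions: list of (source ip, recipient, SMTP reply) in log order.
    suspect_sources: sources with at least `reject_threshold` rejected recipients,
    i.e. the ones behaving like a dictionary attack.
    """
    decisions = []
    rejects = Counter()
    for line in log_text.splitlines():
        ip, _, rest = line.partition(" RCPT TO:")
        if not rest:
            continue  # not a RCPT line
        rcpt = rest.strip().strip("<>")
        ok = rcpt_accepted(rcpt)
        decisions.append((ip, rcpt, "250 OK" if ok else "550 5.1.1 No such user"))
        if not ok:
            rejects[ip] += 1
    suspects = sorted(ip for ip, n in rejects.items() if n >= reject_threshold)
    return decisions, suspects


if __name__ == "__main__":
    decisions, suspects = process_log(SAMPLE_RCPT_LOG)
    for ip, rcpt, reply in decisions:
        print(f"{ip:14} {rcpt:28} {reply}")
    print("dictionary-attack suspects:", suspects)
```

Rejecting at RCPT time (a 550 before DATA) is what makes this cheap: the server never stores the body, and a source that racks up rejections can be rate-limited or handed to the address screening step for the rest of the attack.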