Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2008/04/18 13:04:41 UTC

good stuff to read (and one possible issue)

http://www.usenix.org/event/leet08/tech/full_papers/nelson/nelson_html/

  Abstract: Using statistical machine learning for making security decisions
  introduces new vulnerabilities in large scale systems. This paper shows
  how an adversary can exploit statistical machine learning, as used in the
  SpamBayes spam filter, to render it useless--even if the adversary's
  access is limited to only 1% of the training messages. We further
  demonstrate a new class of focused attacks that successfully prevent
  victims from receiving specific email messages. Finally, we introduce two
  new types of defenses against these attacks.

as the paper notes, our BAYES_* rules are very similar to SpamBayes'
approach.  haven't read it yet.


http://www.usenix.org/event/leet08/tech/full_papers/zhuang/zhuang_html/

  Abstract:

  We develop new techniques to map botnet membership using traces of spam
  email. To group bots into botnets we look for multiple bots participating
  in the same spam email campaign. We have applied our technique against a
  trace of spam email from Hotmail Web mail services. In this trace, we have
  successfully identified hundreds of botnets. We present new findings about
  botnet sizes and behavior while also confirming other researcher's
  observations derived by different methods [1,15]. 


http://www.usenix.org/event/leet08/tech/full_papers/kreibich/kreibich_html/

  In this paper, we explore a new methodology--distribution
  infiltration--for measuring spam campaigns from the inside. This approach
  is motivated by the observation that as spammers have migrated from open
  relays and open proxies to more complex malware-based ``botnet'' email
  distribution, they have unavoidably opened their infrastructure to outside
  observation. By hooking into a botnet's command-and-control (C&C)
  protocol, one can infiltrate a spammer's distribution platform and measure
  spam campaigns as they occur.

  In particular, we present an initial analysis of spam campaigns conducted
  by the well-known Storm botnet, based on data we captured by infiltrating
  its distribution platform. We first look at the system components used to
  support spam campaigns. These include a work queue model for distributing
  load across the botnet, a modular campaign framework, a template language
  for introducing per-message polymorphism, delivery feedback for target
  list pruning, per-bot address harvesting for acquiring new targets, and
  special test campaigns and email accounts used to validate that new spam
  templates can bypass filters. We then also look at the dynamics of how
  such campaigns unfold. We analyze the address lists to characterize the
  targeting of different campaigns, delivery failure rates (a metric of
  address list ``quality''), and estimated total campaign sizes as
  extrapolated from a set of samples. From these estimates, one such
  campaign--focused on perpetuating the botnet itself--spewed email to
  around 400 million email addresses during a three-week period. 


--j.
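Added example, not part of the post above and not code from SpamBayes, SpamAssassin or either paper: the Nelson abstract describes a classifier whose training data an adversary partly controls, and the concern for BAYES_* is that sa-learn-style training is just as exposed. The toy below is a SpamBayes-like naive-Bayes token scorer plus one generic mitigation, a held-out-validation gate that refuses to commit a training batch when it lowers accuracy on known-good messages. The gate is an assumption of this example, not a description of the two defenses the paper introduces (the page does not say what they are). All messages and labels are constructed sample data.

```python
"""Toy Bayes-style token filter with a training-batch gate (constructed example)."""
import copy
import math
from collections import Counter

_PUNCT = ".,!?"


def tokenize(msg):
    """Lower-cased word tokens with edge punctuation removed; a set, so a word counts once per message."""
    return {w.lower().strip(_PUNCT) for w in msg.split() if w.strip(_PUNCT)}


class TokenFilter:
    """Naive-Bayes token scorer in the spirit of SpamBayes / SA BAYES_* (toy, not their code)."""

    def __init__(self):
        self.spam_tok = Counter()   # token -> number of spam messages containing it
        self.ham_tok = Counter()    # token -> number of ham messages containing it
        self.nspam = 0
        self.nham = 0

    def train(self, msg, is_spam):
        toks = tokenize(msg)
        if is_spam:
            self.spam_tok.update(toks)
            self.nspam += 1
        else:
            self.ham_tok.update(toks)
            self.nham += 1

    def log_odds(self, msg):
        """log P(spam|msg)/P(ham|msg) with add-one smoothing; positive means spam."""
        lo = math.log((self.nspam + 1) / (self.nham + 1))
        for t in tokenize(msg):
            p_spam = (self.spam_tok[t] + 1) / (self.nspam + 2)
            p_ham = (self.ham_tok[t] + 1) / (self.nham + 2)
            lo += math.log(p_spam / p_ham)
        return lo

    def is_spam(self, msg):
        return self.log_odds(msg) > 0


def accuracy(flt, labelled):
    """Fraction of (message, is_spam) pairs the filter classifies correctly."""
    return sum(flt.is_spam(m) == y for m, y in labelled) / len(labelled)


def gated_train(flt, batch, holdout):
    """Commit `batch` to `flt` only if a trial training run does not lower accuracy on `holdout`.
    Returns (accepted, accuracy_before, accuracy_after_trial)."""
    before = accuracy(flt, holdout)
    trial = copy.deepcopy(flt)            # never mutate the live filter during the trial
    for m, y in batch:
        trial.train(m, y)
    after = accuracy(trial, holdout)
    if after < before:
        return False, before, after       # batch rejected, live filter untouched
    for m, y in batch:
        flt.train(m, y)
    return True, before, after


# Constructed corpora (True = spam, False = ham).
TRAIN = [
    ("meeting tomorrow about the quarterly report", False),
    ("can you review the patch for the parser", False),
    ("lunch at noon with the team", False),
    ("buy cheap pills online now", True),
    ("cheap viagra discount offer now", True),
    ("win a free prize click here now", True),
]
HOLDOUT = [   # trusted, hand-verified messages the gate scores against
    ("schedule the review meeting for the report", False),
    ("free discount pills offer", True),
    ("patch for the team parser", False),
    ("click here to win cheap prize", True),
]
CLEAN_BATCH = [
    ("limited time discount on cheap pills", True),
    ("agenda for the quarterly meeting", False),
]
# Contaminated batch: ordinary work vocabulary submitted under the spam label,
# the kind of training-set manipulation the abstract above describes.
CONTAMINATED_BATCH = [
    ("schedule the review meeting for the report with the team", True),
    ("the patch for the parser review meeting schedule and report", True),
    ("team schedule for the report review meeting patch parser", True),
]


def build_filter():
    flt = TokenFilter()
    for m, y in TRAIN:
        flt.train(m, y)
    return flt


if __name__ == "__main__":
    for name, batch in (("clean", CLEAN_BATCH), ("contaminated", CONTAMINATED_BATCH)):
        flt = build_filter()
        print(name, gated_train(flt, batch, HOLDOUT))
```

Two things worth noticing when running it. The contaminated batch flips two of the four held-out ham messages to spam, so the gate rejects it and the live counters stay at their pre-batch values. But a single contaminated message trained on its own does not move held-out accuracy in this toy at all and sails through; that is the shape of the abstract's 1% figure, and it is why a gate like this needs a holdout set large and representative enough that small shifts register, and why tracking per-token probability drift over time is a better detection signal than accuracy alone.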