Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2008/04/18 13:04:41 UTC
good stuff to read (and one possible issue)
http://www.usenix.org/event/leet08/tech/full_papers/nelson/nelson_html/
Abstract: Using statistical machine learning for making security decisions
introduces new vulnerabilities in large scale systems. This paper shows
how an adversary can exploit statistical machine learning, as used in the
SpamBayes spam filter, to render it useless--even if the adversary's
access is limited to only 1% of the training messages. We further
demonstrate a new class of focused attacks that successfully prevent
victims from receiving specific email messages. Finally, we introduce two
new types of defenses against these attacks.
as the paper notes, our BAYES_* rules are very similar to SpamBayes'
approach. haven't read it yet.
http://www.usenix.org/event/leet08/tech/full_papers/zhuang/zhuang_html/
Abstract:
We develop new techniques to map botnet membership using traces of spam
email. To group bots into botnets we look for multiple bots participating
in the same spam email campaign. We have applied our technique against a
trace of spam email from Hotmail Web mail services. In this trace, we have
successfully identified hundreds of botnets. We present new findings about
botnet sizes and behavior while also confirming other researchers'
observations derived by different methods [1,15].
http://www.usenix.org/event/leet08/tech/full_papers/kreibich/kreibich_html/
In this paper, we explore a new methodology--distribution
infiltration--for measuring spam campaigns from the inside. This approach
is motivated by the observation that as spammers have migrated from open
relays and open proxies to more complex malware-based "botnet" email
distribution, they have unavoidably opened their infrastructure to outside
observation. By hooking into a botnet's command-and-control (C&C)
protocol, one can infiltrate a spammer's distribution platform and measure
spam campaigns as they occur.
In particular, we present an initial analysis of spam campaigns conducted
by the well-known Storm botnet, based on data we captured by infiltrating
its distribution platform. We first look at the system components used to
support spam campaigns. These include a work queue model for distributing
load across the botnet, a modular campaign framework, a template language
for introducing per-message polymorphism, delivery feedback for target
list pruning, per-bot address harvesting for acquiring new targets, and
special test campaigns and email accounts used to validate that new spam
templates can bypass filters. We then also look at the dynamics of how
such campaigns unfold. We analyze the address lists to characterize the
targeting of different campaigns, delivery failure rates (a metric of
address list "quality"), and estimated total campaign sizes as
extrapolated from a set of samples. From these estimates, one such
campaign--focused on perpetuating the botnet itself--spewed email to
around 400 million email addresses during a three-week period.
--j.
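The second abstract's grouping rule (bots that take part in the same spam campaign are put into the same botnet) is simple enough to show end to end. The following is an added example, not code from the paper or from SpamAssassin: it parses constructed log lines of the form `ip=... campaign=...` (the log format and the campaign fingerprints are assumptions; the paper derives its own campaign identities from the messages), then links senders through shared campaigns with a union-find and reports the resulting groups. A campaign seen from only one sender is skipped, since it gives no co-membership evidence.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data): one line per spam delivery,
# carrying the sending IP and a campaign fingerprint. In a real deployment the
# fingerprint would be derived from the message template (URL, subject skeleton).
SAMPLE_LOG = """\
2008-04-18T12:00:01Z ip=203.0.113.10 campaign=camp-A
2008-04-18T12:00:02Z ip=203.0.113.11 campaign=camp-A
2008-04-18T12:00:03Z ip=203.0.113.11 campaign=camp-B
2008-04-18T12:00:04Z ip=203.0.113.12 campaign=camp-B
2008-04-18T12:00:05Z ip=198.51.100.7 campaign=camp-C
2008-04-18T12:00:06Z ip=198.51.100.8 campaign=camp-C
2008-04-18T12:00:07Z ip=192.0.2.99 campaign=camp-D
2008-04-18T12:00:08Z ip=203.0.113.13 campaign=camp-A
2008-04-18T12:00:09Z ip=203.0.113.10 campaign=camp-A
"""

# Assumed log layout; only the ip= and campaign= fields are used.
LINE_RE = re.compile(r"ip=(?P<ip>\S+)\s+campaign=(?P<campaign>\S+)")


def parse_log(text):
    """Return (ip, campaign) pairs; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m.group("ip"), m.group("campaign")))
    return records


def senders_per_campaign(records):
    """Map each campaign fingerprint to the set of IPs seen sending it."""
    by_campaign = defaultdict(set)
    for ip, campaign in records:
        by_campaign[campaign].add(ip)
    return by_campaign


class DisjointSet:
    """Minimal union-find with path halving; elements are created on first use."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def map_botnets(records, min_senders=2):
    """Group sender IPs into botnets: two IPs belong together if some chain of
    shared campaigns connects them. Campaigns with fewer than min_senders
    distinct senders are ignored because they carry no co-membership evidence.
    Returns groups sorted by size (largest first), then by lowest IP string."""
    dsu = DisjointSet()
    for ips in senders_per_campaign(records).values():
        if len(ips) < min_senders:
            continue
        first, *rest = sorted(ips)
        for ip in rest:
            dsu.union(first, ip)
    groups = defaultdict(set)
    for ip in dsu.parent:  # only IPs that appeared in a multi-sender campaign
        groups[dsu.find(ip)].add(ip)
    return sorted((frozenset(g) for g in groups.values()),
                  key=lambda g: (-len(g), min(g)))


if __name__ == "__main__":
    for net in map_botnets(parse_log(SAMPLE_LOG)):
        print(len(net), sorted(net))
```

With the constructed log, camp-A and camp-B share sender 203.0.113.11, so the four 203.0.113.x senders form one group, the two 198.51.100.x senders form a second, and 192.0.2.99 (the only sender of camp-D) is left unclustered. On real traces the campaign fingerprint is the part that needs care: a fingerprint that is too coarse (for example, a bare subject line reused by unrelated spammers) will merge separate botnets into one.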