{"72715":{"#nid":"72715","#data":{"type":"news","title":"Spam Database Helps in Design of E-mail Defense","body":[{"value":"\u003Cp\u003EA database of more than 10 million spam e-mail messages collected at just one Internet \u0027spam sinkhole\u0027 suggests that Internet service providers could better fight unwanted junk e-mail by addressing it at the network level, rather than using currently available message content filters.\u003C\/p\u003E\n\u003Cp\u003EAlso, the research -- conducted at the Georgia Institute of Technology\u0027s College of Computing -- identified two additional techniques for combating spam:  improving the security of the Internet\u0027s routing infrastructure and developing algorithms to identify computers\u0027 membership in \u0027botnets,\u0027 which are groups of computers that are compromised and controlled remotely to send large volumes of spam. The findings are now directing the researchers\u0027 design of new systems to stem spam. \n\u003C\/p\u003E\n\u003Cp\u003E\u0022Content filters are fighting a losing battle because it\u0027s easier for spammers to simply change their content than for us to build spam filters,\u0022 said Nick Feamster, a Georgia Tech assistant professor of computing. \u0022We need another set of properties, not based on content. So what about network-level properties? It\u0027s harder for spammers to change network-level properties.\u0022\n\u003C\/p\u003E\n\u003Cp\u003EFeamster and his Ph.D. student Anirudh Ramachandran presented their findings on Sept. 14, 2006 in Pisa, Italy, at the Association for Computing Machinery\u0027s annual flagship conference of its Special Interest Group on Data Communication (SIGCOMM).\n\u003C\/p\u003E\n\u003Cp\u003EFrom 18 months of Internet routing and spam data the researchers collected in one domain, they have learned which network-level properties are most promising for consideration in spam filter design. 
Specifically, they learned that:  \n\u003C\/p\u003E\n\u003Cp\u003E* Internet routes are being hijacked by spammers; \n\u003C\/p\u003E\n\u003Cp\u003E* They can identify many narrow ranges within Internet protocol (IP) address space that are generating only spam; \n\u003C\/p\u003E\n\u003Cp\u003E* and they can identify the Internet service providers (ISPs) from which spam is coming.\n\u003C\/p\u003E\n\u003Cp\u003E\u0022We know route hijacking is occurring,\u0022 Feamster said. \u0022It\u0027s being done by a small, but fairly persistent and sophisticated group of spammers, who cannot be traced using conventional methods.\u0022\n\u003C\/p\u003E\n\u003Cp\u003ERoute hijacking works like this:  By exploiting weaknesses in Internet routing protocols, spammers can steal Internet address space by briefly advertising a route for that space to the rest of the Internet\u0027s routers. The spammers can then assign any IP address within that address space to their machines. They send their spam from those machines and then withdraw the route by which they sent the spam. By the time a recipient files a complaint related to this IP address, the route is gone and the IP address space is no longer reachable.\n\u003C\/p\u003E\n\u003Cp\u003E\u0022Even if you\u0027re watching the hijack take place, it\u0027s difficult to tell where it\u0027s coming from,\u0022 Feamster explained. \u0022We can make some good guesses. But Internet routing protocols are insecure, so it\u0027s relatively easy for spammers to steal them and hard for us to identify the perpetrators.\u0022 \n\u003C\/p\u003E\n\u003Cp\u003EFeamster and researchers elsewhere are actively working to improve the security of Internet routing protocols, he added.\n\u003C\/p\u003E\n\u003Cp\u003EBetter spam filtering will also result from a system, which Feamster hopes to design, based on collaborative, network-level filtering among ISP operators. 
\n\u003C\/p\u003E\n\u003Cp\u003E\u0022Within the single domain that we are studying, it\u0027s interesting that you don\u0027t see the same IP addresses repeatedly being used to send spam to that domain,\u0022 Feamster said. \u0022So ISP operators need to be able to securely share information about IP addresses associated with spam.\u0022\n\u003C\/p\u003E\n\u003Cp\u003EIn addition to studying network-level properties of spam, Ramachandran and Feamster compared their lists of IP addresses used to send spam against eight frequently used \u0027blacklists\u0027 compiled by network operators to help filter spam. \n\u003C\/p\u003E\n\u003Cp\u003E\u0022We found that these blacklists listed IP addresses for only about half of the spam being sent using route hijacking,\u0022 Feamster said. \u0022The best case scenario is that these blacklists are still missing IP addresses from which at least 20 percent of spam is sent. This 20 percent rate of false negatives is likely to cause a high percentage of false positives, and so this approach may also cause a lot of legitimate email to be mistakenly tagged as spam.\u0022\n\u003C\/p\u003E\n\u003Cp\u003EThe researchers also plan to use this finding in the spam filter development efforts, Feamster added. Meanwhile, the researchers are continuing to collect Internet routing and spam data. \n\u003C\/p\u003E\n\u003Cp\u003E\u0022It\u0027s always nice to have long-term data to help us see trends,\u0022 Feamster noted. \u0022These are valuable studies that help us see if people\u0027s behavior changes over time.\u0022\n\u003C\/p\u003E\n\u003Cp\u003EIndeed, it has in this case. 
The rate of spam has nearly doubled in the past two years in the one domain where the researchers collected their routing data for this study.\n\u003C\/p\u003E\n\u003Cp\u003E\u003Cstrong\u003EResearch News \u0026amp; Publications Office\u003Cbr \/\u003E\nGeorgia Institute of Technology\u003Cbr \/\u003E\n75 Fifth Street, N.W., Suite 100\u003Cbr \/\u003E\nAtlanta, Georgia 30308 USA \u003C\/strong\u003E\n\u003C\/p\u003E\n\u003Cp\u003E\u003Cstrong\u003EMedia Relations Contacts\u003C\/strong\u003E: Jane Sanders (404-894-2214); E-mail: (\u003Ca href=\u0022mailto:jsanders@gatech.edu\u0022\u003Ejsanders@gatech.edu\u003C\/a\u003E) or John Toon (404-894-6986); E-mail: (\u003Ca href=\u0022mailto:jtoon@gatech.edu\u0022\u003Ejtoon@gatech.edu\u003C\/a\u003E).\n\u003C\/p\u003E\n\u003Cp\u003E\u003Cstrong\u003ETechnical Contact\u003C\/strong\u003E: Nick Feamster (617-388-7479); E-mail:  (\u003Ca href=\u0022mailto:feamster@cc.gatech.edu\u0022\u003Efeamster@cc.gatech.edu\u003C\/a\u003E) \n\u003C\/p\u003E\n\u003Cp\u003E\u003Cstrong\u003EWriter\u003C\/strong\u003E: Jane Sanders\n\u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":[{"value":"Study of more than 10 million spam messages suggests new options in battling unwanted e-mail"}],"field_summary":[{"value":"A study of more than 10 million spam e-mail messages suggests that Internet service providers could better fight unwanted junk e-mail at the network level -- rather than using currently available message content filters.","format":"limited_html"}],"field_summary_sentence":[{"value":"A new study suggests new strategies in spam battle"}],"uid":"27303","created_gmt":"2006-09-20 00:00:00","changed_gmt":"2016-10-08 03:03:29","author":"John Toon","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2006-09-14T00:00:00-04:00","iso_date":"2006-09-14T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"72716":{"id":"72716","type":"image","title":"Spam keyboard 
graphic","body":null,"created":"1449177954","gmt_created":"2015-12-03 21:25:54","changed":"1475894663","gmt_changed":"2016-10-08 02:44:23"},"72717":{"id":"72717","type":"image","title":"Nick Feamster","body":null,"created":"1449177954","gmt_created":"2015-12-03 21:25:54","changed":"1475894663","gmt_changed":"2016-10-08 02:44:23"}},"media_ids":["72716","72717"],"related_links":[{"url":"http:\/\/www.cc.gatech.edu\/","title":"College of Computing"},{"url":"http:\/\/www.cc.gatech.edu\/component\/option,com_peopledb\/task,view\/contact_id,285832788\/Itemid,238\/","title":"Nick Feamster"}],"groups":[{"id":"1188","name":"Research Horizons"}],"categories":[],"keywords":[],"core_research_areas":[],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cstrong\u003EJohn Toon\u003C\/strong\u003E\u003Cbr \/\u003EResearch News \u0026amp; Publications Office\u003Cbr \/\u003E\u003Ca href=\u0022http:\/\/www.gatech.edu\/contact\/index.html?id=jt7\u0022\u003EContact John Toon\u003C\/a\u003E\u003Cbr \/\u003E\u003Cstrong\u003E404-894-6986\u003C\/strong\u003E","format":"limited_html"}],"email":["jtoon@gatech.edu"],"slides":[],"orientation":[],"userdata":""}}}