Team ExcelSpam Offense Team ExcelEmails Misdirected into HoneypotPrimary Country Data is MisleadingRoute StabilityBlack ListsEmail ISP SelectionIncomplete Data by CountryDNS registration MethodologyBotNetSpammers sending limited messagesRoute based spam detectionSpam FiltersDestination SecurityIntelligent SpammersThe SPAM Offensive TeamThank youTeam ExcelWhat is SPAM ?Spam Offense Team Excel'‘a distinctive chopped pork shoulder and ham mixture'' Image Source:Appscout.comEmails Misdirected into HoneypotThe domain name used in the study honeypot is not givenOpportunity for legitimate mail due to “typos” Examples:[email protected][email protected][email protected][email protected] Source: Apple.comTypos can happen!Primary Country Data is MisleadingNumber of SMAM messages is not normalized against number of legitate messagesWhile China has a large number of SPAM messages, it also has the 2nd largest number of online Internet usersSPAM is a problem in China AND the U.S.Example: Internet PopulationTable 1: Top Spam NetworksSource: InternetWorldStats.comRoute StabilityRoute stability to determine whether or not a message is spam will be difficult and may result in false positives. The short lived IP subnets, could be due to flapping of Internet links in which BGP is flushing/adding/then flushing the route.Global Internet Threat The BackhoeFiber Map Route FrequencySource: Wired.com and Benmautner.comBlack ListsBlacklisting an entire AS runs the risk of blocking legitimate traffic and/or legitimate emailBlocking an IP address or group of IPs, especially in the case when NAT is used, could result in blocking legitimate mailImage Source: Bonq.orgEmail ISP SelectionThe trace file of "legitimate email" from an ISP could be partial to particular ISPs, depending on who the customers of the ISP communicate with The demographics of the sample data may play a part in why email is seen from certain ISPs Comparing "legitimate email" from an ISP, provides little value in comparison to the "SPAM email" sampleIncomplete Data by CountryThe data is not normalized. Saying Korea and China produce the most SPAM, may be true, however the total amount of email messages processed (both good and SPAM) is not given It is possible China produces 10 times more email than other countries since the population is much higherWhen normalized it is possible the percent of SPAM vs. non-SPAM is lower in China than other countriesDNS registration MethodologyUsing DNS name lookup only to collect spam limits the scope and type of spam received, such as mail received from Harvesters and mailing lists, thus limiting spammer capability types.BotNetThe generalization of Bobax data across all botnets will generate misleading resultsBehavior may be differentSpammers sending limited messagesThe conclusion that hosts send finite messages to the sinkhole may be a symptom of the behavior of the sinkhole rather than the behavior of the botnetRoute based spam detectionRoute based spam detection is limited correlating route behavior to spamThere are many reasons for short lived routes, so detection of spam by detecting short lived routes will need to be used in conjunction with other methods to detect spamSpam FiltersWhat is the likely-hood of network level filters blocking legitimate e-mail? What if a corporation makes a change to their MX records – will their technique cause issues? Most corporate filters allow some spam through vs. risk blocking legitimate e-mailDestination SecurityThe results of the study could be flawed due to security measures on the InternetThe researchers attempts to trace back to hosts, may have been blocked by access-lists on routers, and/or firewallsIt is also conceivable the "hijack" of the botnet they performed may of caused other ISPs to "blacklist" the researchers thinking they were possible SpammersIntelligent SpammersStudy assumes that spamming technology is staticSpammers continually adjust tactics to minimize the effectiveness of new efforts of screeningThe SPAM Offensive TeamGlenn AllisonBryan “BDT” TabiadonJoe MathewDan Hoadley Raj VarmaMichael EhrenhoferThank
View Full Document
Unlocking...