VB2014 paper: Labelling spam through the analysis of protocol patterns

Posted by   Virus Bulletin on   Nov 26, 2014

What do your IP packet sizes say about whether you're a spammer?

Over the next few months, we will be sharing VB2014 conference papers as well as video recordings of the presentations. Today, we have added 'Labelling spam through the analysis of protocol patterns' by Bitdefender researchers Andrei Husanu and Alexandru Trifan.

Machines sending spam tend to behave differently in a number of ways from those sending legitimate emails. One of the ways people have long been fighting spam is to detect this difference, for instance by fingerprinting the TCP/IP connection to determine the operating system, or to check whether the sender starts 'talking SMTP' before the spam filter has sent the SMTP banner.

In their VB2014 paper, Andrei Husanu and Alexandru Trifan suggest a different way to distinguish spammers from legitimate emailers: they looked at the IP packet sizes of SMTP connections and found some behaviour that was typical of spammers trying to send a variation of the same message to as many recipients as possible, or of spam sent from a (likely compromised) mobile device.

  Fluctuating packet sizes are typical of email sent over a mobile connection.

You can read the paper here in HTML-format, or download it here as a PDF (no registration or subscription required). You can download the presentation slides here. We have also uploaded the presentation to our YouTube channel.

We apologise for the poor quality of the screen capture in the video. We will try to upload a better version at a later stage.

Posted on 26 November 2014 by Martijn Grooten



Latest posts:

VB2018 call for papers now open!

Have you analysed a new online threat? Do you know a new way to defend against such threats? Are you tasked with securing systems and fending off attacks? The call for papers for VB2018 is now open and we want to hear from you!

Book review: Serious Cryptography

VB Editor Martijn Grooten recommends Jean-Philippe Aumasson's 'Serious Cryptography' as a very solid but practically focused introduction to cryptography.

Necurs pump-and-dump spam campaign pushes obscure cryptocurrency

A Necurs pump-and-dump spam campaign pushing the lesser known Swisscoin botnet is mostly background noise for the Internet.

Alleged author of creepy FruitFly macOS malware arrested

A 28-year old man from Ohio has been arrested on suspicion of having created the mysterious FruitFly malware that targeted macOS and used it to spy on its victims.

The threat and security product landscape in 2017

At the start of the new year, Virus Bulletin looks back at the threats seen in the 2017 and at the security products that are available to help mitigate them.