Spam - recognition by methods independent from text content
Ralf Iffert Internet Security Systems
download slides (PDF)
Today's spam detection methods are based upon common content analysis methods like Bayesian filters and keyword analysis. These methods can be easily circumvented by spammers by simple text variations.
This presentation describes two other approaches that work completely independently from any textual analysis:
- Structure analysis: this method is based upon an analysis of the HTML structure of the email. This structure is recorded using a type of meta language. The meta structure is added to a spam database and all incoming emails can be compared with this structure rather than the exact email text itself.
- Flow analysis: this method is based upon an analysis of the flow of incoming emails. If there are emails with identical content but different senders and different recipients within a short time-frame, then a system could conclude that the emails are spam, because there is no other kind of (mass) email fulfilling this criterion. This method is highly effective when large quantities of potential spam messages are analysed, such as in a Mail Service Provider environment. Furthermore, the comparison of the content can be made resistant against the common spammers' tricks by incorporating other techniques like the first method described in this talk, structure analysis.