Labelling spam through the analysis of protocol patterns

Thursday 25 September 14:30 - 15:00, Red room.

Andrei Husanu, Bitdefender
Alexandru Trifan, Bitdefender

The increasing volume of unsolicited commercial email has driven the anti-spam industry towards taking advantage of every aspect that can filter out unwanted messages at an early stage, reducing processing time and hence system load.

This research paper aims to provide answers to the question 'in how many ways can you send an email?' Of course, in theory, all SMTP servers behave according to the relevant RFC, but this is not necessarily the case in practice. Moreover, specific implementations behave differently, even if purportedly implementing the same set of rules.

We propose ways of fingerprinting the behaviour of various email-sending software. The actual contents of the messages are ignored. Instead, sending behaviour is analysed at the SMTP and TCP/IP protocol levels to find distinguishing patterns. Identification is based on several strategies including heuristics over packet sequence and length.

The purpose is to identify email messages that originate from botnets and to isolate them from those that originate from various kinds of legitimate email servers. This is possible because of the way in which spam bots work and the limitations under which they operate.

Andrei Husanu was born in Ungheni, Moldova in 1985. Passionate about computer science from an early age, he was a regular presence at computer science camps and contests. To further pursue this path, he moved to Bucharest, Romania in 2004 and joined the Department of Cybernetics, Statistics and Informatics at the Academy of Economic Studies. He joined the Bitdefender Antispam Labs in 2007, and since then he has always raised the bar for the performance and accuracy of the technologies he has worked on. Andrei has contributed decisively to shifting the technological paradigm of spam fighting towards cloud computing, a change that would set the foundation for the ascension of Bitdefender Antispam among the top performing technologies of its kind. Constantly researching the latest trends in the spam and security world, even outside working hours, Andrei is always on the lookout for new things that can help widen the view on these phenomena.

Alexandru Trifan was born in the town of Buzau, Romania in 1983. Even though his early interest was in theoretical physics, he eventually turned to computer science upon joining the Department of Computer Science at the 'Politehnica' University of Bucharest. In 2004, even before obtaining his BS degree in the field of Artificial Intelligence Programming Systems and Base Programming Systems, he started working in the Bitdefender Antispam Labs and was part of the team that created the second generation of the company's anti-spam engines from scratch. His key contributions would later include the creation of a new filtering rule description and execution system, the base of today's signature-based spam detection system. Since 2009, Alexandru has been the head of Bitdefender's Antispam Development, continuously pushing towards new approaches to understanding and fighting spam. Alexandru is married and enjoys mountain hiking, photography and billiards in his free time.