Naval researchers pioneer TCP-based spam detection

A group of researchers from the U.S. Naval Academy has developed a technique for analyzing email traffic in real-time to identify spam messages as they come across the wire, simply using information from the TCP (Transmission Control Protocol) packets that carry the messages.


So this begs the question: what do you do about spam?

Spam has been with us so long that it has literally become the main kind of message passed over email. In the last several years Microsoft has teamed with several other security outfits to take down several botnets and remove their domains and command-and-control centers.

My answer to spam has been to drop email. I answer no spam messages, as I no longer receive them. To say it’s been a time saver over the years would be an understatement. I realize the answer I have may not work for you.

Bill Gates thought the solution to spam was to charge a small fee, much as postage stamps fund the postal service. The idea is that spam works only as long as email is a cheap delivery service. Flooding email servers with spam in the hope of a few responses per hundred messages was cost effective. Remove the “free” from email and suddenly what is a minor cost for one email becomes prohibitively expensive for the spammer.

Over time, blacklist filters have become unwieldy in size, and since botnets began hijacking machines their effectiveness has dropped somewhat. Blocking the IPs of those spewing spam is now sure to also block a legitimate user who doesn’t know his machine is hijacked.

Traffic moved over the net by spammers had been on the rise too, until the last few years. To avoid detection, spammers have gone from plain text messages to image formats (which are considerably larger, shifting the cost of moving the data onto the host) to ever harder-to-block methods.

Many forums have gone through changes too. First it was people coming in to spam, hoping to be paid for the dubious service of posting. Then came bots harvesting emails from forums, since the usual forum format required signing up with an activation code sent by email to verify a real person. Bots would pick up the email address and the next thing you knew you were on a spammer’s list. Often there were two types of lists a spammer could buy: general email addresses, like those harvested from a forum, and addresses that had responded, guaranteeing a valid, known-good address. Back in the early 2000s a valid email list sold for something like $300 to $500, so there was a lot of pressure to harvest email addresses for income.

Bounce-back spam is another change the spammer evolved to. When you send an email to an invalid address, you get a bounce back saying the email was undeliverable. At first those bounce backs were not subject to spam filtering, so all the spammer had to do was guess your email address and it was delivered.
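The bounce-back problem described above is why mail systems started tagging the envelope sender of outgoing mail, so that a returning bounce can be checked against something the server actually sent: a bounce for a message you never sent is backscatter and can be rejected. The following is an added example, not code from the original post, sketching such a check in Python in the style of BATV (Bounce Address Tag Validation). The domain, the secret key, the tag layout (a 3-digit day plus 6 hex characters of a truncated HMAC, a simplification of the prvs= scheme) and the `classify_bounce` helper are all constructed for illustration.

```python
"""BATV-style signed envelope senders: sign outgoing MAIL FROM, verify
incoming bounces. Added illustration, not the original post's code.
Assumptions (constructed): the key, example.com, and the simplified
prvs=DDDHHHHHH=local@domain tag layout used here."""

import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"   # placeholder; a real deployment uses a per-domain secret
TAG_LIFETIME_DAYS = 7                  # bounces normally arrive within a few days


def _tag(local, domain, day, key):
    """6 hex chars of HMAC-SHA256 over (day, original address)."""
    msg = f"{day:03d}:{local}@{domain}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def _day(now):
    """Day counter modulo 1000, as carried in the tag."""
    return int((time.time() if now is None else now) // 86400) % 1000


def sign_sender(address, key=SECRET_KEY, now=None):
    """Rewrite 'local@domain' to the tagged form used as envelope sender."""
    local, domain = address.rsplit("@", 1)
    day = _day(now)
    return f"prvs={day:03d}{_tag(local, domain, day, key)}={local}@{domain}"


def validate_recipient(address, key=SECRET_KEY, now=None):
    """Return (tag_is_valid, original_address) for a recipient of a bounce.

    Untagged, malformed, tampered, expired or future-dated tags are invalid."""
    local, domain = address.rsplit("@", 1)
    if not local.startswith("prvs="):
        return False, address
    parts = local.split("=", 2)
    if len(parts) != 3:
        return False, address
    _, tagpart, orig_local = parts
    original = f"{orig_local}@{domain}"
    if len(tagpart) != 9 or not tagpart[:3].isdigit():
        return False, original
    day = int(tagpart[:3])
    age = (_day(now) - day) % 1000      # future-dated tags wrap to a large age
    if age > TAG_LIFETIME_DAYS:
        return False, original
    expected = _tag(orig_local, domain, day, key)
    return hmac.compare_digest(expected, tagpart[3:]), original


def classify_bounce(envelope_from, envelope_to, key=SECRET_KEY, now=None):
    """Decide what to do with an inbound message at the MTA.

    Bounces use the null envelope sender ('<>'); only bounces whose recipient
    carries a valid tag correspond to mail we really sent. Normal mail (non-null
    sender) is accepted regardless of the tag, which is simply stripped."""
    valid, original = validate_recipient(envelope_to, key, now)
    if envelope_from in ("", "<>"):
        return ("accept", original) if valid else ("reject-backscatter", original)
    return ("accept", original)


if __name__ == "__main__":
    tagged = sign_sender("alice@example.com")
    print("outgoing MAIL FROM:", tagged)
    print(classify_bounce("", tagged))                    # our own bounce: accept
    print(classify_bounce("", "alice@example.com"))       # forged: reject-backscatter
```

The tag is bound to the day so an intercepted tagged address only stays usable for a week, and `hmac.compare_digest` keeps the comparison constant-time. In a real MTA the rewrite happens on outbound MAIL FROM and the check on inbound RCPT TO when the sender is null.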

It’s been an ongoing war of escalation over spam. The surest way to end it would be if no one answered. Getting a whole population to agree not to do something is like herding cats. Good luck with that.

Heuristic filtering based on TCP traffic patterns is certainly a step forward, but only a temporary one: every action taken so far has drawn a response from spammers that neutralized it. This one will be no different; they will merely add a delay to break the pattern and the spam will continue.

Posted in Thoughts.
