{"51677":{"#nid":"51677","#data":{"type":"news","title":"Feamster Finds New Ways To Stem SPAM","body":[{"value":"\u003Ch2\u003EInternet Routing and SPAM Data Reveal Trends to Help Researchers Build Better Email Filters\u003C\/h2\u003E\n\u003Cp\u003E\u003Cstrong\u003E\u003Cbr \/\u003E(September 12, 2006)--\u003C\/strong\u003EA database of more than 10 million spam email messages collected at just one Internet \u201cspam sinkhole\u201d suggests that Internet service providers could better fight unwanted junk email by addressing it at the network level, rather than using currently available message content filters.\u003C\/p\u003E\n\u003Cp\u003EAlso, the research \u2013 conducted at the Georgia Institute of Technology\u2019s College of Computing -- identified two additional techniques for combating spam:  improving the security of the Internet\u2019s routing infrastructure and developing algorithms to identify computers\u2019 membership in \u201cbotnets,\u201d which are groups of computers that are compromised and controlled remotely to send large volumes of spam. The findings are now directing the researchers\u2019 design of new systems to stem spam. \u003C\/p\u003E\n\u003Cp\u003E\u201cContent filters are fighting a losing battle because it\u2019s easier for spammers to simply change their content than for us to build spam filters.,\u201d said Nick Feamster, a Georgia Tech assistant professor of computing. \u201cWe need another set of properties, not based on content. So what about network-level properties? It\u2019s harder for spammers to change network-level properties.\u201d\u003C\/p\u003E\n\u003Cp\u003EFeamster and his Ph.D. student Anirudh Ramachandran presented their findings on Sept. 14, 2006 in Pisa, Italy, at the Association for Computing Machinery\u2019s annual flagship conference of its Special Interest Group on Data Communication (SIGCOMM). In fact, Ramachandran won the SIGCOMM \u0022best student paper\u0022 award for the work.\u003C\/p\u003E\n\u003Cp\u003EFrom 18 months of Internet routing and spam data the researchers collected in one domain, they have learned which network-level properties are most promising for consideration in spam filter design. Specifically, they learned that:\u003C\/p\u003E\n\u003Cul\u003E\n\u003Cli\u003EInternet routes are being hijacked by spammers; \u003C\/li\u003E\n\u003Cli\u003Ethey can identify many narrow ranges within Internet protocol (IP) address space that are generating only spam; \u003C\/li\u003E\n\u003Cli\u003Eand they can identify the Internet service providers (ISP) from which spam is coming.\u003C\/li\u003E\n\u003C\/ul\u003E\n\u003Cp\u003E\u201cWe know route hijacking is occurring,\u201d Feamster said. \u201cIt\u2019s being done by a small, but fairly persistent and sophisticated group of spammers, who cannot be traced using conventional methods.\u201d\u003C\/p\u003E\n\u003Cp\u003ERoute hijacking works like this:  By exploiting weaknesses in Internet routing protocols, spammers can steal Internet address space by briefly advertising a route for that space to the rest of the Internet\u2019s routers. The spammers can then assign any IP address within that address space to their machines. They send their spam from those machines and then withdraw the route by which they sent the spam. By the time a recipient files a complaint related to this IP address, the route is gone and the IP address space is no longer reachable.\u003C\/p\u003E\n\u003Cp\u003E\u201cEven if you\u2019re watching the hijack take place, it\u2019s difficult to tell where it\u2019s coming from,\u201d Feamster explained. \u201cWe can make some good guesses. But Internet routing protocols are insecure, so it\u2019s relatively easy for spammers to steal them and hard for us to identify the perpetrators.\u201d\u003C\/p\u003E\n\u003Cp\u003EFeamster and researchers elsewhere are actively working to improve the security of Internet routing protocols, he added. Better spam filtering will also result from a system, which Feamster hopes to design, based on collaborative, network-level filtering among ISP operators.\u003C\/p\u003E\n\u003Cp\u003E\u201cWithin the single domain that we are studying, it\u2019s interesting that you don\u2019t see the same IP addresses repeatedly being used to send spam to that domain,\u201d Feamster said. \u201cSo ISP operators need to be able to securely share information about IP addresses associated with spam.\u201d\u003C\/p\u003E\n\u003Cp\u003EIn addition to studying network-level properties of spam, Ramachandran and Feamster compared their lists of IP addresses used to send spam against eight frequently used \u201cblacklists\u201d compiled by network operators to help filter spam.\u003C\/p\u003E\n\u003Cp\u003E\u201cWe found that these blacklists listed IP addresses for only about half of the spam being sent using route hijacking,\u201d Feamster said. \u201cThe best case scenario is that these blacklists are still missing IP addresses from which at least 20 percent of spam is sent\u2026. This 20 percent rate of false negatives is likely to cause a high percentage of false positives, and so this approach may also cause a lot of legitimate email to be mistakenly tagged as spam.\u201d\u003C\/p\u003E\n\u003Cp\u003EThe researchers also plan to use this finding in the spam filter development efforts, Feamster added. Meanwhile, the researchers are continuing to collect Internet routing and spam data.\u003C\/p\u003E\n\u003Cp\u003E\u201cIt\u2019s always nice to have long-term data to help us see trends,\u201d Feamster noted. \u201cThese are valuable studies that help us see if people\u2019s behavior changes over time.\u201d\u003C\/p\u003E\n\u003Cp\u003EIndeed, it has in this case. The rate of spam has nearly doubled in the past two years in the one domain where the researchers collected their routing data for this study.\u003C\/p\u003E\n\u003Cp align=\u0022center\u0022\u003E###\u003C\/p\u003E\n\u003Cp align=\u0022left\u0022\u003ETo view the paper Nick Feamster and Anirudh Ramachandran will present at SIGCOMM 2006, \u003Ca href=\u0022http:\/\/sigcomm06.stanford.edu\/discussion-beta\/index.php\u0022 target=\u0022_blank\u0022\u003Eclick here\u003C\/a\u003E.\u003C\/p\u003E\n\u003Cp\u003ETECHNICAL CONTACT: \u003Ca href=\u0022feamster@cc.gatech.edu\u0022 target=\u0022_blank\u0022\u003ENick Feamster\u003C\/a\u003E (617-388-7479)\u003C\/p\u003E\n\u003Cp\u003EWRITER: \u003Ca href=\u0022jane.sanders@edi.gatech.edu\u0022 target=\u0022_blank\u0022\u003EJane Sanders\u003C\/a\u003E (404-894-2214); FAX(404-894-4545)\u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003ECollege of Computing Assistant Professor Nick Feamster and\u00a0Ph.D. student Anirudh Ramachandran identify additional techniques for combating unwanted junk email.\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":"","uid":"27154","created_gmt":"2010-02-09 21:46:49","changed_gmt":"2016-10-08 03:05:08","author":"Louise Russo","boilerplate_text":"","field_publication":"","field_article_url":"","dateline":{"date":"2006-09-12T00:00:00-04:00","iso_date":"2006-09-12T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"groups":[{"id":"47223","name":"College of Computing"}],"categories":[],"keywords":[],"core_research_areas":[],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[],"email":[],"slides":[],"orientation":[],"userdata":""}}}