Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine

SNARE: Spatio-temporal Network-level Automatic Reputation Engine. Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray, Sven Krasser. Klevis Luli

Upload: mauli

Post on 22-Feb-2016


DESCRIPTION

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine. Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray, Sven Krasser. Klevis Luli. SNARE Overview. PowerPoint PPT presentation

TRANSCRIPT

Page 1: Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine

Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine

Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray, Sven Krasser

Klevis Luli

Page 2

SNARE Overview

• Sender reputation system that automatically classifies email senders based on various network-level features.
  o No content checking, lightweight
  o Not blacklisting
• Features that help distinguish spammers from legitimate senders
• Automated Reputation Engine
• Implementation
• Evasion and Limitations
• Evaluation
• Future Work

Page 3

Single-packet features

• No previous history from the IP address, only a single packet from the IP address in question
• Receiver does not need to accept the connection request
  o Geographic distance: spam tends to travel longer geographic distances between sender and receiver
  o Sender neighborhood density: a cluster of senders in a small address space could be a botnet
  o Probability ratio of spam to ham (genuine email) at the time of day the IP packet arrives: legitimate email follows a certain trend
  o AS number of sender: more reliable than the IP address; a large amount of spam comes from a small number of ASes
  o Open ports on sender: legitimate mail senders usually provide certain services, so they listen on more than one port.

Page 4

Single-packet features

Page 5

Single-header and single-message features

• Collected after looking at SMTP headers or messages
• Receiver accepts the connection
• Provide increased confidence
  o Number of recipients in the To field: spam usually has more recipients than ham
  o Length of message: spam tends to be short and less random

Aggregate features

• Constructed if some history from an IP is available
• By summarizing behavior over multiple messages and over time, these aggregate features may yield a more reliable prediction.
  o Geodesic distance between the sender and recipient
  o Number of recipients in the “To” field of the SMTP header
  o Message body length in bytes
• Comes at the cost of increased latency because messages need to be collected first
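The single-packet, single-message and aggregate features on the last two slides can be computed from a per-message log once the sender's location and AS are known. The Python below is an added example, not code from the slides or from the SNARE authors: the message records, coordinates and AS table are constructed stand-ins for geolocation and routing-table lookups, the neighborhood density uses a fixed /24 prefix as a simplification of "cluster of senders in a small address space", and the open-port feature is omitted because it needs an active probe.

```python
import math
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records, one per received message:
# (sender_ip, sender (lat, lon), receiver (lat, lon), hour_of_day,
#  recipients_in_To, body_length_bytes, label). Coordinates are made-up
# stand-ins for an IP geolocation lookup; the label is ground truth from
# a labelled history and is used only to build the time-of-day table.
MESSAGES = [
    ("203.0.113.10", (55.75, 37.62), (33.75, -84.39), 3, 40, 600, "spam"),
    ("203.0.113.11", (55.75, 37.62), (33.75, -84.39), 3, 35, 580, "spam"),
    ("203.0.113.12", (55.75, 37.62), (33.75, -84.39), 4, 50, 610, "spam"),
    ("198.51.100.7", (33.75, -84.39), (33.75, -84.39), 14, 1, 4200, "ham"),
    ("198.51.100.7", (33.75, -84.39), (40.71, -74.01), 15, 2, 1800, "ham"),
    ("192.0.2.44", (37.77, -122.42), (33.75, -84.39), 10, 1, 9000, "ham"),
]

# Constructed prefix-to-AS table (AS numbers from the documentation range);
# a real deployment would consult a BGP routing table or whois data.
ASN_TABLE = {
    ip_network("203.0.113.0/24"): 64496,
    ip_network("198.51.100.0/24"): 64497,
    ip_network("192.0.2.0/24"): 64498,
}

EARTH_RADIUS_KM = 6371.0


def geodesic_km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def neighborhood_density(sender_ip, all_sender_ips, prefix_len=24):
    """Distinct senders seen in the same /prefix_len block as sender_ip.
    Assumption: a fixed prefix stands in for the slide's "small address space"."""
    block = ip_network(f"{sender_ip}/{prefix_len}", strict=False)
    return len({ip for ip in all_sender_ips if ip_address(ip) in block})


def time_of_day_table(history, smoothing=1.0):
    """Spam:ham ratio for each hour of the day, built from labelled history.
    Additive smoothing keeps hours with no ham (or no spam) finite."""
    spam, ham = defaultdict(int), defaultdict(int)
    for rec in history:
        (spam if rec[6] == "spam" else ham)[rec[3]] += 1
    return {h: (spam[h] + smoothing) / (ham[h] + smoothing) for h in range(24)}


def lookup_asn(ip):
    """Longest-prefix style lookup against the constructed AS table."""
    addr = ip_address(ip)
    return next((asn for net, asn in ASN_TABLE.items() if addr in net), None)


def single_packet_features(rec, tod_table, all_sender_ips):
    """Features available before accepting the SMTP connection."""
    ip, sender, receiver, hour = rec[0], rec[1], rec[2], rec[3]
    return {
        "geodesic_km": geodesic_km(sender, receiver),
        "neighborhood_density": neighborhood_density(ip, all_sender_ips),
        "tod_spam_ham_ratio": tod_table[hour],
        "asn": lookup_asn(ip),
    }


def single_message_features(rec):
    """Features that require accepting the connection and reading the message."""
    return {"n_recipients": rec[4], "body_length": rec[5]}


def aggregate_features(history):
    """Per-sender-IP means over every message seen from that IP."""
    acc = defaultdict(lambda: {"n": 0, "dist": 0.0, "rcpt": 0, "len": 0})
    for ip, sender, receiver, _, n_rcpt, length, _ in history:
        a = acc[ip]
        a["n"] += 1
        a["dist"] += geodesic_km(sender, receiver)
        a["rcpt"] += n_rcpt
        a["len"] += length
    return {ip: {"messages": a["n"],
                 "mean_geodesic_km": a["dist"] / a["n"],
                 "mean_recipients": a["rcpt"] / a["n"],
                 "mean_body_length": a["len"] / a["n"]}
            for ip, a in acc.items()}


if __name__ == "__main__":
    table = time_of_day_table(MESSAGES)
    senders = [m[0] for m in MESSAGES]
    for m in MESSAGES:
        print(m[0], single_packet_features(m, table, senders),
              single_message_features(m))
    print(aggregate_features(MESSAGES))
```

The time-of-day table is the one feature that is itself derived from labelled history, which is why a deployment must keep that history separate from the data it evaluates on (the later Evaluation slide splits the trace for exactly this reason). The aggregate features show the latency trade-off directly: `aggregate_features` can only be computed once several messages from the same IP have been collected.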

Page 6

Automated reputation engine

• RuleFit supervised learning algorithm
• x for input variables, f(x) for “base learner” functions
• Rules in a decision tree used as “base learners”
• Automatically classifies email after being trained
• Can evaluate the relative importance of features
• Input variables that frequently appear in important rules or base functions are deemed more relevant.
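To make the slide's description concrete, here is an added Python example of a rule ensemble in the spirit of RuleFit; it is not the authors' code and not the RuleFit implementation. Each base learner f(x) is a rule, a conjunction of threshold tests like one root-to-leaf path of a decision tree, and a sparse linear model is fitted over the rule indicators with an L1 penalty. The training rows, the rules and their thresholds are hand-written assumptions (RuleFit harvests rules from a fitted tree ensemble); the importance measure follows the RuleFit paper's definition, rule importance |w_k|·sqrt(s_k(1 − s_k)) shared equally among the rule's variables.

```python
import math

# Constructed training set: already-extracted feature vectors x (values
# invented) with labels y, 1 = spam, 0 = ham. Feature names follow the slides.
TRAIN = [
    ({"geodesic_km": 8700, "neighborhood_density": 40, "n_recipients": 35, "body_length": 600}, 1),
    ({"geodesic_km": 9100, "neighborhood_density": 38, "n_recipients": 50, "body_length": 610}, 1),
    ({"geodesic_km": 6000, "neighborhood_density": 12, "n_recipients": 8, "body_length": 900}, 1),
    ({"geodesic_km": 3000, "neighborhood_density": 25, "n_recipients": 20, "body_length": 700}, 1),
    ({"geodesic_km": 0, "neighborhood_density": 1, "n_recipients": 1, "body_length": 4200}, 0),
    ({"geodesic_km": 1200, "neighborhood_density": 1, "n_recipients": 2, "body_length": 1800}, 0),
    ({"geodesic_km": 3400, "neighborhood_density": 2, "n_recipients": 1, "body_length": 9000}, 0),
    ({"geodesic_km": 7000, "neighborhood_density": 1, "n_recipients": 3, "body_length": 12000}, 0),
]

# Base learners f(x): (description, predicate, variables it uses).
# Assumption: hand-written rules and thresholds, illustrative only.
RULES = [
    ("geodesic_km > 5000",
     lambda x: x["geodesic_km"] > 5000, ("geodesic_km",)),
    ("neighborhood_density > 10 and n_recipients > 5",
     lambda x: x["neighborhood_density"] > 10 and x["n_recipients"] > 5,
     ("neighborhood_density", "n_recipients")),
    ("body_length < 1000",
     lambda x: x["body_length"] < 1000, ("body_length",)),
    ("n_recipients <= 2",
     lambda x: x["n_recipients"] <= 2, ("n_recipients",)),
]


def rule_vector(x):
    """0/1 indicator of which rules fire on x."""
    return [1.0 if pred(x) else 0.0 for _, pred, _ in RULES]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def fit(train, l1=0.001, lr=0.5, epochs=4000):
    """Logistic loss over the rule indicators plus an L1 penalty, minimised
    by (sub)gradient descent. Returns (weights, bias)."""
    rows = [(rule_vector(x), y) for x, y in train]
    w, b = [0.0] * len(RULES), 0.0
    n = len(rows)
    for _ in range(epochs):
        gw, gb = [0.0] * len(RULES), 0.0
        for r, y in rows:
            err = sigmoid(b + sum(wi * ri for wi, ri in zip(w, r))) - y
            gb += err / n
            for j, rj in enumerate(r):
                gw[j] += err * rj / n
        for j in range(len(w)):
            sign = 1 if w[j] > 0 else -1 if w[j] < 0 else 0
            w[j] -= lr * (gw[j] + l1 * sign)
        b -= lr * gb
    return w, b


def predict(model, x):
    """Probability that x is spam under the fitted rule ensemble."""
    w, b = model
    return sigmoid(b + sum(wi * ri for wi, ri in zip(w, rule_vector(x))))


def feature_importance(model, train):
    """Rule importance |w_k| * sqrt(s_k (1 - s_k)), s_k = fraction of rows the
    rule fires on, shared equally among the rule's input variables."""
    w, _ = model
    rows = [rule_vector(x) for x, _ in train]
    importance = {}
    for k, (_, _, vars_) in enumerate(RULES):
        s = sum(r[k] for r in rows) / len(rows)
        i_k = abs(w[k]) * math.sqrt(s * (1 - s))
        for v in vars_:
            importance[v] = importance.get(v, 0.0) + i_k / len(vars_)
    return importance


if __name__ == "__main__":
    model = fit(TRAIN)
    for (desc, _, _), wk in zip(RULES, model[0]):
        print(f"{wk:+.2f}  {desc}")
    print(sorted(feature_importance(model, TRAIN).items(), key=lambda kv: -kv[1]))
```

Two things the slide leaves implicit are visible here: the last training row is a legitimate sender that is geographically far away, so the "geodesic_km > 5000" rule alone cannot carry the decision and its weight stays small, while rules combining neighborhood density and recipient count dominate; and the L1 penalty is what keeps the model sparse, so the variables that survive in non-zero rules are the ones the importance measure reports.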

Page 7

Implementation

Other scenarios:
  o A standalone DNS-based blacklist
  o A first-pass filter before existing mechanisms
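The two deployment scenarios on this slide can be sketched together: a reputation engine can publish verdicts as a DNS-based blacklist (the usual DNSBL convention is to query the sender's octets reversed under a zone and get an A record in 127.0.0.0/8 when the address is listed), and a receiving MTA can consult it as a first pass before its existing content filter. The Python below is an added example, not the SNARE project's code or its DNSBL layout: the zone name, the return-code meanings and the answer map are constructed assumptions, and the resolver is injected so the example runs offline.

```python
from ipaddress import ip_address

# Assumed zone name for a reputation-engine-fed DNSBL.
ZONE = "snare.example"
# Assumed encoding: last octet of the A record -> reputation bucket.
RETURN_CODES = {2: "spam", 3: "suspicious"}

# Constructed stand-in for DNS answers: query name -> A record, or None
# for NXDOMAIN (address not listed).
FAKE_RECORDS = {
    "10.113.0.203.snare.example": "127.0.0.2",
    "7.100.51.198.snare.example": None,
    "44.2.0.192.snare.example": "127.0.0.3",
}


def dnsbl_query_name(ip, zone=ZONE):
    """203.0.113.10 -> '10.113.0.203.<zone>' (octets reversed, DNSBL style)."""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fake_resolve(name):
    """Stand-in for an A-record lookup. A real deployment would query a DNS
    resolver here and map NXDOMAIN to None."""
    return FAKE_RECORDS.get(name)


def reputation(ip, resolve=fake_resolve):
    """Returns 'spam', 'suspicious', 'listed' (unknown code) or 'unlisted'."""
    answer = resolve(dnsbl_query_name(ip))
    if answer is None:
        return "unlisted"
    last_octet = int(answer.split(".")[-1])
    return RETURN_CODES.get(last_octet, "listed")


def first_pass(ip, resolve=fake_resolve):
    """Use the reputation engine as a first-pass filter: act only on a
    confident verdict and hand everything else to the existing filter."""
    if reputation(ip, resolve) == "spam":
        return "reject"
    return "pass_to_content_filter"


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.44", "198.51.100.7"):
        print(ip, dnsbl_query_name(ip), reputation(ip), first_pass(ip))
```

Keeping the "suspicious" bucket out of the reject path is the point of the first-pass arrangement: the network-level verdict removes the clear cases cheaply, and the heavier content-based mechanisms still see anything the reputation engine was unsure about.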

Page 8

Evasion and Limitations

• AS numbers: robust for indicating malicious hosts; it is not easy for spammers to move mail servers or bot armies to a different AS
• Message length: knowing that SNARE checks the length of the message, a spammer might start to randomize the lengths of his emails.
• Nearest neighbor: hard to modify. However, the botnet controller could direct bots on the same subnet to target different sets of destinations.
• Open ports: legitimate hosts could be blocking port scans.
• Geodesic distance: spammer could modify bots to send to closer recipients.
• Number of recipients: spammer could send to individual hosts one by one.
• Time of day: botnets could send email during legitimate peak hours to look legitimate.

• Authors' main argument: the above changes are difficult or would limit the flexibility and efficiency of the botnet.

• Other limitations: scaling, web-based email accounts

Page 9

Evaluation

• 14 days of data, October 22, 2007 to November 4, 2007
• Data trace is divided into two parts:
  o The first half is used for the measurement study
  o The other half is used to evaluate SNARE’s performance
• RuleFit trained with 1 million randomly sampled messages from each day (5% to 95% spam-to-ham ratio)

Page 10

Evaluation

Page 11

Future Work

• Incorporating temporal features into the classification engine
• Making SNARE more evasion-resistant
• Refining the whitelist

Page 12

Thank you!