An effective defense against email spam laundering
Source: Conference on Computer and Communications Security
Proceedings of the 13th ACM conference on Computer and communications security
Alexandria, Virginia, USA
SESSION: Privacy and authentication
Pages: 179 - 190
Year of Publication: 2006
ISBN:1-59593-518-5
Authors
Mengjun Xie  The College of William and Mary, Williamsburg, VA
Heng Yin  The College of William and Mary, Williamsburg, VA
Haining Wang  The College of William and Mary, Williamsburg, VA
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 18,   Downloads (12 Months): 180,   Citation Count: 2
DOI: http://doi.acm.org/10.1145/1180405.1180428

ABSTRACT

Laundering email spam through open proxies or compromised PCs is a widely used trick to conceal real spam sources and reduce spamming cost in the underground email spam industry. Spammers have been plaguing the Internet by exploiting a large number of spam proxies. The facility of breaking spam laundering and deterring spamming activities close to their sources, which would greatly benefit not only email users but also victim ISPs, is in great demand but still missing. In this paper, we reveal one salient characteristic of proxy-based spamming activities, namely packet symmetry, by analyzing protocol semantics and timing causality. Based on the packet symmetry exhibited in spam laundering, we propose a simple and effective technique, DBSpam, to detect and break spam laundering activities inside a customer network online. Monitoring the bi-directional traffic passing through a network gateway, DBSpam utilizes a simple statistical method, the Sequential Probability Ratio Test, to detect the occurrence of spam laundering in a timely manner. To balance the goals of promptness and accuracy, we introduce a noise-reduction technique in DBSpam, after which the laundering path can be identified more accurately. Then, DBSpam activates its spam-suppressing mechanism to break the spam laundering. We implement a prototype of DBSpam based on libpcap, and validate its efficacy through both theoretical analyses and trace-based experiments.



