Laundering e-mail spam through open-proxies or compromised PCs is a widely-used trick to conceal real spam sources and reduce spamming cost in the underground e-mail spam industry. Spammers have plagued the Internet by exploiting a large number of spam proxies. The facility of breaking spam laundering and deterring spamming activities close to their sources, which would greatly benefit not only e-mail users but also victim ISPs, is in great demand but still missing. In this article, we reveal one salient characteristic of proxy-based spamming activities, namely packet symmetry, by analyzing protocol semantics and timing causality. Based on the packet symmetry exhibited in spam laundering, we propose a simple and effective technique, DBSpam, to online detect and break spam laundering activities inside a customer network. Monitoring the bidirectional traffic passing through a network gateway, DBSpam utilizes a simple statistical method, Sequential Probability Ratio Test, to detect the occurrence of spam laundering in a timely manner. To balance the goals of promptness and accuracy, we introduce a noise-reduction technique in DBSpam, after which the laundering path can be identified more accurately. Then DBSpam activates its spam suppressing mechanism to break the spam laundering. We implement a prototype of DBSpam based on libpcap, and validate its efficacy on spam detection and suppression through both theoretical analyses and trace-based experiments.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Mauro Andreolini , Alessandro Bulgarelli , Michele Colajanni , Francesca Mazzoni, HoneySpam: honeypots fighting spam at the source, Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop, p.11-11, July 07, 2005, Cambridge, MA
	2	Bächer, P., Holz, T., Kötter, M., and Wicherski, G. 2005. Know your enemy: Tracking botnets. http://www.honeynet.org/papers/bots/.
	3	Back, A. 1997. Hashcash: A denial of service counter-measure. http://www.hashcash.org/papers/hashcash.pdf.
	4	Jeremy Blosser , David Josephsen, Awarded Best Paper! - Scalable Centralized Bayesian Spam Mitigation with Bogofilter, Proceedings of the 18th USENIX conference on System administration, November 14-19, 2004, Atlanta, GA
	5	Blum, A., Song, D. X., and Venkataraman, S. 2004. Detection of interactive stepping stones: Algorithms and confidence bounds. In Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID’04). Sophia Antipolis, France.
	6	CBL. 2007. Composite blocking list. http://cbl.abuseat.org.
	7	Delany, M. 2006. Domain-based e-mail authentication using public keys advertised in the DNS (DomainKeys). RFC 4870.
	8	Scott Garriss , Michael Kaminsky , Michael J. Freedman , Brad Karp , David Mazières , Haifeng Yu, RE: reliable email, Proceedings of the 3rd conference on Networked Systems Design & Implementation, p.22-22, May 08-10, 2006, San Jose, CA
	9	Pawel Gburzynski , Jacek Maitan, Fighting the spam wars: A remailer approach with restrictive aliasing, ACM Transactions on Internet Technology (TOIT), v.4 n.1, p.1-30, February 2004  [doi>10.1145/967030.967031]
	10	R. Gellens , J. Klensin, Message Submission, RFC Editor, 1998
	11	Graham, P. 2002. A plan for spam. http://www.paulgraham.com/spam.html.
	12	Shlomo Hershkop , Salvatore J. Stolfo, Combining email models for false positive reduction, Proceedings of the eleventh ACM SIGKDD international conference on Knowledge discovery in data mining, August 21-24, 2005, Chicago, Illinois, USA  [doi>10.1145/1081870.1081885]
	13	Tim Hunter , Paul Terry , Alan Judge, Distributed Tarpitting: Impeding Spam Across Multiple Servers, Proceedings of the 17th USENIX conference on System administration, October 26-31, 2003, San Diego, CA
	14	Ioannidis, J. 2003. Fighting spam by encapsulating policy in e-mail addresses. In Proceedings of the 10th Annual Network and Distributed System Security Symposium (NDSS’03). San Diego, CA, 1--8.
	15	Jung, J., Paxson, V., Berger, A. W., and Balakrishnan, H. 2004. Fast portscan detection using sequential hypothesis testing. In Proceedings of the 25th IEEE Symposium on Security and Privacy (SSP’04). Oakland, CA, 211--225.
	16	Jaeyeon Jung , Emil Sit, An empirical study of spam traffic and the use of DNS black lists, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy  [doi>10.1145/1028788.1028838]
	17	J. Klensin, Simple Mail Transfer Protocol, RFC Editor, 2001
	18	Krishnamurthy, B. and Blackmond, E. 2004. SHRED: Spam harassment reduction via economic disincentives. http://www.research.att.com/ bala/papers/shred-ext.pdf.
	19	M. Leech , M. Ganis , Y. Lee , R. Kuris , D. Koblas , L. Jones, SOCKS Protocol Version 5, RFC Editor, 1996
	20	Li, K., Pu, C., and Ahamad, M. 2004. Resisting spam delivery by tcp damping. In Proceedings of the 1st Conference on E-mail and Anti-Spam. Mountain View, CA, 191--198.
	21	Kang Li , Zhenyu Zhong, Fast statistical spam filter by approximate classifications, Proceedings of the joint international conference on Measurement and modeling of computer systems, June 26-30, 2006, Saint Malo, France
	22	Lyon, J. and Wong, M. W. 2004. Sender id: Authenticating e-mail. RFC 4406.
	23	MARID. 2004. MTA authorization records in DNS. http://www.ietf.org/html.charters/OLD/marid-charter.html.
	24	MessageLabs. 2006. Messagelabs intelligence annual e-mail security report 2006. http://www.messagelabs.com/Threat_Watch/.
	25	Microsoft. 2003. The penny black project. http://research.microsoft.com/research/sv/PennyBlack/.
	26	Postini. 2006. Sender behavior analysis. http://www.postini.com.
	27	Prakash, V. V. 2007. Vipul’s razor. http://razor.sourceforge.net/.
	28	Niels Provos, A virtual honeypot framework, Proceedings of the 13th conference on USENIX Security Symposium, p.1-1, August 09-13, 2004, San Diego, CA
	29	Svetlana Radosavac , John S. Baras , Iordanis Koutsopoulos, A framework for MAC protocol misbehavior detection in wireless networks, Proceedings of the 4th ACM workshop on Wireless security, September 02-02, 2005, Cologne, Germany  [doi>10.1145/1080793.1080801]
	30	Ramachandran, A., Dagon, D., and Feamster, N. 2006. Can DNS-based blacklists keep up with bots? In Proceedings of the 3rd Conference on E-mail and Anti-Spam (CEAS’06). Mountain View, CA, 55--56.
	31	Anirudh Ramachandran , Nick Feamster, Understanding the network-level behavior of spammers, Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications, September 11-15, 2006, Pisa, Italy
	32	Rhyolite. 2000. Distributed checksum clearinghouse (dcc). http://www.rhyolite.com/anti-spam/dcc/.
	33	Martin Roesch, Snort - Lightweight Intrusion Detection for Networks, Proceedings of the 13th USENIX conference on System administration, November 07-12, 1999, Seattle, Washington
	34	SecurityTracker. 2001. Formmail.pl web-to-e-mail cgi script allows unauthorized users to send mail anonymously. http://www.securitytracker.com/alerts/2001/Mar/1001108.html.
	35	SORBS. 2006. Spam and open relay blocking system (sorbs). http://www.sorbs.net/.
	36	SpamAssassin. 2006. The apache spam assassin project. http://spamassassin.apache.org/.
	37	Spamhaus. 2005. Increasing spam threat from proxy hijackers. http://www.spamhaus.org/news.lasso?article=156.
	38	SpamLinks. 2006. Challenge/response spam filters. http://spamlinks.net/filter-cr.htm.
	39	TopLayer. 2006. http://www.toplayer.com.
	40	Turner, A. 2006. Tcpreplay. http://tcpreplay.synfin.net/trac/.
	41	Dan Twining , Matthew M. Williamson , Miranda J. F. Mowbray , Maher Rahmouni, Email prioritization: reducing delays on legitimate mail caused by junk mail, Proceedings of the annual conference on USENIX Annual Technical Conference, p.4-4, June 27-July 02, 2004, Boston, MA
	42	Wald, A. 2004. Sequential Analysis. Dover Publications.
	43	Michael Walfish , J. D. Zamfirescu , Hari Balakrishnan , David Karger , Scott Shenker, Distributed quota enforcement for spam control, Proceedings of the 3rd conference on Networked Systems Design & Implementation, p.21-21, May 08-10, 2006, San Jose, CA
	44	Watson, D., Holz, T., and Mueller, S. 2005. Know your enemy: Phishing. http://www.honeynet.org/papers/phishing/.
	45	Matthew M. Williamson, Design, Implementation and Test of an Email Virus Throttle, Proceedings of the 19th Annual Computer Security Applications Conference, p.76, December 08-12, 2003
	46	Wong, M. W. and Schlitt, W. 2006. Sender policy framework (SPF) for authorizing use of domains in e-mail, version 1. RFC 4408.
	47	Woolridge, D., Law, J., and Kawasaki, M. 2004. The qmail spam throttle mechanism. http://spamthrottle.qmail.ca/man/qmail-spamthrottle.5.html.
	48	Yerazunis, B. 2003. CRM114 - the controllable regex mutilator. http://crm114.sourceforge.net.
	49	Yin Zhang , Vern Paxson, Detecting stepping stones, Proceedings of the 9th conference on USENIX Security Symposium, p.13-13, August 14-17, 2000, Denver, Colorado
	50	Zhou, F., Zhuang, L., Zhao, B. Y., Huang, L., Joseph, A. D., and Kubiatowicz, J. 2003. Approximate object location and spam filtering on peer-to-peer systems. In Proceedings of the 4th ACM/IFIP/USENIX International Middleware Conference (MIDDLEWARE’03), Rio de Janeiro, Brazil. M. Endler and D. Schmidt, eds. Lecture Notes in Computer Science, vol. 2672. Springer Berlin, Germany, 1--20.