Zhiyun Qian, Zhuoqing Morley Mao, Yinglian Xie, and Fang Yu
Spam is increasingly accepted as a problem associated with compromised hosts or email accounts. This problem not only makes the tracking of spam sources difficult but also enables a massive amount of illegitimate or unwanted emails to be disseminated quickly. Various attempts have been made to analyze, backtrack, detect, and prevent spam using both network as well as content characteristics. However, relatively less attention has been given to understanding how spammers actually carry out their spamming activities from a network angle. Spammers’ network behavior has significant impact on spammers’ common goal, sending spam in a stealthy and efficient manner. Our work thoroughly investigates a fairly unknown spamming technique we name as triangular spamming that exploits routing irregularities of spoofed IP packets. It is highly stealthy and efficient in that triangular spamming enables 1) exploiting bandwidth diversity of botnet hosts to carry out spam campaigns effectively without divulging precious high-bandwidth hosts and 2) bypassing the current SMTP traffic blocking policies. Despite its relative obscurity, its use has been confirmed by the network operator community. Through carefully devised probing techniques and actual deployment of triangular spamming on Planetlab (a wide-area distributed testbed), we investigate the feasibility, impact of triangular spamming and propose practical detection and prevention methods. From our probing experiments, we found that 97% of the networks which block outbound SMTP traffic are vulnerable to triangular spamming and only 44% of them are listed on Spamhaus Policy Blocking List (PBL).
|Published in||IEEE Symposium on Security and Privacy (Oakland) 2010|