SpamFlow

Overview

  • What: SpamFlow is a spam detection technique that relies on neither content nor reputation analysis. Instead, this work investigates the discriminatory power of the email TCP packet stream.

  • Why: Spam's low penetration rate requires that spammers send extremely large volumes of mail, increasingly through botnets, in order to remain commercially viable. Botnet hosts are typically widely distributed with low, asymmetric bandwidth Internet connections. Therefore, while legitimate mail traffic is well-behaved, we observe small congestion windows, retransmissions, loss and large latencies in spam flows.

  • How: SpamFlow uses machine learning and feature selection to identify the most selective flow properties, thereby adapting to different networks and users.

  • Benefit: By capitalizing on spam's fundamental requirement to source large quantities of mail, often from resource-constrained hosts and networks, SpamFlow promises a unique and difficult-to-subvert complement to existing spam defenses.
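
To make the flow properties named above concrete, the following added example (not SpamFlow's code and not taken from the paper) reduces the packets of one SMTP connection, as seen at the receiving mail server, to a small feature vector that a learner could consume. The record layout, the feature names and both sample flows are constructed assumptions.

```python
from collections import namedtuple

# Constructed record for one TCP segment seen at the receiving mail server.
# src: "c" = remote sending host, "s" = our mail server. Field names are assumed.
Pkt = namedtuple("Pkt", "ts src seq length flags")

def flow_features(pkts):
    """Reduce one SMTP connection's packets to transport-level features."""
    synack_ts = next(p.ts for p in pkts if p.src == "s" and p.flags == "SA")
    # The client's first pure ACK after our SYN-ACK completes the handshake;
    # the gap approximates the round-trip time to the sending host.
    ack_ts = next(p.ts for p in pkts if p.src == "c" and p.flags == "A"
                  and p.length == 0 and p.ts > synack_ts)
    seen, arrivals, retrans = set(), [], 0
    for p in pkts:
        if p.src != "c" or p.length == 0:
            continue                      # only client data segments
        arrivals.append(p.ts)
        if p.seq in seen:                 # exact sequence number repeated: retransmission
            retrans += 1
        seen.add(p.seq)
    gaps = [b - a for a, b in zip(arrivals, arrivals[1:])]
    return {
        "handshake_rtt": round(ack_ts - synack_ts, 3),
        "retransmissions": retrans,
        "retrans_rate": round(retrans / len(arrivals), 3) if arrivals else 0.0,
        "max_gap": round(max(gaps), 3) if gaps else 0.0,
        "reset": any("R" in p.flags for p in pkts),
    }

# Constructed sample flows (illustrative values, not measurements from the paper).
WELL_BEHAVED = [
    Pkt(0.000, "c", 1000, 0, "S"), Pkt(0.001, "s", 5000, 0, "SA"),
    Pkt(0.020, "c", 1001, 0, "A"), Pkt(0.045, "c", 1001, 20, "PA"),
    Pkt(0.070, "c", 1021, 1400, "A"), Pkt(0.071, "c", 2421, 1400, "A"),
    Pkt(0.095, "c", 3821, 0, "FA"),
]
CONGESTED = [
    Pkt(0.000, "c", 7000, 0, "S"), Pkt(0.001, "s", 9000, 0, "SA"),
    Pkt(0.412, "c", 7001, 0, "A"), Pkt(0.900, "c", 7001, 20, "PA"),
    Pkt(1.400, "c", 7021, 536, "A"), Pkt(4.400, "c", 7021, 536, "A"),
    Pkt(4.950, "c", 7557, 536, "A"), Pkt(5.200, "c", 8093, 0, "R"),
]

if __name__ == "__main__":
    for name, flow in (("well-behaved", WELL_BEHAVED), ("congested", CONGESTED)):
        print(name, flow_features(flow))
```

Detecting retransmissions by an exactly repeated sequence number is a simplification; segments that only partially overlap earlier data are not counted here.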

Paper

Exploiting Transport-Level Characteristics of Spam
Robert Beverly and Karen Sollins
Fifth Conference on Email and AntiSpam (CEAS2008),
Mountain View, CA, August 2008.

[Full Technical Report]

FAQ

Frequently Asked SpamFlow Questions

Software

Coming soon... please contact us if interested.

CEAS2008 Notes

My notes from the Conference on Email and AntiSpam are available on-line here.

Contact Information

Please direct questions, comments and flames toward SpamFlow's author: Rob Beverly