Abstract

We show how a Network Service Provider (NSP) can detect whether any of its customers are involved in malware activity such as spamming or phishing. The NSP's router performs a sampled packet analysis of outgoing and incoming messages, and combines this with our earlier methods for detecting spammer domain clusters (swarms) or phishing. Our method lets an NSP quickly shut down spammer customers, and reduces the risk that it and its innocent customers are blacklisted by other NSPs and ISPs. We use static and dynamic blacklists to detect spam/bulk messages in a message stream. We also use three sets of Bulk Message Envelopes (BMEs): a static set, which might be obtained from an Aggregation Center; a dynamic blacklisted BME set, built from messages hit by our blacklists; and a dynamic BME set into which "good" bulk messages are put. In tests, our method has programmatically and consistently detected around 80% of sets of email messages as bulk/spam.
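As an added example (not code from the original document), the following Python sketch shows how the static and dynamic blacklists and the three BME sets described above could fit together in a per-customer detector at the NSP. How a BME is computed is an assumption here (a hash of a lower-cased, digit-masked body), as are the bulk threshold and the rule that a sender whose message matches a blacklisted BME joins the dynamic blacklist; the sample traffic is constructed.

```python
import hashlib
import re
from collections import Counter, defaultdict

SAMPLE = [  # constructed sample traffic: (customer id, sender domain, message body)
    ("cust-A", "bad-swarm.example", "Buy now! Offer 123"),     # static blacklist hit
    ("cust-B", "fresh-sender.example", "Buy now! Offer 456"),  # same envelope as above
    ("cust-A", "bad-swarm.example", "Cheap pills 99"),
    ("cust-C", "newsletter.example", "Weekly digest issue 7"),
    ("cust-C", "newsletter.example", "Weekly digest issue 8"),
    ("cust-C", "newsletter.example", "Weekly digest issue 9"),
    ("cust-D", "friend.example", "Lunch tomorrow?"),
]
STATIC_BLACKLIST = {"bad-swarm.example"}  # assumed static domain blacklist
STATIC_BMES = set()                        # assumed Aggregation Center BME set (empty here)

def bme(body):
    """Bulk Message Envelope (assumed: hash of a lower-cased, digit-masked body)."""
    canon = re.sub(r"\d+", "#", " ".join(body.lower().split()))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

class Detector:
    def __init__(self, static_blacklist, static_bmes, bulk_threshold=3):
        self.static_bl, self.dynamic_bl = set(static_blacklist), set()
        self.static_bmes, self.bad_bmes, self.good_bmes = set(static_bmes), set(), set()
        self.seen, self.threshold = Counter(), bulk_threshold
        self.per_customer = defaultdict(Counter)  # verdict counts per NSP customer

    def classify(self, customer, domain, body):
        env = bme(body)
        self.seen[env] += 1
        if domain in self.static_bl or domain in self.dynamic_bl:
            self.bad_bmes.add(env)          # blacklist hit feeds the dynamic bad-BME set
            verdict = "spam"
        elif env in self.static_bmes or env in self.bad_bmes:
            self.dynamic_bl.add(domain)     # assumption: known-bad envelope blacklists its sender
            verdict = "spam"
        elif env in self.good_bmes or self.seen[env] >= self.threshold:
            self.good_bmes.add(env)         # repeated, never-blacklisted envelope = "good" bulk
            verdict = "bulk"
        else:
            verdict = "ham"                 # early copies of a bulk run pass until the threshold
        self.per_customer[customer][verdict] += 1
        return verdict

    def flagged_customers(self, min_spam=2):
        return sorted(c for c, v in self.per_customer.items() if v["spam"] >= min_spam)

def run(sample=SAMPLE):
    det = Detector(STATIC_BLACKLIST, STATIC_BMES)
    return [det.classify(*m) for m in sample], det
```

Running `run()` on the constructed sample flags only `cust-A`, while `fresh-sender.example` lands on the dynamic blacklist because its message shares an envelope with a blacklisted one.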