Title :
Addressing SMTP-Based Mass-Mailing Activity within Enterprise Networks
Author :
Whyte, David ; van Oorschot, Paul C. ; Kranakis, Evangelos
Author_Institution :
Carleton University, Canada
Abstract :
Malicious mass-mailing activity on the Internet is a serious and continuing threat that includes mass-mailing worms, spam, and phishing. A mechanism commonly used to deliver such malicious mass mail is an SMTP-engine, which turns an infected system into a malicious mail server. We present a technique that enables, within a single mailing attempt in many popular network environments, detection and containment of (even zero-day) SMTP-engine based mass-mailing activity. Contrary to other mass-mailing detection techniques our approach is content independent and requires no attachment processing, network traffic correlation, statistical measures, or system behavioral analysis. It relies instead on the observation of DNS MX queries within the enterprise network. This stateless detection technique requires minimal computational resources making it ideally suited for real-time wire-speed deployment.
Keywords :
Computer science; Computer worms; Electronic mail; IP networks; Information filtering; Information filters; Network servers; Protocols; System testing; Web server;
Conference_Titel :
Computer Security Applications Conference, 2006. ACSAC '06. 22nd Annual
Conference_Location :
Miami Beach, FL, USA
Print_ISBN :
0-7695-2716-7
DOI :
10.1109/ACSAC.2006.11