Information Theoretic Approach for Characterizing Spam Botnets Based on Traffic Properties

In this paper, we present several novel identifying characteristics of spam-sending bots (or spambots) based on traffic statistics. We use the entropy to measure the distribution skewness for a number of traffic features including packet inter-departure time, email per recipients, rate of change in recipient list and destination domains, and inconsistency in email header information of the outgoing email traffic. We also show how we can measure the deviation in these features from benign emails traffic to decisively detect spambots. Our tool is developed to sit anonymously behind the mail server in a network, capturing SMTP data packets and analyzing the traffic while keeping all of the personal email data private and unrecoverable. Unlike content filtering, our technique is hard to evade and used to detect spam email close to the source. In addition, our technique uses online light weight calculations and can be efficiently deployed in the end-user or ISP devices as well. We evaluated our technique using about 6 million email records of real spambot traffic collected during June 2007 - June 2008. Our evaluation results show that our tool can detect spambots accurately and efficiently even with high traffic volume.