Lesson 11.2 - Spam

Question 1

What is the problem with SPAM?

Answer 1

1. Filters: Someone must design filters
2. Storage: email servers must store SPAM
3. Security problems: Phishing

Question 2

How much of email traffic is SPAM

Answer 2

95%?

Question 3

How to differentiate “SPAM” from “Ham”

Answer 3

1. Content-based: Looked at what in the mail
2. IP address of sender (blacklist)
3. Behavioral features - if the mail is sent at a time or in a batch.

Question 4

What’s the problem with Content-based filtering?
A: Too slow
B: Easy for attackers to evade
C: Words are difficult to parse

Answer 4

B: Easy to evade

Question 5

Behavioral features

Answer 5

1. Geographical location of sender/receiver
2. Set of target recipients
3. Upstream ISP
4. Botnet?

This is challenging because you must understand network behavior and then build classifiers

Question 6

BGP “Agility” make blacklists ineffective why?

Answer 6

1. Hijack IP prefix (within 10 minutes)
2. Send SPAM
3. Withdraw IP prefix. This makes IP blacklists ineffective.

Question 7

Features that worked well that the receiver could make a decision make on based on the first packet?

Answer 7

Single packet features:
- Distance between sender/rec
- Density IP space 
- Time of day
- AS
Single message 
- # of recipients
- length of message
Aggregates (group of messages9
- variation in message length