External links

Full text: PDF

Information about this paper

Abstract

End users are often unaware that their systems have been compromised and are being used to send bulk unsolicited email (spam). We show how automated processing of the email logs recorded on the "smarthost" provided by an ISP for their customer's outgoing email can be used to detect this spam. The variability and obfuscation being employed by the spammers to avoid detection at the destination creates distinctive patterns that allow legitimate email traf c to be distinguished from spam at the source. Some relatively simple heuristics result in the detection of low numbers of "false positives" despite tuning to ensure few "false negatives". The system is deployed at a major ISP and has considerably improved the "time-to-fix" for customers who are inadvertently relaying spam and, as a bonus, has proved very effective at detecting a number of recent email virus epidemics.