To beat spam, turn its own weapons against it

SPAMMERS' own trickery has been used to develop an "effectively perfect" method for blocking the most common kind of spam, a team of computer scientists claims.

Most of the billions of spam messages sent each day originate in networks of compromised computers, called botnets. Unbeknown to their owners, the machines quietly run malicious software in the background that pumps out spam.

Researchers have now come up with a system that deciphers the templates a botnet is using to create spam. These templates are then used to teach spam filters what to look for.

The system, developed by a team at the International Computer Science Institute in Berkeley, California, and the University of California, San Diego, works by exploiting a trick that spammers use to defeat email filters. As spam is churned out, subtle changes are typically incorporated into the messages to confound spam filters. Each message is generated from a template that specifies the message content and how it should be varied. The team reasoned that analysing such messages could reveal the template that created them. And since the spam template describes the entire range of the emails a bot will send, possessing it might provide a watertight method of blocking spam from that bot.

To test their idea, the team installed a previously captured software bot onto a machine. After analysing 1000 emails generated by this compromised machine - less than 10 minutes' work for most bots - the researchers were able to reverse-engineer the template. Knowledge of that template then enabled filters to block further spam from that bot with 100 per cent accuracy.

High accuracy can be achieved by existing spam filters, but sometimes at the cost of blocking legitimate mail. The new system did not produce a single false positive when tested against more than a million genuine messages, says Andreas Pitsillidis, one of the team: "The biggest advantage is this false positive rate."

"This is an interesting approach which really differs by using the bots themselves as the oracles for producing the filters," says Michael O'Reirdan, chairman of the Messaging Anti-Abuse Working Group, a coalition of technology companies. But he adds that botnets have grown so large that even a 1-minute delay in cracking the template would be "long enough for a very substantial spam campaign".

The research will be presented in March at the Network and Distributed System Security Symposium in San Diego.

Courtesy Computer Crime