Addressing Malicious SMTP-based Mass-Mailing Activity Within an Enterprise Network
Given all of the recent mass-mailer worm activity, it makes sense to put a paper on dealing with them here.
Malicious mass-mailing activity on the Internet is a serious and continuing threat that includes mass-mailing worms, spam, and phishing. A mechanism commonly used to deliver such malicious mass mail is an SMTP-engine, which turns an infected system into a malicious mail server. We present a technique that enables, in certain network environments, detection and containment of (even zero-day) SMTP-engine based mass-mailing activity within a single mailing attempt. Contrary to other mass-mailing detection techniques, our approach is content independent and requires no attachment processing, statistical measures, or system behavioral analysis. It relies strictly on the observation of DNS MX queries within the enterprise network. Our approach can be used as an alternative to port 25 blocking and in conjunction with current proposals to address mass-mailing abuses (e.g. SPF, DomainKeys). Our analysis on network traces from a medium sized university network indicates that MX query activity from client systems is a viable SMTP-engine detection method with a very low false positive rate. Our detection and containment approach has been successfully tested with a prototype using a live mass-mailing worm in an isolated test network.
Source: Addressing Malicious SMTP-based Mass-Mailing Activity Within an Enterprise Network, David Whyte, P.C. van Oorschot, Evangelos Kranakis.
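The detection idea in the abstract, MX lookups coming from hosts that are not the enterprise's mail relays, can be checked directly against a resolver's query log. The following is an added example written for this post, not code from the paper or its prototype; the log format is BIND-style query logging, the addresses are constructed placeholders, and the allowlist of legitimate mail servers is an assumption an operator would fill in.

```python
import re
from collections import defaultdict

# Constructed sample of BIND-style query-log lines (placeholder addresses,
# not data from the paper).  10.1.0.25 plays the enterprise mail relay.
SAMPLE_LOG = """\
client 10.1.2.3#49213: query: example.org IN A + (10.1.0.53)
client 10.1.0.25#51000: query: example.net IN MX + (10.1.0.53)
client 10.1.2.40#40001: query: example.com IN MX + (10.1.0.53)
client 10.1.2.40#40002: query: example.net IN MX + (10.1.0.53)
client 10.1.2.40#40003: query: example.org IN MX + (10.1.0.53)
client 10.1.2.3#49214: query: example.com IN AAAA + (10.1.0.53)
"""

# Hosts that legitimately resolve MX records: the site's mail relays.
# Assumption for this example; an operator supplies the real list.
MAIL_SERVERS = {"10.1.0.25"}

LINE_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)

def parse_query_log(text):
    """Yield (source_ip, qname, qtype) for each well-formed query-log line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("name"), m.group("qtype")

def find_mx_clients(text, mail_servers=MAIL_SERVERS):
    """Return {client_ip: sorted domains} for non-relay hosts that issued
    MX queries.  One MX query from a client is already the signal the paper
    relies on; the domain list is kept as evidence for the analyst."""
    hits = defaultdict(set)
    for src, name, qtype in parse_query_log(text):
        if qtype == "MX" and src not in mail_servers:
            hits[src].add(name.rstrip("."))
    return {ip: sorted(doms) for ip, doms in hits.items()}

def containment_actions(hits):
    """Map each flagged client to its containment step: quarantine the host
    (e.g. drop its outbound TCP/25) and attach the MX lookups as evidence."""
    return {ip: f"quarantine {ip}; evidence: MX lookups for {', '.join(doms)}"
            for ip, doms in hits.items()}
```

Ordinary clients resolve A/AAAA records of the sites they visit and leave MX lookups to the mail relay, which is why the abstract reports a very low false positive rate for this signal.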
February 9, 2006 in mass mailers, papers
Comments
Hmmm, customers of a security service my company provides have such a protection, which I thought of AND implemented somewhere in Q3 2005.
We called it 'Block MX queries from host' protection, and it is indeed quite effective.
Never thought to write a whole paper about it...
Posted by: Yaniv Kaul | Feb 10, 2006 2:04:22 AM
I'd like to thank David Whyte, P.C. van Oorschot and Evangelos Kranakis for such a good paper on mass-mailing worms. I also agree that content and attachment processing would result in tons of signatures. Every day we have a new mass-mailing worm with new subjects, attachments and body.
But what about the mass-mailing worms using user's SMTP engine and the email client.
For that we need to have signatures based on the contents only, I feel. Am I right?
Posted by: Sandeep Paul | Feb 17, 2006 3:23:50 AM