Router-level spam filtering using TCP fingerprints: Architecture and measurement-based evaluation

Holly Esquivel, Tatsuya Mori, Aditya Akella

Research output: Paper (peer-reviewed)

13 Citations (Scopus)


Email spam has become costly and difficult to manage in recent years. Many of the mechanisms used for controlling spam are located at local SMTP servers and end-host machines. These mechanisms can place a significant burden on mail servers and end-host machines as the number of spam messages received continues to increase. We propose a preliminary architecture that applies spam detection filtering at the router level using lightweight signatures for spam senders. We argue for using TCP headers to develop fingerprint signatures that can be used to identify spamming hosts based on the specific operating system and version from which the email is sent. These signatures are easy to compute in a lightweight, stateless fashion. More importantly, only a small amount of fast router memory is needed to store the signatures that contribute a significant portion of spam. We present simple heuristics and architectural enhancements for selecting signatures which result in a negligible false positive rate. We evaluate the effectiveness of our approach on data sets collected at two different vantage points simultaneously, the University of Wisconsin-Madison and a corporation in Tokyo, Japan, over a one-month period. We find that by targeting 100 fingerprint signatures, we can reduce the amount of received spam by 28-59% with a false positive ratio of less than 0.05%. Thus, our router-level approach works effectively to decrease the workload of subsequent anti-spam filtering mechanisms, such as DNSBL lookup and content filtering. Our study also leverages the AS numbers of spam senders to discover the origin of the majority of spam seen in our data sets. This information allows us to pinpoint effective network locations to place our router-level spam filters to stop spam close to the source.
As a byproduct of our study, the extracted TCP fingerprints reveal signatures which originate all over the world but only send spam, indicating the potential existence of global-scale spamming infrastructures.

Publication status: Published - 2009
Event: 6th Conference on Email and Anti-Spam, CEAS 2009 - Mountain View, CA, United States
Duration: 2009 Jul 16 - 2009 Jul 17


Conference: 6th Conference on Email and Anti-Spam, CEAS 2009
Country/Region: United States
City: Mountain View, CA

ASJC Scopus subject areas

  • Software

