

The DNS query packet traffic at the top-domain DNS server of Kumamoto University was statistically investigated while infections by bot worms (BWs) such as W32/Mytob and W32/Zotob were increasing worldwide. The interesting results are: (1) the W32/Mytob.A BW-infected PC terminal sends only A resource record (RR) based DNS query packets, whose query contents include several keywords such as "mail", "smtp", "mx", "ns", "gate", and "relay"; (2) the traffic of abnormal client MX-record DNS query packets is synchronized with that of abnormal random TCP access to ports such as 135, 139, and/or 445 from the W32/Zotob BW-infected PC terminals; (3) the total volume of DNS query traffic arriving from outside the campus network frequently correlates with the number of its unique source IP addresses; and (4) the entropy (randomness) computed over unique source IP addresses also frequently correlates well with the entropy computed over the query contents. Thus, we can detect the IP addresses of BW-infected PC terminals by watching the DNS resolution traffic together with the abnormal random TCP traffic.

IP blacklists are a spam filtering tool employed by a large number of email providers. Centrally maintained and well regarded, blacklists can filter 80+% of spam without having to perform computationally expensive content-based filtering. However, spammers can vary which hosts send spam (often in intelligent ways), and as a result, some percentage of spamming IPs are not actively listed on any blacklist. Blacklists also provide a previously untapped resource of rich historical information. Leveraging this history in combination with spatial reasoning, this paper presents a novel reputation model (PreSTA), designed to aid in spam classification. In simulation on arriving email at a large university mail system, PreSTA is capable of classifying up to 50% of spam not identified by blacklists alone, and 93% of spam on average (when used in combination with blacklists). Further, the system is consistent in maintaining this blockage rate even during periods of decreased blacklist performance. PreSTA is scalable and can classify over 500,000 emails an hour.
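The PreSTA abstract above describes combining blacklist history with spatial reasoning into a reputation score that is consulted alongside the live blacklist. The following is an added toy illustration of that idea, not the paper's model or code: historical listings are replayed with an exponential time decay and aggregated at three spatial granularities (exact IP, /24 block, autonomous system), so an unlisted sender inherits reputation from its neighbours. The half-life, the spatial weights, the decision threshold, the listing history and the IP-to-ASN map are all assumptions chosen for the example.

```python
"""Toy spatio-temporal reputation scorer in the spirit of PreSTA (added example,
not the paper's model). Each historical blacklist listing contributes a weight
that decays with its age; a sender's score sums those weights over its exact IP,
its /24 block and its ASN. All constants and sample data below are assumptions."""
import ipaddress
import math
from collections import defaultdict

HALF_LIFE_DAYS = 7.0                                # assumption: weight halves per week
WEIGHTS = {"ip": 1.0, "block": 0.5, "asn": 0.25}    # assumption: spatial weights
THRESHOLD = 0.8                                     # assumption: score >= this => spam

# Constructed listing history: (ip, day_first_listed, day_delisted or None if still listed)
LISTING_HISTORY = [
    ("203.0.113.10", 0, 3),
    ("203.0.113.11", 2, 5),
    ("203.0.113.12", 4, None),
    ("198.51.100.7", 1, 2),
]
# Constructed prefix -> ASN map (a deployment would derive this from BGP/whois data)
IP_TO_ASN = {"203.0.113.0/24": 64500, "198.51.100.0/24": 64501, "192.0.2.0/24": 64502}


def asn_of(ip):
    """Longest-prefix lookup is unnecessary here: the constructed map has disjoint /24s."""
    addr = ipaddress.ip_address(ip)
    for net, asn in IP_TO_ASN.items():
        if addr in ipaddress.ip_network(net):
            return asn
    return None


def block_of(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def decayed_weight(age_days):
    """Exponential decay: 1.0 for a listing active today, 0.5 after HALF_LIFE_DAYS."""
    return math.exp(-math.log(2) * age_days / HALF_LIFE_DAYS)


def build_index(history, now):
    """Aggregate decayed listing weight per IP, per /24 and per ASN as of day `now`."""
    index = {"ip": defaultdict(float), "block": defaultdict(float), "asn": defaultdict(float)}
    for ip, start, end in history:
        if start > now:
            continue                      # listing lies in the future of this snapshot
        # A listing still active at `now` has age 0; a delisted one ages from its delist day.
        age = 0 if end is None or end > now else now - end
        w = decayed_weight(age)
        index["ip"][ip] += w
        index["block"][block_of(ip)] += w
        asn = asn_of(ip)
        if asn is not None:
            index["asn"][asn] += w
    return index


def reputation(ip, index):
    """Combined score; higher means more spam-like. An IP with no history of its own
    still scores from its block and ASN, which is the spatial part of the idea."""
    score = WEIGHTS["ip"] * index["ip"].get(ip, 0.0)
    score += WEIGHTS["block"] * index["block"].get(block_of(ip), 0.0)
    asn = asn_of(ip)
    if asn is not None:
        score += WEIGHTS["asn"] * index["asn"].get(asn, 0.0)
    return score


def classify(ip, index, currently_listed=frozenset()):
    """A live blacklist hit wins outright; reputation only decides the unlisted remainder."""
    if ip in currently_listed:
        return "spam (blacklisted)"
    return "spam (reputation)" if reputation(ip, index) >= THRESHOLD else "ham"
```

With the constructed history and `now=6`, the never-listed 203.0.113.99 is classified as spam purely from its neighbours in 203.0.113.0/24 and AS64500, while 198.51.100.200 stays ham because the single aged listing in its block has decayed below the threshold. The decay is what gives the score its claimed robustness to periods of weak blacklist coverage: recent listings keep influencing neighbours for a while after they are removed.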
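The Kumamoto University abstract above observes that infected hosts issue MX and keyword-laden A queries and, in the Zotob case, that this DNS behaviour moves in step with random TCP probes to ports 135/139/445; it also compares the entropy of source IPs with that of query contents. The following is an added example of detection logic built on those observations, not the study's own code: it parses two constructed logs (DNS queries at a resolver, outbound TCP connection attempts), flags hosts that show both signals, and computes the two entropies over one window. Log formats, thresholds and all addresses are assumptions.

```python
"""Detection logic for the DNS/TCP correlation described in the Kumamoto study
(added example, not the paper's code; log formats, thresholds and addresses are
assumptions). A host is flagged when it both emits worm-style mail-host lookups
(MX queries, or A queries whose labels carry mail/smtp/mx/ns/gate/relay) and probes
ports 135/139/445 on many distinct destinations; either signal alone is ambiguous,
since a legitimate MTA also asks for MX records."""
import math
import re
from collections import Counter, defaultdict

MAIL_KEYWORDS = ("mail", "smtp", "mx", "ns", "gate", "relay")
SCAN_PORTS = {135, 139, 445}
MIN_MAIL_QUERIES = 3   # assumption: mail-host lookups per source per window
MIN_SCAN_TARGETS = 5   # assumption: distinct SMB/RPC targets per source per window

# Constructed logs: "<src_ip> <qtype> <qname>" and "<src_ip> <dst_ip> <dport> <tcp_flags>"
DNS_LOG = """\
10.0.5.21 MX example.org
10.0.5.21 A mail.example.org
10.0.5.21 A smtp.example.net
10.0.5.21 A relay.example.com
10.0.7.3 A www.example.com
10.0.7.3 A cdn.example.net
10.0.9.14 MX example.net
10.0.9.14 MX example.org
10.0.9.14 A mx1.example.org
10.0.9.14 A gate.example.com
""".splitlines()

TCP_LOG = """\
10.0.5.21 192.0.2.1 445 S
10.0.5.21 192.0.2.2 445 S
10.0.5.21 192.0.2.3 135 S
10.0.5.21 192.0.2.4 139 S
10.0.5.21 192.0.2.5 445 S
10.0.5.21 192.0.2.6 445 S
10.0.7.3 198.51.100.10 443 S
10.0.9.14 203.0.113.8 25 S
""".splitlines()

DNS_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
TCP_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+)$")


def is_mail_host_query(qtype, qname):
    """Observation (1): an MX query, or an A query with a mail-related label prefix.
    Prefix matching is deliberately loose ("nsfw" matches "ns"), which is why the
    scan signal is required before a host is flagged."""
    if qtype == "MX":
        return True
    if qtype != "A":
        return False
    labels = qname.lower().rstrip(".").split(".")
    return any(label.startswith(k) for label in labels for k in MAIL_KEYWORDS)


def count_mail_queries(dns_lines):
    counts = Counter()
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m and is_mail_host_query(m.group(2), m.group(3)):
            counts[m.group(1)] += 1
    return counts


def count_scan_targets(tcp_lines):
    """Distinct destination IPs each source probed on the SMB/RPC ports (observation 2)."""
    targets = defaultdict(set)
    for line in tcp_lines:
        m = TCP_RE.match(line)
        if m and int(m.group(3)) in SCAN_PORTS:
            targets[m.group(1)].add(m.group(2))
    return {src: len(dsts) for src, dsts in targets.items()}


def suspected_infected(dns_lines, tcp_lines):
    """Sources satisfying both signals, sorted for stable output."""
    mail = count_mail_queries(dns_lines)
    scans = count_scan_targets(tcp_lines)
    return sorted(ip for ip in mail
                  if mail[ip] >= MIN_MAIL_QUERIES and scans.get(ip, 0) >= MIN_SCAN_TARGETS)


def shannon_entropy(values):
    """Entropy in bits of the empirical distribution of `values`; 0.0 for no data."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values()) if total else 0.0


def dns_entropies(dns_lines):
    """(source-IP entropy, query-name entropy) over one window. Observations (3) and (4)
    say these normally track each other, so a sudden divergence is itself worth alerting on."""
    rows = [m.groups() for m in map(DNS_RE.match, dns_lines) if m]
    return shannon_entropy(r[0] for r in rows), shannon_entropy(r[2] for r in rows)
```

On the constructed logs only 10.0.5.21 is flagged: 10.0.9.14 issues the same kind of MX and mx/gate lookups but never touches the SMB/RPC ports, so it looks like a mail server rather than a Zotob host, and 10.0.7.3 issues neither signal. In production the two logs would be bucketed into the same time window before correlation, which the abstract's "synchronizes" implies.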
