Re: A interesting way to detect spam based on the proximity of the sender with the receiver

[Alex Craven <krei () it net au>]

I'm with Shreyas on this one -- it was interesting (albeit somewhat
obvious... the revelation that proportionally more legitimate messages
come from places nearer the recipient is hardly astonishing), but I don't
think there's much practical value... it's not so difficult to identify
spam (which is what the article focussed on), the trick is to do this
while minimising false positives -- a subject the article carefully
avoided.

Filtering messages based on the number of ports open on the sending
machine is clearly flawed (any legitimate, dedicated mailserver may only
have the SMTP port open to the world). Woe upon anyone who implements
this.

As to the geodisic distance... again I'm sceptical. In Australia we'd have
to accept messages within at least a 4000km radius, more for US/Canada...
and think how many countries that would cover in Eurasia? Sure you could
tune the system depending on your region, but I suspect a simpler aproach
based just on the country of origin (as discussed on this list a few weeks
back) would be more effective. This also makes the assumption that you
only want to communicate with a few neighbouring countries in the first
place (which might work fine if you're in the US [incidentally the top
spam-producing country in the world], but probably not otherwise)...


On Thu, Jul 30, 2009 at 11:09:36AM -0700, Ali, Saqib uttered:
> I am not sure if this will work or not, but the research was
> interesting none-the-less.
>
>
> saqib
> http://kawphi.blogspot.com
>
>
> On Thu, Jul 30, 2009 at 11:02 AM, Shreyas Zare<shreyas () technitium com> wrote:
> > Hi,
> >
> > This wont work in practical environment. Spammers are no dumb, they
> > will make new trojan (or push a update!) which better emulates like a
> > real mail server and get past this technique of spam identification in
> > a matter of hours. And what about false positives? I feel it will
> > block a lot of legitimate mails too as it is never seen by the mail
> > server to check for any other thing like white list, SPF or domain
> > keys.
> >
> > Just my 2 cents.
> >
> > Regards,
> >
> > On Thu, Jul 30, 2009 at 8:14 AM, Ali, Saqib <docbook.xml () gmail com> wrote:
> > > The research revealed that ham (legitimate e-mail) tends to come from
> > > computers that have a lot of channels, or ports, open for
> > > communication. Bots, automated systems that are often used to send out
> > > reams of spam, tend to keep open only the e-mail port, known as the
> > > Simple Mail Transfer Protocol port.
> > >
> > > The researchers [also] found that by plotting the geodesic distance
> > > between the Internet Protocol (IP) addresses of the sender and
> > > receiver--measured on the curved surface of the earth--they could
> > > determine whether the message was junk. Spam, the researchers found,
> > > tends to travel farther than ham. Spammers also tend to have IP
> > > addresses that are numerically close to those of other spammers.
> > >
> > > The Georgia Tech researchers also looked at the autonomous server (AS)
> > > number associated with an e-mail. (An AS number is assigned to every
> > > independently operated network, whether it's an Internet service
> > > provider or a campus network.) Knowing that a significant percentage
> > > of spam comes from a handful of autonomous server numbers, the
> > > researchers decided to integrate that characteristic into SNARE, too.
> > >
> > > Read more (very interesting stuff):
> > > http://www.technologyreview.com/communications/23086/page1/
> > >
> > >
> > >
> > > saqib
> > > http://kawphi.blogspot.com
> >
> >
> > --
> > ("If at first you don't succeed; call it version 1.0")
> >
> > Shreyas Zare
> > Co-Founder, Technitium
> > eMail: shreyas () technitium com
> >
> > ..::< The Technitium Team >::..
> > Visit us at www.technitium.com
> > Contact us at theteam () technitium com
> >
> > Join Sci-Tech News group and get the latest science & technology news
> > in your inbox. Visit http://tech.groups.yahoo.com/group/sci-tech-news
> > to join.
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

-- 
Alex Craven
krei () it net au

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------