论文信息 - Analyzing Network and Content Characteristics of Spim Using Honeypots

Analyzing Network and Content Characteristics of Spim Using Honeypots

Instant messaging spam (spim), while less widespread than email spam, is a challenging problem which has received little attention in formal research. Spim is harder to study than spam because of the "walled garden" nature of popular instant messaging platforms. We designed and deployed a proxy based IM honeypot with protocol decoding and analyzed content characteristics of spim and network characteristics of hosts sending spim. Our analysis strongly suggests that adversaries make use of botnets and well coordinated command and control mechanisms in sending spim. Current anti-spim mechanisms rely heavily on content filtering, whitelisting and blacklisting. Our analysis suggests that the same botnets are being employed by spimmers and spammers. Hence network-layer and cross-protocol information sharing between email and IM anti-spam solutions and the use of cross-protocol IP reputation would significantly improve blocking rates. By comparing spim and ham IM data, we also identify several heuristics that can be used to distinguish spim traffic from spam traffic.

Sven Krasser | Paul Judge | Aarjav J. Trivedi

[1] L. Spitzner,et al. Honeypots: Tracking Hackers , 2002 .

[2] Mohammad Mannan. Secure Public Instant Messaging: A Survey † , 2004 .

[3] Paul C. van Oorschot,et al. On instant messaging worms, analysis and countermeasures , 2005, WORM '05.

[4] Na Li,et al. Detecting and filtering instant messaging spam - a global and personalized approach , 2005, 1st IEEE ICNP Workshop on Secure Network Protocols, 2005. (NPSec)..

[5] Michele Colajanni,et al. HoneySpam: Honeypots Fighting Spam at the Source , 2005, SRUTI.

[6] Aaron D. Wyner,et al. Prediction and Entropy of Printed English , 1993 .

[7] Computer Network Security , 2005 .

[8] Paul C. van Oorschot,et al. A Protocol for Secure Public Instant Messaging , 2006, Financial Cryptography.

[9] Claude E. Shannon,et al. Prediction and Entropy of Printed English , 1951 .

[10] G. Schryen. An e-mail honeypot addressing spammers' behavior in collecting and applying addresses , 2005, Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop.

[11] Peter Saint-Andre,et al. Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence , 2004, RFC.

[12] Henry L. Owen,et al. The Use of Honeynets to Increase Computer Network Security and User Awareness , 2005 .

[13] Virgílio A. F. Almeida,et al. Characterizing a spam traffic , 2004, IMC '04.

[14] Niels Provos,et al. A Virtual Honeypot Framework , 2004, USENIX Security Symposium.