Measuring the Role of Greylisting and Nolisting in Fighting Spam

Spam has been extensively studied in the past years from different perspectives but, unfortunately, it is still an open problem and a lucrative and active business for criminals and bot herders. While several countermeasures have been proposed and deployed in the past decade, their impact and effectiveness are not always clear. In particular, on top of the most common content- and sender-based anti-spam techniques, two minor approaches are popular among system administrators to cope with this annoying problem: greylisting and nolisting. These techniques exploit known features of the Simple Mail Transfer Protocol (SMTP) that are not often respected by spambots. This assumption makes these two countermeasures really simple to adopt and, at least in theory, quite effective. In this paper we present the first comprehensive study of nolisting and greylisting, in which we analyze these spam countermeasures from different perspectives. First, we measure their world-wide deployment and provide insights from their distribution. Second, we measure their effectiveness against a real dataset of malware samples responsible for generating over 70% of the global spam traffic. Finally, we measure the impact of these two defensive mechanisms on the delivery of normal emails. Our study provides a unique and valuable perspective on two of the most innovative and atypical anti-spam systems. Our findings may guide system administrators and security experts to better assess their anti-spam infrastructure and shed some light on myths about greylisting and nolisting.
