Evaluating third-party Bad Neighborhood blacklists for Spam detection

The distribution of malicious hosts over the IP address space is far from being uniform. In fact, malicious hosts tend to be concentrated in certain portions of the IP address space, forming the so-called Bad Neighborhoods. This phenomenon has been previously exploited to filter Spam by means of Bad Neighborhood blacklists. In this paper, we evaluate how much a network administrator can rely upon different Bad Neighborhood blacklists generated by third-party sources to fight Spam. One could expect that Bad Neighborhood blacklists generated from different sources contain, to a varying degree, disjoint sets of entries. Therefore, we investigate (i) how specific a blacklist is to its source, and (ii) whether different blacklists can be interchangeably used to protect a target from Spam. We analyze five Bad Neighborhood blacklists generated from real-world measurements and study their effectiveness in protecting three production mail servers from Spam. Our findings lead to several operational considerations on how a network administrator could best benefit from Bad Neighborhood-based Spam filtering.
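The two questions the abstract poses, how much blacklists from different sources overlap and how well each one protects a given mail server, can be measured as in the following added example, which is not code from the paper. The /24 neighborhood size, the `min_hosts` listing threshold, all function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

PREFIX_LEN = 24  # assumption: a neighborhood is a /24 block (the page fixes no prefix length)

def neighborhood(ip, prefix_len=PREFIX_LEN):
    """Return the enclosing network (the 'neighborhood') of an IPv4 address."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

def build_blacklist(spam_sources, min_hosts=2, prefix_len=PREFIX_LEN):
    """Aggregate spam-sending IPs observed at one source into bad neighborhoods.
    A block is listed once `min_hosts` distinct spamming hosts fall into it
    (hypothetical threshold, not taken from the paper)."""
    hosts = {}
    for ip in set(spam_sources):
        hosts.setdefault(neighborhood(ip, prefix_len), set()).add(ip)
    return {net for net, members in hosts.items() if len(members) >= min_hosts}

def jaccard(a, b):
    """Overlap of two blacklists: 1.0 means identical entries, 0.0 means disjoint."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

def evaluate(blacklist, mail_log, prefix_len=PREFIX_LEN):
    """Replay a labelled mail log of (ip, is_spam) pairs against a blacklist.
    Returns (share of spam blocked, share of legitimate mail wrongly blocked)."""
    def listed(ip):
        return neighborhood(ip, prefix_len) in blacklist
    spam = [ip for ip, is_spam in mail_log if is_spam]
    ham = [ip for ip, is_spam in mail_log if not is_spam]
    blocked = sum(listed(ip) for ip in spam) / len(spam) if spam else 0.0
    false_pos = sum(listed(ip) for ip in ham) / len(ham) if ham else 0.0
    return blocked, false_pos

# Constructed sample data: spam senders seen at two third-party sources,
# and a labelled log from the mail server to be protected.
SOURCE_A = ["10.1.1.5", "10.1.1.9", "10.2.2.7", "10.2.2.8", "10.3.3.1"]
SOURCE_B = ["10.2.2.20", "10.2.2.21", "10.4.4.4", "10.4.4.5"]
TARGET_LOG = [("10.1.1.77", True), ("10.1.1.78", True), ("10.2.2.50", True),
              ("10.9.9.9", True), ("10.4.4.200", False), ("10.8.8.8", False)]

if __name__ == "__main__":
    bl_a, bl_b = build_blacklist(SOURCE_A), build_blacklist(SOURCE_B)
    print("overlap between blacklists:", round(jaccard(bl_a, bl_b), 2))
    for name, bl in (("A", bl_a), ("B", bl_b)):
        blocked, false_pos = evaluate(bl, TARGET_LOG)
        print(f"blacklist {name}: spam blocked={blocked:.2f} legit blocked={false_pos:.2f}")
```

A low overlap combined with very different detection rates on the same target is the situation in which two blacklists cannot be used interchangeably.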
