<p>Carleton University<br />
<a href="https://carleton.ca/scs/research/scs-technical-reports/technical-reports-2005/">Technical Report</a> TR-05-06<br />
May 24, 2005</p>
<h2>Addressing Malicious SMTP-based Mass-Mailing Activity Within an Enterprise Network</h2>
<p>David Whyte, P.C. Van Oorschot, Evangelos Kranakis</p>
<h3>Abstract</h3>
<p>Malicious mass-mailing activity on the Internet is a serious and continuing threat that includes mass-mailing worms, spam, and phishing. A mechanism commonly used to deliver such malicious mass mail is an SMTP-engine, which turns an infected system into a malicious mail server. We present a technique that enables, in certain network environments, detection and containment of (even zero-day) SMTP-engine based mass-mailing activity within a single mailing attempt. Contrary to other mass-mailing detection techniques, our approach is content independent and requires no attachment processing, statistical measures, or system behavioral analysis. It relies strictly on the observation of DNS MX queries within the enterprise network. Our approach can be used as an alternative to port 25 blocking and in conjunction with current proposals to address mass-mailing abuses (e.g., SPF, DomainKeys). Our analysis of network traces from a medium-sized university network indicates that MX query activity from client systems is a viable SMTP-engine detection method with a very low false positive rate. Our detection and containment approach has been successfully tested with a prototype using a live mass-mailing worm in an isolated test network.</p>
<p><a href="https://carleton.ca/scs/wp-content/uploads/TR-05-06.pdf">TR-05-06.pdf</a></p>
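<p>The abstract's detection rule, MX queries from client systems rather than from the enterprise's mail servers signal an SMTP-engine, can be run over a resolver's query log. The following is an added example written for this page, not code from the report or its prototype. The log line format, the client and MTA addresses, and the iptables-style containment rule are all assumptions made for illustration; the report's own containment mechanism is not reproduced here.</p>

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample of a resolver query log in a simplified, hypothetical
# format (timestamp, client IP#port, query name, class, type). It is not a
# trace from the report; it is fabricated here for illustration only.
SAMPLE_LOG = """\
2005-05-24 10:00:01 client 10.1.1.25#53211 query: www.example.com IN A
2005-05-24 10:00:02 client 10.1.1.25#53212 query: example.com IN MX
2005-05-24 10:00:02 client 10.1.1.25#53213 query: example.net IN MX
2005-05-24 10:00:03 client 10.1.0.5#40001 query: example.org IN MX
2005-05-24 10:00:04 client 10.1.1.40#53999 query: mail.example.com IN A
2005-05-24 10:00:05 client 10.1.1.77#50010 query: example.com IN MX
this line is malformed on purpose and must be skipped
"""

# Hosts that are allowed to issue MX queries: the enterprise's own outbound
# mail relays (assumed address for this example).
AUTHORIZED_MTAS: Set[str] = {"10.1.0.5"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)$"
)


@dataclass
class Detection:
    """A client host that issued at least one MX query."""
    ip: str
    first_seen: str                      # timestamp of the first MX query
    queried_domains: List[str] = field(default_factory=list)


def parse_query(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (timestamp, client_ip, qname, qtype), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ts"), m.group("ip"), m.group("qname"), m.group("qtype")


def detect_smtp_engines(log_lines: Iterable[str],
                        authorized_mtas: Set[str]) -> Dict[str, Detection]:
    """Flag every non-MTA host on its first MX query.

    A single MX query is enough: a desktop has no reason to locate a remote
    domain's mail exchanger unless something on it is acting as a mail server,
    which is why the abstract can claim detection within one mailing attempt.
    """
    detections: Dict[str, Detection] = {}
    for line in log_lines:
        rec = parse_query(line)
        if rec is None:
            continue                      # skip malformed input rather than crash
        ts, ip, qname, qtype = rec
        if qtype != "MX" or ip in authorized_mtas:
            continue
        det = detections.setdefault(ip, Detection(ip=ip, first_seen=ts))
        det.queried_domains.append(qname)
    return detections


def containment_rules(detections: Dict[str, Detection]) -> List[str]:
    """Illustrative containment: iptables-style rules dropping outbound SMTP
    from each flagged host. The rule format is an assumption of this example."""
    return [f"-A FORWARD -s {ip} -p tcp --dport 25 -j DROP"
            for ip in sorted(detections)]


if __name__ == "__main__":
    found = detect_smtp_engines(SAMPLE_LOG.splitlines(), AUTHORIZED_MTAS)
    for det in found.values():
        print(f"{det.first_seen} {det.ip} issued MX queries for {det.queried_domains}")
    for rule in containment_rules(found):
        print(rule)
```

<p>On the constructed log, 10.1.1.25 and 10.1.1.77 are flagged and 10.1.0.5 is not. Two conditions from the abstract's "in certain network environments" matter when deploying this: the allowlist must cover every host that legitimately resolves MX records (mail relays, anti-spam gateways, administrators running diagnostic tools), or each of them becomes a false positive; and the observation point must actually see client DNS traffic, so a client that bypasses the enterprise resolver and queries an external server directly is invisible to a resolver-side log and has to be caught at the network egress instead.</p>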