Stopping Spam Before It Hits the Mail Server
Al writes "A team of researchers at the Georgia Institute for Technology say they have developed a way to catch spam before it even arrives on the mail server. Instead of bothering to analyze the contents of a spam message, their software, called SNARE (Spatio-temporal Network-level Automatic Reputation Engine), examines key aspects of individual packets of data to determine whether it might be spam. The team, led by assistant professor Nick Feamster, analyzed 2.5 million emails collected by McAfee in order to determine the key packet characteristics of spam. These include the geodesic proximity of end mail servers and the number of ports open on the sending machine. The approach catches spam 70 percent of the time, with a 0.3 false positive rate. Of course, revealing these characteristics could also allow spammers to fake their packets to avoid filtering."
It'll work... except when it doesn't. (Score:4, Interesting)
I'll go first.
All spammers have to do is change the characteristics of the message. It's always going to be a cat and mouse game, just like antivirus and antispyware, so saying that they've found THE solution to blocking spam from hitting the server is slightly irresponsible.
I don't get it... (Score:1, Interesting)
Why do we need a crazily complex scheme like this when a simple entry in your router's 'Deny' list (for the source IP of the spam) has the same end effect?
Given the spew pouring out of the IP space of China, LACNIC, and Russia, blocking in such a manner appears to be near-lossless compression.
Re:It'll work... except when it doesn't. (Score:3, Interesting)
Unless they use a truly novel approach of stopping spam before it hits the server.
I suggest an AK-47.
Is that really a practical trade-off? (Score:3, Interesting)
And of course as others have already pointed out, this just starts another round of whac-a-mole by pursuing this avenue.
Re:False positive rate? (Score:3, Interesting)
.3 is 300 out of 1000.
.3% is 3 out of 1000.
It's similar to the confusion created when idiots write "It only costs me .25 cents to make a phone call" when they really mean ".25" or "25 cents".
Re:I don't get it... (Score:3, Interesting)
Many have found, if you're outside the US, blocking the US is much more effective than blocking China and Russia.
Re:"IP addresses, he notes, are easy to fake." (Score:3, Interesting)
Oh ye of little knowledge.
If I compromise any layer 2 device on any network between you and the destination, not only can I fake the address, I can have it doing 480 spins in a pink tutu. Have you read any of the reports from the major network access points around the world? Bogus packets pass through them all the time. They even have a name for them -- martian packets.
Even Better (Score:1, Interesting)