Home / Blogs

Filtering Spam at the Transport Level

John Levine

An interesting new paper from the Naval Postgraduate School (paper here, conference slides here) describes what appears to be an interesting new twist on spam filtering, looking at the characteristics of the TCP session through which the mail is delivered.

They observe that bots typically live on cable or DSL connections with slow congested upstreams. TCP sessions from bots turn out to be fairly easy to recognize by RTT, window, and retransmits, something that people have known at least since a paper at the 2008 CEAS conference on the topic.

This paper tries to see whether it would be practical to use that info to manage spam in real time. They have a network analyzer called SpamFlow that figures out per-connection characteristics. Then as a proof of concept they wrote a Spamassassin plugin to train on the data from SpamFlow and try and do filtering. They do some sort of hand-wavey load testing to see whether SpamFlow can keep up with a realistic mail load, and if it trains fast enough that it would provide useful data in real time. They claim that their results show that it does both.

It's not obvious how best you would use this in combination with all of the other anti-spam tools people we have, most notably blacklists like the CBL that very accurately identify IPs of botted hosts by looking at the characteristics of mail received at large spamtraps. One thing that occurs to me is this sort of thing might be useful if mail moves to IPv6, since building v6 blacklists will be hard due to the size of the address space, while this lets you estimate the bottiness of each connection directly. Also, rather than accepting or rejecting mail, you might slow down mail reception from hosts that seem to be bots, both to give preference to non-bot senders, and because bots tend to be impatient so if you slow down a dubious connection and it gives up, it was probably a bot. The Turntide appliance did something similar five years ago, although it used different heuristics for deciding what to slow down.

This technique looks only at the characteristics of the TCP session, and not at the contents of the session, which means it also doesn't look at the contents of the messages. It might be useful in contexts where for legal or political reasons the spam filter isn't allowed to look at the messages, but users want spam filtering anyway. The authors point out that it is in principle applicable to any TCP transaction, so it might be useful against web queries from bots, too.

It's hardly a FUSSP, but it's an interesting paper.

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Internet Protocol, IPv6, Spam

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Afilias Partners With Internet Society to Sponsor Deploy360 ION Conference Series Through 2016

How Does Dyn Deliver on Powering the Internet? By Investing in Standards Organizations Like the IETF

Dyn Adds Chris Griffiths As New VP of Labs

New Nixu Solution Slashes Cloud Application Delivery Times from Weeks to Milliseconds

Domain Name Registrations Pass 233 Million in the First Quarter Of 2012

Automate IPAM Set-up with Nixu NEE 1.3 Series

Nominum selected as 2012 AlwaysOn Global 250 Top Private Company

Nominum Releases New Version of Carrier-Grade DHCP Software for Telecom Providers

Nominum Survey of World's Leading ISPs Shows Nearly 60% of ISPs Plan to Roll-Out IPv6 by End of 2012

Nominum Launches Comprehensive Suite of DNS-Based Security Solutions for Russian Service Providers

Nominum Sets New Record for Network Speed and Efficiency

Implementing a Cyber-Security Code of Conduct: Real-Life Lessons From Australia (Webinar)

Nominum and Nixu Software to Deliver Centralized DNS and DHCP Management Solution

DNS on Defense, DNS on Offense

Managing Outbound Spam: A New DNS-based Approach For Stopping Abuse (Webinar)

Nixu NameSurfer 7.2 Strikes Rich at Dojo

DotConnectAfrica Participates at ICANN 43 In Costa Rica, the "Rich Coast"

Nominum Launches World's First Purpose-Built Suite of DNSā€Based Solutions for Mobile Operators

Is IPv6 the New Y2K? (Primer)

MarkMonitor Fraud Intelligence Report, Q4 2011

Sponsored Topics


DNS Security

Sponsored by


Sponsored by


Sponsored by
Afilias - Mobile & Web Services


Sponsored by
Afilias - Mobile & Web Services