[Discussion] The approach to detect proxybots

Jack Pepper pepperjack at autoshun.org
Mon Jun 1 12:07:37 UTC 2009


You might consider also posting this on the SpamAssassin mailing list
(mailto:users at spamassassin.apache.org). Lots of email managers and
anti-spam gurus over there.

jp


Quoting Gurvinder Singh <gurvinde at stud.ntnu.no>:

> Hi,
>
> First of all, thanks to Matt for introducing me to the Open Information
> Security Foundation. I was in touch with Matt and he suggested that I put
> the concept on the discussion list to get feedback on it from the team. If
> possible we can implement this concept as a preprocessor of the new
> engine (read the message from Matt below).
>
> The approach is based on Interarrival Packet Time (IPT). The IPT is the
> difference between the current packet's arrival time and the last packet's
> arrival time from the sender in the current session. The IPT is recorded
> from incoming packets at the receiving end. Consider the following scenario:
>
>               (200ms)                       (50ms)
> Spammer ------------> Proxybot -------------> Mail server
>
> The spammer starts a session by sending a command to a bot. The bot
> initiates a connection with the mail server and establishes a
> connection. The mail server responds with a greeting message and the bot
> relays this message to the spammer. After receiving the greeting
> message, the spammer sends a HELO message to the bot and the bot relays the
> message to the server. The server will receive the message after a delay of
> 250ms or higher, which is the total delay on the connection between the mail
> server and the spammer. If the bot system is the real originator of the
> message request, then the HELO message will be received in 50ms by the mail
> server. This delay is seen on each command (MAIL FROM, RCPT TO, DATA etc.)
> received from the bot at the server end.
>
> There is a probability that the delay is due to congestion on the
> network. But in the above case the server will receive an ACK from the bot
> system after 50ms, which signifies the lack of congestion on the network.
>
> I tested the approach for different protocols and found it working on
> FTP, HTTP GET requests (Tor), Telnet and simple data transfer using TCP.
> I will be happy to answer any question regarding the above approach and
> look forward to hearing your feedback on the concept. The above concept
> is the result of my master's thesis work. If possible, I would like to
> join the team.
>
> P.S. The code can be released under GPL.
>
> Thanks for your time.
>
> Best Regards,
> Gurvinder Singh
>
>>
>> Matt Jonkman wrote:
>>> Forgot to mention that this code will all be GPL. :)
>>>
>>> matt
>>>
>>> Matt Jonkman wrote:
>>>
>>>> Hello Gurvinder! Your timing couldn't be better.
>>>>
>>>> I'm fascinated by the concept; that would help in a lot of things we
>>>> are currently challenged with in IDS.
>>>>
>>>> The timing is perfect because we've received US Dept of Homeland
>>>> Security funding to build a new next generation IDS. We're about to get
>>>> the bulk of our funding and begin development work.
>>>>
>>>> I'd like to talk to you about applying this concept to a preprocessor of
>>>> the new engine. If you're interested I'd like to introduce you to the
>>>> rest of the team. We're having our final planning and hiring meeting
>>>> late next week. So this couldn't be more perfect.
>>>>
>>>> More information about us at http://www.openinfosecfoundation.org
>>>>
>>>> If you hop on the discussion mailing list we could bring the idea up and
>>>> see what the community thinks about it as well.
>>>>
>>>> Thanks for contacting me!
>>>>
>>>> Matt
>>>>
>>>> Gurvinder Singh wrote:
>>>>
>>>>> Dear Matt Jonkman,
>>>>>
>>>>> I am Gurvinder Singh, a master's student at the Department of Telematics,
>>>>> NTNU, Trondheim, Norway. Currently I am working on my master's thesis on
>>>>> the topic titled "Detection of Intermediary Hosts through TCP latency
>>>>> propagation". I performed experiments for different protocols and found
>>>>> a method to detect intermediary hosts. After reading your article I
>>>>> realized that my approach can be used to detect spam coming from a
>>>>> proxy system which is actually sent by some other system behind it. In
>>>>> a scenario like this
>>>>>
>>>>> Spammer ---->          ProxyBot  ------>      Mail Server or Relay
>>>>>
>>>>> at the mail server or relay we can detect that the message is relayed via
>>>>> a proxybot, and thus the server can drop the message and, if the behavior
>>>>> is persistent, the IP address of the proxybot can be added to blacklists.
>>>>> I was wondering if you have some live traces of communication during the
>>>>> arrival of spam messages at a mail server from a proxybot, so that I can
>>>>> have real-world data, not just data from my lab. If yes, would it be
>>>>> possible to share them with me? I would appreciate any comment from you
>>>>> in this regard.
>>>>>
>>>>> Thanks for your valuable time.
>>>>>
>>>>> Best Regards,
>>>>> Gurvinder Singh
>>>>>
>>>
>>>
>>
>>
>
>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>

-- 
Simple compliance is a hacker's best friend

----------------------------------------------------------------
@fferent Security Labs:  Isolate/Insulate/Innovate  
http://www.afferentsecurity.com
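The latency comparison Gurvinder describes above (TCP ACK round trip versus the round trip to the next SMTP command, measured at the receiving mail server), worked as an added example. This is not the thesis code and not anything from the OISF engine; the two packet timelines are constructed, not captured traffic, and the 2x ratio and three-sample minimum are assumptions chosen for illustration.

```python
"""
Latency-based check for a relaying intermediary, after the scheme in the
thread above: compare how long the sender takes to TCP-ACK a server reply
with how long it takes to send the next SMTP command. Added example, not the
thesis code or the OISF engine; the timelines, the 2x ratio and the
sample-count threshold are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Event:
    t: float        # seconds since session start, as timestamped at the server
    kind: str       # "srv_reply", "cli_ack" or "cli_cmd"
    payload: str = ""


def reply_latencies(events):
    """For every server reply followed by a client command, return
    (ack_rtt, cmd_rtt, command): time until the client's TCP ACK of the
    reply and time until the client's next SMTP command."""
    pairs = []
    reply_at = None   # timestamp of the server reply we are waiting on
    ack_rtt = None
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "srv_reply":
            reply_at, ack_rtt = ev.t, None
        elif ev.kind == "cli_ack" and reply_at is not None and ack_rtt is None:
            ack_rtt = ev.t - reply_at
        elif ev.kind == "cli_cmd" and reply_at is not None:
            cmd_rtt = ev.t - reply_at
            # No separate ACK seen: the command segment itself carries the
            # ACK (piggyback), so the two latencies coincide.
            if ack_rtt is None:
                ack_rtt = cmd_rtt
            pairs.append((ack_rtt, cmd_rtt, ev.payload))
            reply_at, ack_rtt = None, None
    return pairs


def classify(events, ratio=2.0, min_samples=3):
    """'relayed' when the command RTT is consistently much larger than the
    ACK RTT. The ACK RTT is the round trip to the host that owns the TCP
    connection; a command RTT far above it means the command originated
    behind that host. Congestion inflates both, so the ratio stays near 1.
    The ratio and min_samples values are assumptions, not tuned figures."""
    pairs = reply_latencies(events)
    if len(pairs) < min_samples:
        return "unknown", pairs
    ratios = [cmd / ack for ack, cmd, _ in pairs if ack > 0]
    if not ratios:
        return "unknown", pairs
    return ("relayed" if median(ratios) >= ratio else "direct"), pairs


def _session(rows):
    return [Event(t, kind, payload) for t, kind, payload in rows]


# Constructed timelines (not captured traffic). 50 ms path between the
# connecting host and the server in both cases; the relayed session adds a
# roughly 200 ms hop behind the bot before each command appears.
DIRECT_SESSION = _session([
    (0.000, "srv_reply", "220 banner"),
    (0.050, "cli_ack", ""),
    (0.055, "cli_cmd", "HELO client.example.net"),
    (0.056, "srv_reply", "250 OK"),
    (0.106, "cli_ack", ""),
    (0.110, "cli_cmd", "MAIL FROM:<a@example.net>"),
    (0.111, "srv_reply", "250 OK"),
    (0.161, "cli_ack", ""),
    (0.164, "cli_cmd", "RCPT TO:<b@example.net>"),
    (0.165, "srv_reply", "250 OK"),
    (0.215, "cli_ack", ""),
    (0.218, "cli_cmd", "DATA"),
])

RELAYED_SESSION = _session([
    (0.000, "srv_reply", "220 banner"),
    (0.050, "cli_ack", ""),
    (0.262, "cli_cmd", "HELO bot.example.net"),
    (0.263, "srv_reply", "250 OK"),
    (0.313, "cli_ack", ""),
    (0.521, "cli_cmd", "MAIL FROM:<a@example.net>"),
    (0.522, "srv_reply", "250 OK"),
    (0.572, "cli_ack", ""),
    (0.780, "cli_cmd", "RCPT TO:<b@example.net>"),
    (0.781, "srv_reply", "250 OK"),
    (0.831, "cli_ack", ""),
    (1.041, "cli_cmd", "DATA"),
])


if __name__ == "__main__":
    for name, sess in (("direct", DIRECT_SESSION), ("relayed", RELAYED_SESSION)):
        verdict, pairs = classify(sess)
        print(f"{name}: {verdict}")
        for ack, cmd, command in pairs:
            print(f"  ack {ack * 1000:6.1f} ms  cmd {cmd * 1000:6.1f} ms  {command}")
```

Using the ratio of the two latencies rather than the raw command delay is what makes the congestion argument in the post hold: a congested path slows the ACK and the command alike. The median across commands matters for the same reason the post stresses that the extra delay shows up on every command, since a single slow response (a human at a Telnet prompt, a busy client) should not by itself flag a sender. A relay that pipelines or pre-fetches commands from the real originator would not show the per-command gap, so the check is evidence for a verdict, not proof.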