DocumentCode :
1717237
Title :
Detecting spamming activities by network monitoring with Bloom filters
Author :
Po-Ching Lin ; Ping-Hai Lin ; Pin-Ren Chiou ; Chien-Tsung Liu
Author_Institution :
Dept. of Comput. Sci. & Inf. Eng., Nat. Chung Cheng Univ., Chiayi, Taiwan
fYear :
2013
Firstpage :
163
Lastpage :
168
Abstract :
Spam delivery is common on the Internet. Most modern spam-filtering solutions are deployed on the receiver side. They are good at filtering spam for end users, but spam messages still keep wasting Internet bandwidth and the storage space of mail servers. This work is therefore intended to detect and nip spamming bots in the bud. We use the Bro intrusion detection system to monitor the SMTP sessions in a university campus, and track the number and the uniqueness of the recipients' email addresses in the outgoing mail messages from each individual internal host as the features for detecting spamming bots. Due to the huge number of email addresses observed in the SMTP sessions, we store and manage them efficiently in Bloom filters. According to the SMTP logs over a period of six months from November 2011 to April 2012, we found a total of 65 dedicated spamming bots in the campus and observed 1.5 million outgoing spam messages from them. We also found account cracking events on 14 legitimate mail servers, on which some user accounts are cracked and abused for spamming. The method can effectively detect and curb the spamming bots with the precision and the recall up to 0.97 and 0.96.
Keywords :
Internet; computer network security; data structures; e-mail filters; educational institutions; unsolicited e-mail; Bloom filters; Bro intrusion detection system; Internet bandwidth; SMTP logs; SMTP session monitoring; account cracking events; bot spamming activity detection; internal host; legitimate mail servers; mail server storage space; network monitoring; outgoing mail messages; precision value; recall value; recipient e-mail addresses; spam delivery; spam message filtering; spamming bot detection; university campus; Electronic publishing; Encyclopedias; Industries; Internet; Monitoring; Postal services; Bloom filters; botnet; detection; network monitoring; spamming activities;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Advanced Communication Technology (ICACT), 2013 15th International Conference on
Conference_Location :
PyeongChang
ISSN :
1738-9445
Print_ISBN :
978-1-4673-3148-7
Type :
conf
Filename :
6488163