A New Approach for Detecting Abnormal Email Traffic in Backbone Network

This paper develops a new approach for detecting abnormal email traffic in backbone network by using an extended finite state automata (EFSA) model. Our idea is that bad email server configuration, network attack, and spamware usually generate special or abnormal packets, which are often reflected by the characterization of email traffic. Therefore, we process these traffic data by selecting some indicating parameters on the basis of the EFSA model, and then investigate abnormal traffic by identifying abnormal values. We apply our mechanism to email traffic data captured at one of the largest commercial Internet service provider (ISP) in China. Our initial results are quite unexpected and interesting, which include uncommon command packet number distribution, unexpected event sequence combinations, and surprising protocol errors. In terms of the number of command packet, the number of abnormal email accounts for 10.5%. Based on event sequence analysis, we believe that the SMTP port scan happened at the time of data collection