Stopping Outgoing Spam by Examining Incoming Server Logs

Processing server logs for the email arriving at an ISP can be used to detect remote sites where machines are infected by email viruses or have been hijacked and used for sending spam. Simple heuristics distinguish the patterns of such traffic from those of legitimate email. Stopping this material being sent is matter for the remote site. Nevertheless, this paper shows that processing can also detect if any of the ISP’s own customers have problems, because their email is logged when it is sent to other customers (or even back to themselves). Experimental results from a medium-sized ISP show that the scheme is successful in detecting customer problems. Unfortunately, if the spam or virus is not sent to anyone local then the problem remains undetected. Estimates of worldwide rates of compromise of end-user machines are used to give an indication of the likely overall effectiveness of the detection scheme.