Catching spam before it arrives: domain specific dynamic blacklists

The arrival of any piece of unsolicited and unwanted email (spam) into a user’s email inbox is a problem. It results in real costs to organisations and possibly an increasing reluctance to use email by some users. Currently most spam prevention techniques rely on methods that examine the whole email message at the mail server. This paper describes research that aims to deny spam entry into the internal network in the first place. Examination of live amalgamated audit logs from a Linux kernel firewall, the PortSentry intrusion detection system and the Sendmail mail transfer agents has shown that it is possible that automated mailing programs send characteristic probes to the network gateway just before launching an avalanche of mail. Similarly it seems possible to detect precursor activity from some potential zombie machines. A real time system that could detect such activity needs to be certain that a particular IP address is about to send spam before blocking all of its packets at the network gateway. The architecture for a system that establishes certainty that a particular IP address is about to or has started sending spam is described in this paper. The eventual aim is to recognise precursor activity from spammers in real time, establish certainty that this IP address is about to send or is currently sending spam packets and to then deny packets from this IP address at a range of communicating gateways