Research shows that more than 80% of spam mail is sent by the bots of botnets, called spam bots hereafter. These spam mails not only deliver malicious content, such as the URLs of phishing sites, but also consume a tremendous amount of precious network bandwidth. Spam bots are also frequently used to launch other attacks, such as DoS/DDoS attacks and identity theft. Solving these problems is therefore a critical and urgent issue. Because the majority of spam bots are not e-mail servers, they usually only send mail and do not receive it. Based on this observation, in this paper we propose a spam-mail-based solution, called SpamFinder, for botnet detection and network bandwidth protection. SpamFinder observes e-mail-related traffic passing through a router to identify hosts that only send e-mail but never receive it. It then performs further examinations to filter out e-mail servers, so that spam bots can be identified with high accuracy. Finally, by blocking e-mail-related traffic originating from the identified spam bots, SpamFinder prevents the transmission of spam mail, which in turn saves bandwidth. We have implemented SpamFinder on a Linux router, and experimental results show that SpamFinder produces zero false positives and introduces only 4% overhead in the worst case.
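As an added illustration of the send-only heuristic described above (example code written for this page, not the paper's implementation, whose details the abstract does not give), the following Python sketch profiles constructed flow records seen at a router: a host that opens SMTP connections to several distinct destinations while accepting no inbound SMTP and opening no POP3/IMAP retrieval sessions is a send-only candidate. The `known_mail_servers` allowlist is an assumption standing in for the paper's unspecified "further examinations"; the `iptables` rule is one possible way to block a bot's outbound SMTP on a Linux router. All hosts, addresses and flows are constructed sample data.

```python
"""Send-only mail host heuristic over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

SMTP_PORTS = {25, 465, 587}             # mail submission / delivery
RETRIEVAL_PORTS = {110, 143, 993, 995}  # POP3 / IMAP: how ordinary clients receive mail


@dataclass
class Flow:
    src: str    # connection initiator
    dst: str    # connection acceptor
    dport: int  # destination TCP port


@dataclass
class HostMailProfile:
    smtp_out: set = field(default_factory=set)  # distinct SMTP destinations contacted
    smtp_in: int = 0                             # inbound SMTP connections accepted
    retrieval_out: int = 0                       # POP3/IMAP sessions opened


def profile_hosts(flows, local_prefix):
    """Build a per-host mail profile for hosts inside local_prefix."""
    profiles = defaultdict(HostMailProfile)
    for f in flows:
        if f.dport in SMTP_PORTS:
            if f.src.startswith(local_prefix):
                profiles[f.src].smtp_out.add(f.dst)
            if f.dst.startswith(local_prefix):
                profiles[f.dst].smtp_in += 1
        elif f.dport in RETRIEVAL_PORTS and f.src.startswith(local_prefix):
            profiles[f.src].retrieval_out += 1
    return profiles


def send_only_hosts(profiles, min_destinations=3):
    """Hosts that send SMTP to many destinations but never receive mail in any form."""
    return sorted(
        host for host, p in profiles.items()
        if len(p.smtp_out) >= min_destinations and p.smtp_in == 0 and p.retrieval_out == 0
    )


def classify_spam_bots(flows, local_prefix, known_mail_servers=frozenset(), min_destinations=3):
    """Send-only hosts minus known mail servers.

    ASSUMPTION: the allowlist stands in for the paper's further examinations,
    which the abstract does not describe.
    """
    profiles = profile_hosts(flows, local_prefix)
    return [h for h in send_only_hosts(profiles, min_destinations) if h not in known_mail_servers]


def block_rule(host):
    """iptables FORWARD-chain rule dropping outbound SMTP from an identified bot."""
    return f"iptables -I FORWARD -s {host} -p tcp -m multiport --dports 25,465,587 -j DROP"


# Constructed sample traffic for the 10.0.0.0/24 site (not captured data).
SAMPLE_FLOWS = [
    # 10.0.0.5: the site's mail server, delivers outbound and accepts inbound SMTP
    Flow("10.0.0.5", "198.51.100.10", 25), Flow("10.0.0.5", "198.51.100.11", 25),
    Flow("10.0.0.5", "198.51.100.12", 25), Flow("203.0.113.7", "10.0.0.5", 25),
    # 10.0.0.7: a desktop, submits through the local server and reads mail over IMAP
    Flow("10.0.0.7", "10.0.0.5", 587), Flow("10.0.0.7", "10.0.0.5", 993),
    # 10.0.0.9: a spam bot, direct-to-MX delivery to many hosts, never receives mail
    Flow("10.0.0.9", "198.51.100.20", 25), Flow("10.0.0.9", "198.51.100.21", 25),
    Flow("10.0.0.9", "198.51.100.22", 25), Flow("10.0.0.9", "198.51.100.23", 25),
    # 10.0.0.11: an outbound-only relay; looks send-only and needs the allowlist
    Flow("10.0.0.11", "198.51.100.30", 25), Flow("10.0.0.11", "198.51.100.31", 25),
    Flow("10.0.0.11", "198.51.100.32", 25),
]
KNOWN_MAIL_SERVERS = frozenset({"10.0.0.5", "10.0.0.11"})

if __name__ == "__main__":
    for bot in classify_spam_bots(SAMPLE_FLOWS, "10.0.0.", KNOWN_MAIL_SERVERS):
        print(block_rule(bot))
```

The outbound-only relay at 10.0.0.11 shows why the second stage matters: on traffic shape alone it is indistinguishable from the bot, so any deployment needs a server-filtering step (the paper's further examinations; here an allowlist) before a blocking rule is installed.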