Spam has long been a serious problem. In 2012, spam accounted for about 72 percent of global email traffic, and spam sent by botnets made up the vast majority of it. Botnets also spread very quickly, so spam sent by botnets is the most serious problem. These problems have drawn many researchers and vendors into the field, and they have proposed a wide variety of anti-spam methods, most of them aimed at botnet spam. Now that these methods are widely deployed, botnet spam is less effective than it used to be, so spammers have begun looking for new ways to spread spam. One effective method is to send spam from compromised legitimate accounts (or legitimate bot accounts), because these accounts have IP addresses with good reputations and their mail is sent in full compliance with the SMTP protocol, for example through Google Gmail, Yahoo! Mail, and Microsoft Live Mail. As a result, current anti-spam techniques have great difficulty detecting spam that comes from legitimate accounts. For these reasons, we set out to devise a method that prevents legitimate accounts from sending spam. According to our research, ordinary users rarely reply to spam, and this is a feature that spammers find hard to hide. Moreover, our analysis of real data confirms that malicious accounts are replied to at a very low rate. We therefore implemented a system called "HAWKEYE" that quickly determines which accounts are suspicious based on their reply rate. We also tested HAWKEYE on a real mail server and successfully identified malicious accounts on it.

Email spam has long been a critical problem for the Internet. Spam averaged 72.1% of all email traffic in the world in 2012. The greatest threat to email service providers was spam sent from botnets, which accounted for more than 78% in 2011, and so many anti-spam solutions and techniques appeared that focus on botnets. Owing to these anti-spam techniques, botnet spam is not as effective as before, and spammers are finding new ways to send spam. One effective method is to use compromised accounts (or bot accounts), because compromised accounts have IP addresses with good reputations and send their spam through servers with complete SMTP implementations, such as Gmail, Yahoo! Mail, and Microsoft Live Mail. Spam sent from compromised accounts is very difficult for any anti-spam technique to detect. Hence, we focus on the features spammers cannot easily hide. According to our research, normal users usually do not reply to spam. Moreover, our empirical analysis reveals that compromised accounts actually have a low reply rate. We develop a system called "Hawkeye" that can find compromised accounts effectively by checking each account's reply rate.
We ran Hawkeye on a real mail server and did find compromised accounts.
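The reply-rate check described above can be sketched as follows. This is an added example, not Hawkeye's own code: the record fields, the definition of a reply (an In-Reply-To reference coming from one of the original recipients), and the `max_rate` and `min_sent` values are assumptions chosen for illustration, and the traffic is constructed.

```python
from collections import defaultdict

def reply_rates(messages):
    """Return {sender: (sent, replied, rate)} for every sending account.

    A sent message counts as replied when another message names it in
    in_reply_to and comes from one of its original recipients, so an
    account cannot raise its own rate by answering itself.
    """
    by_id = {m["id"]: m for m in messages}
    replied = set()
    for m in messages:
        parent = by_id.get(m.get("in_reply_to"))
        if parent and m["from"] in parent["to"] and m["from"] != parent["from"]:
            replied.add(parent["id"])
    sent, got = defaultdict(int), defaultdict(int)
    for m in messages:
        sent[m["from"]] += 1
        got[m["from"]] += m["id"] in replied
    return {a: (n, got[a], got[a] / n) for a, n in sent.items()}

def suspicious_accounts(messages, max_rate=0.05, min_sent=20):
    """Accounts with enough volume and a reply rate below max_rate.

    Both limits are assumed values, not figures from the abstract.
    """
    return sorted(a for a, (n, _, r) in reply_rates(messages).items()
                  if n >= min_sent and r < max_rate)

def constructed_log():
    """Constructed sample traffic, not data from the thesis."""
    log = []
    for i in range(20):  # normal user: 20 mails, 8 answered by the recipient
        log.append({"id": f"a{i}", "from": "alice@example.org",
                    "to": ["bob@example.org"], "in_reply_to": None})
        if i < 8:
            log.append({"id": f"ra{i}", "from": "bob@example.org",
                        "to": ["alice@example.org"], "in_reply_to": f"a{i}"})
    for i in range(40):  # compromised account: 40 mails, none answered
        log.append({"id": f"s{i}", "from": "mallory@example.org",
                    "to": [f"victim{i}@example.net"], "in_reply_to": None})
    # Self-reply that must not count toward the sender's own rate.
    log.append({"id": "self", "from": "mallory@example.org",
                "to": ["mallory@example.org"], "in_reply_to": "s0"})
    return log

if __name__ == "__main__":
    print(suspicious_accounts(constructed_log()))
```

The `min_sent` floor keeps low-volume accounts, such as one that only ever answers mail, from being flagged on a rate computed over a handful of messages.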