TY - GEN
T1 - Spam or ham? Characterizing and detecting fraudulent "not spam" reports in Web mail systems
AU - Ramachandran, Anirudh
AU - Dasgupta, Anirban
AU - Feamster, Nick
AU - Weinberger, Kilian
PY - 2011
Y1 - 2011
N2 - Web mail providers rely on users to "vote" to quickly and collaboratively identify spam messages. Unfortunately, spammers have begun to use bots to control large collections of compromised Web mail accounts not just to send spam, but also to vote "not spam" on incoming spam emails in an attempt to thwart collaborative filtering. We call this practice a vote gaming attack. This attack confuses spam filters, since it causes spam messages to be mislabeled as legitimate; thus, spammer IP addresses can continue sending spam for longer. In this paper, we introduce the vote gaming attack and study the extent of these attacks in practice, using four months of email voting data from a large Web mail provider. We develop a model for vote gaming attacks, explain why existing detection mechanisms cannot detect them, and develop a new, scalable clustering-based detection method that identifies compromised accounts that engage in vote-gaming attacks. Our method detected 1.1 million potentially compromised accounts with only a 0.17% false positive rate, which is nearly 10 times more effective than existing clustering methods used to detect bots that send spam from compromised Web mail accounts.
AB - Web mail providers rely on users to "vote" to quickly and collaboratively identify spam messages. Unfortunately, spammers have begun to use bots to control large collections of compromised Web mail accounts not just to send spam, but also to vote "not spam" on incoming spam emails in an attempt to thwart collaborative filtering. We call this practice a vote gaming attack. This attack confuses spam filters, since it causes spam messages to be mislabeled as legitimate; thus, spammer IP addresses can continue sending spam for longer. In this paper, we introduce the vote gaming attack and study the extent of these attacks in practice, using four months of email voting data from a large Web mail provider. We develop a model for vote gaming attacks, explain why existing detection mechanisms cannot detect them, and develop a new, scalable clustering-based detection method that identifies compromised accounts that engage in vote-gaming attacks. Our method detected 1.1 million potentially compromised accounts with only a 0.17% false positive rate, which is nearly 10 times more effective than existing clustering methods used to detect bots that send spam from compromised Web mail accounts.
UR - http://www.scopus.com/inward/record.url?scp=80053647103&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=80053647103&partnerID=8YFLogxK
U2 - 10.1145/2030376.2030401
DO - 10.1145/2030376.2030401
M3 - Conference contribution
AN - SCOPUS:80053647103
SN - 9781450307888
T3 - ACM International Conference Proceeding Series
SP - 210
EP - 219
BT - Proceedings of the 8th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2011
T2 - 8th Annual Collaboration, Electronic Messaging, Anti-Abuse and Spam Conference, CEAS 2011
Y2 - 1 September 2011 through 2 September 2011
ER -