The Georgia Tech researchers also looked at the autonomous system (AS) number associated with an e-mail. (An AS number is assigned to every independently operated network, whether it’s an Internet service provider or a campus network.) Knowing that a significant percentage of spam comes from a handful of autonomous system numbers, the researchers decided to integrate that characteristic into SNARE, too.
The end result was a system capable of detecting spam 70 percent of the time, with a 0.3 percent false positive rate. Feamster says that’s comparable to existing spam filters but notes that when used in tandem with existing systems, the process should be far more efficient.
“Consider SNARE a first line of defense,” says Shuang Hao, a PhD candidate in computer science at the Georgia Institute of Technology and a SNARE researcher. Each of the characteristics in the SNARE system contributes to the overall score of an e-mail. So far SNARE has been implemented only in a research environment, but if used in a corporate setting, the network administrator could set rules about what happens to e-mail based on its SNARE score. For example, e-mail that scores poorly could be dropped before it even hits the mail server. Hao says this can save considerable resources, as many companies have a policy that requires they retain a copy of every e-mail that hits the server, whether or not it’s junk. Messages with mediocre scores could be further assessed by traditional content filters.
Hao is currently helping Yahoo improve its spam filter, based on what he’s learned developing SNARE. He says that Cisco has also expressed interest in the work.
“It is fairly clever in the way that they combine a bunch of data that’s cheap to use,” says John Levine, president of the Coalition Against Unsolicited Commercial Email and a senior technical advisor to the Messaging Anti-Abuse Working Group, a consortium of companies involved in fighting spam. “On the other hand, I think some of their conclusions are a bit too optimistic. Spammers are not dumb; any time you have a popular scheme [for identifying spam], they’ll circumvent it.”
The research team will present their work on SNARE at the Usenix Security Conference next month in Montreal. In the future, Feamster hopes to be able to apply their findings to other computer security problems, such as phishing e-mails, in which the sender pretends to be from a trusted institution to con recipients into divulging their passwords.