Abstract

Spam is increasingly recognized as a problem associated with compromised hosts or email accounts. This not only makes spam sources hard to track back but also lets a massive volume of illegitimate or unwanted email be disseminated quickly. Many attempts have been made to analyze, backtrack, detect, and prevent spam using both network and content characteristics. However, relatively little attention has been paid to understanding how spammers actually carry out their spamming activities from a network angle. Spammers' network behavior has a significant impact on their common goal: sending spam stealthily and efficiently. Our work thoroughly investigates a little-known spamming technique that we name triangular spamming, which exploits routing irregularities of spoofed IP packets. It is highly stealthy and efficient in that it enables 1) exploiting the bandwidth diversity of botnet hosts to carry out spam campaigns effectively without exposing precious high-bandwidth hosts and 2) bypassing current SMTP traffic blocking policies. Despite its relative obscurity, its use has been confirmed by the network operator community. Through carefully devised probing techniques and an actual deployment of triangular spamming on PlanetLab (a wide-area distributed testbed), we investigate the feasibility and impact of triangular spamming and propose practical detection and prevention methods. From our probing experiments, we found that 97% of the networks that block outbound SMTP traffic are vulnerable to triangular spamming, and only 44% of them are listed on the Spamhaus Policy Block List (PBL).
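The abstract's last finding rests on whether a network's address space is listed on the Spamhaus PBL. As an added example (not code from the paper or from Spamhaus), the following shows how such a listing is checked: a DNSBL query built from the reversed octets of the address under the zen.spamhaus.org zone, whose answer codes 127.0.0.10 and 127.0.0.11 denote PBL listings (other 127.0.0.x codes denote SBL/CSS/XBL). The resolver is injectable, and the lookup table in `_constructed_resolver` is constructed test data for the documentation range 192.0.2.0/24, so the logic runs offline; the function names are my own.

```python
# Added example: classify an IPv4 address by its Spamhaus zen DNSBL answer.
# Not code from the paper. Query-name construction and the 127.0.0.x return
# codes follow Spamhaus's published DNSBL conventions.
import ipaddress
import socket
from typing import Callable, Optional

DNSBL_ZONE = "zen.spamhaus.org"
PBL_CODES = {"127.0.0.10", "127.0.0.11"}      # Policy Block List answers
LISTING_PREFIX = "127.0.0."                    # any real listing is in 127.0.0.0/24

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)          # rejects non-IPv4 input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Resolve via the host's stub resolver; NXDOMAIN means 'not listed'.
    Note: Spamhaus does not serve listing data to open/public resolvers,
    so this must run behind a resolver Spamhaus will answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(ip: str, resolver: Resolver = system_resolver,
             zone: str = DNSBL_ZONE) -> str:
    """Return 'pbl', 'other-listing', 'not-listed' or 'error'."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return "not-listed"
    if answer in PBL_CODES:
        return "pbl"
    if answer.startswith(LISTING_PREFIX):
        return "other-listing"
    # Anything outside 127.0.0.0/24 (e.g. a rate-limit/blocked-resolver
    # code) is an error condition, not evidence about the address.
    return "error"


def _constructed_resolver(name: str) -> Optional[str]:
    """Constructed offline stand-in for DNS answers (not real Spamhaus data)."""
    table = {
        "10.2.0.192.zen.spamhaus.org": "127.0.0.11",   # PBL-listed
        "11.2.0.192.zen.spamhaus.org": "127.0.0.2",    # SBL-listed, not PBL
        "12.2.0.192.zen.spamhaus.org": "127.255.255.254",  # error-style answer
        # 192.0.2.13 absent: NXDOMAIN, i.e. not listed
    }
    return table.get(name)


if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        print(host, classify(host, resolver=_constructed_resolver))
```

A measurement like the abstract's (what fraction of SMTP-blocking networks is on the PBL) would run `classify` over one representative address per probed network with a non-public resolver, counting only `"pbl"` answers as listed and excluding `"error"` answers from the denominator.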