
Spampot: A Spam Capture System Based on Distributed Honeypots (cited by: 11)

Spampot:A Spam Capture System Based on Distributed Honeypot
Abstract: Spampot is a spam capture system based on distributed low-interaction honeypots. Building on an analysis of the SMTP, HTTP proxy and SOCKS protocols, it implements a mail honeypot that integrates open relay and open proxy services, and it builds several databases: a repository of spammer attack-behaviour signatures, a repository of new spam samples, a blacklist of spammer source IP addresses, and a blacklist of URLs extracted from spam. The paper discusses specific issues that must be considered when implementing and deploying a mail honeypot so that it remains attractive to spammers while avoiding being blacklisted by anti-spam organizations and keeping its consumption of network resources to a minimum, which allows the honeypot to run and work effectively over the long term. In six months of real-world deployment it captured a large volume of attack behaviour and spam samples; analysis of this data revealed new characteristics of spammer behaviour and new spamming techniques, and identified botnets used for large-scale spam sending.

English abstract (as published): Spampot is a spam capturing system based on distributed low-interaction honeypots. Based on the previous research on SMTP, HTTP proxy and SOCKS protocols, we designed a spam honeypot system integrated with open relay and open proxy services and built the repositories of spammers' attack behaviors, new spam samples, spammers' IP addresses and their geographic locations, and the URL blacklist extracted from spam. We also discuss some of our considerations when designing the system, including improving the attractiveness for spammers, avoiding being blacklisted by anti-spam organizations, and reducing the impact of the honeypot system on the real network. Our experimental deployment in CERNET for 6 months showed that Spampot could attract spammers effectively without being blacklisted by well-known anti-spam organizations on the Internet. During the 6-month period, Spampot captured large volumes of spam samples and spammers' attack traffic. Our analysis shows that these spammers are mainly from Taiwan, China and Brazil, while their main targets are in Taiwan (such as yahoo.com.tw and hinet.com). We have also discovered some new spammer behaviors and some new techniques that spammers use to escape the filtering of anti-spam systems. Moreover, through cluster analysis of the spam samples, we have identified cases in which botnets are used for large-scale spam campaigns.
Source: Journal of Computer Research and Development (《计算机研究与发展》; indexed in EI, CSCD and the Peking University Core list), 2014, No. 5, pp. 1071-1080 (10 pages)
Funding: National Natural Science Foundation of China projects (61003127, 60803134, 90412010, 60203044)
Keywords: distributed honeypot; spam; open relay; open proxy; spammer behavior