{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:59:51Z","timestamp":1750309191706,"version":"3.41.0"},"reference-count":50,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2008,12,1]],"date-time":"2008-12-01T00:00:00Z","timestamp":1228089600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2008,12]]},"abstract":"<jats:p>\n            Laundering e-mail spam through open-proxies or compromised PCs is a widely-used trick to conceal real spam sources and reduce spamming cost in the underground e-mail spam industry. Spammers have plagued the Internet by exploiting a large number of spam proxies. The facility of breaking spam laundering and deterring spamming activities close to their sources, which would greatly benefit not only e-mail users but also victim ISPs, is in great demand but still missing. In this article, we reveal one salient characteristic of proxy-based spamming activities, namely packet symmetry, by analyzing protocol semantics and timing causality. Based on the packet symmetry exhibited in spam laundering, we propose a simple and effective technique, DBSpam, to online detect and break spam laundering activities inside a customer network. Monitoring the bidirectional traffic passing through a network gateway, DBSpam utilizes a simple statistical method, Sequential Probability Ratio Test, to detect the occurrence of spam laundering in a timely manner. To balance the goals of promptness and accuracy, we introduce a noise-reduction technique in DBSpam, after which the laundering path can be identified more accurately. Then DBSpam activates its spam suppressing mechanism to break the spam laundering. We implement a prototype of DBSpam based on\n            <jats:italic>libpcap<\/jats:italic>\n            , and validate its efficacy on spam detection and suppression through both theoretical analyses and trace-based experiments.\n          <\/jats:p>","DOI":"10.1145\/1455518.1455525","type":"journal-article","created":{"date-parts":[[2008,12,17]],"date-time":"2008-12-17T13:25:20Z","timestamp":1229520320000},"page":"1-32","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Thwarting E-mail Spam Laundering"],"prefix":"10.1145","volume":"12","author":[{"given":"Mengjun","family":"Xie","sequence":"first","affiliation":[{"name":"College of William and Mary"}]},{"given":"Heng","family":"Yin","sequence":"additional","affiliation":[{"name":"College of William and Mary"}]},{"given":"Haining","family":"Wang","sequence":"additional","affiliation":[{"name":"College of William and Mary"}]}],"member":"320","published-online":{"date-parts":[[2008,12]]},"reference":[{"volume-title":"Proceedings of the 1st USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI\u201905)","author":"Andreolini M.","key":"e_1_2_1_1_1"},{"key":"e_1_2_1_2_1","unstructured":"B\u00e4cher P. Holz T. K\u00f6tter M. and Wicherski G. 2005. Know your enemy: Tracking botnets. http:\/\/www.honeynet.org\/papers\/bots\/.  B\u00e4cher P. Holz T. K\u00f6tter M. and Wicherski G. 2005. Know your enemy: Tracking botnets. http:\/\/www.honeynet.org\/papers\/bots\/."},{"volume-title":"Hashcash: A denial of service counter-measure","year":"1997","author":"Back A.","key":"e_1_2_1_3_1"},{"volume-title":"Proceedings of the 18th USENIX Large Installation Systems Administration Conference (LISA\u201904)","author":"Blosser J.","key":"e_1_2_1_4_1"},{"volume-title":"Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection (RAID\u201904)","author":"Blum A.","key":"e_1_2_1_5_1"},{"key":"e_1_2_1_6_1","unstructured":"CBL. 2007. Composite blocking list. http:\/\/cbl.abuseat.org.  CBL. 2007. Composite blocking list. http:\/\/cbl.abuseat.org."},{"key":"e_1_2_1_7_1","doi-asserted-by":"crossref","unstructured":"Delany M. 2006. Domain-based e-mail authentication using public keys advertised in the DNS (DomainKeys). RFC 4870.  Delany M. 2006. Domain-based e-mail authentication using public keys advertised in the DNS (DomainKeys). RFC 4870.","DOI":"10.17487\/rfc4870"},{"volume-title":"Proceedings of the 3rd USENIX Symposium on Networked Systems Design and Implementation (NSDI\u201906)","author":"Garriss S.","key":"e_1_2_1_8_1"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/967030.967031"},{"key":"e_1_2_1_10_1","doi-asserted-by":"crossref","unstructured":"Gellens R. and Klensin J. C. 1998. Message submission. RFC 2476.   Gellens R. and Klensin J. C. 1998. Message submission. RFC 2476.","DOI":"10.17487\/rfc2476"},{"key":"e_1_2_1_11_1","unstructured":"Graham P. 2002. A plan for spam. http:\/\/www.paulgraham.com\/spam.html.  Graham P. 2002. A plan for spam. http:\/\/www.paulgraham.com\/spam.html."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1081870.1081885"},{"volume-title":"Proceedings of the 17th USENIX Systems Administration Conference (LISA\u201903)","author":"Hunter T.","key":"e_1_2_1_13_1"},{"volume-title":"Proceedings of the 10th Annual Network and Distributed System Security Symposium (NDSS\u201903)","year":"2003","author":"Ioannidis J.","key":"e_1_2_1_14_1"},{"volume-title":"Proceedings of the 25th IEEE Symposium on Security and Privacy (SSP\u201904)","author":"Jung J.","key":"e_1_2_1_15_1"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1028788.1028838"},{"key":"e_1_2_1_17_1","doi-asserted-by":"crossref","unstructured":"Klensin J. 2001. Simple mail transfer protocol. RFC 2821.   Klensin J. 2001. Simple mail transfer protocol. RFC 2821.","DOI":"10.17487\/rfc2821"},{"volume-title":"SHRED: Spam harassment reduction via economic disincentives","year":"2004","author":"Krishnamurthy B.","key":"e_1_2_1_18_1"},{"volume-title":"RFC","year":"1928","author":"Leech M.","key":"e_1_2_1_19_1"},{"volume-title":"Proceedings of the 1st Conference on E-mail and Anti-Spam","author":"Li K.","key":"e_1_2_1_20_1"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1140277.1140317"},{"key":"e_1_2_1_22_1","unstructured":"Lyon J. and Wong M. W. 2004. Sender id: Authenticating e-mail. RFC 4406.  Lyon J. and Wong M. W. 2004. Sender id: Authenticating e-mail. RFC 4406."},{"key":"e_1_2_1_23_1","unstructured":"MARID. 2004. MTA authorization records in DNS. http:\/\/www.ietf.org\/html.charters\/OLD\/marid-charter.html.  MARID. 2004. MTA authorization records in DNS. http:\/\/www.ietf.org\/html.charters\/OLD\/marid-charter.html."},{"volume-title":"Messagelabs intelligence annual e-mail security report","year":"2006","author":"MessageLabs","key":"e_1_2_1_24_1"},{"key":"e_1_2_1_25_1","unstructured":"Microsoft. 2003. The penny black project. http:\/\/research.microsoft.com\/research\/sv\/PennyBlack\/.  Microsoft. 2003. The penny black project. http:\/\/research.microsoft.com\/research\/sv\/PennyBlack\/."},{"key":"e_1_2_1_26_1","unstructured":"Postini. 2006. Sender behavior analysis. http:\/\/www.postini.com.  Postini. 2006. Sender behavior analysis. http:\/\/www.postini.com."},{"key":"e_1_2_1_27_1","unstructured":"Prakash V. V. 2007. Vipul\u2019s razor. http:\/\/razor.sourceforge.net\/.  Prakash V. V. 2007. Vipul\u2019s razor. http:\/\/razor.sourceforge.net\/."},{"volume-title":"Proceedings of the 13th USENIX Security Symposium (SECURITY\u201904)","year":"2004","author":"Provos N.","key":"e_1_2_1_28_1"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/1080793.1080801"},{"volume-title":"Proceedings of the 3rd Conference on E-mail and Anti-Spam (CEAS\u201906)","author":"Ramachandran A.","key":"e_1_2_1_30_1"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1159913.1159947"},{"key":"e_1_2_1_32_1","unstructured":"Rhyolite. 2000. Distributed checksum clearinghouse (dcc). http:\/\/www.rhyolite.com\/anti-spam\/dcc\/.  Rhyolite. 2000. Distributed checksum clearinghouse (dcc). http:\/\/www.rhyolite.com\/anti-spam\/dcc\/."},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.5555\/1039834.1039864"},{"key":"e_1_2_1_34_1","unstructured":"SecurityTracker. 2001. Formmail.pl web-to-e-mail cgi script allows unauthorized users to send mail anonymously. http:\/\/www.securitytracker.com\/alerts\/2001\/Mar\/1001108.html.  SecurityTracker. 2001. Formmail.pl web-to-e-mail cgi script allows unauthorized users to send mail anonymously. http:\/\/www.securitytracker.com\/alerts\/2001\/Mar\/1001108.html."},{"key":"e_1_2_1_35_1","unstructured":"SORBS. 2006. Spam and open relay blocking system (sorbs). http:\/\/www.sorbs.net\/.  SORBS. 2006. Spam and open relay blocking system (sorbs). http:\/\/www.sorbs.net\/."},{"key":"e_1_2_1_36_1","unstructured":"SpamAssassin. 2006. The apache spam assassin project. http:\/\/spamassassin.apache.org\/.  SpamAssassin. 2006. The apache spam assassin project. http:\/\/spamassassin.apache.org\/."},{"key":"e_1_2_1_37_1","unstructured":"Spamhaus. 2005. Increasing spam threat from proxy hijackers. http:\/\/www.spamhaus.org\/news.lasso?article=156.  Spamhaus. 2005. Increasing spam threat from proxy hijackers. http:\/\/www.spamhaus.org\/news.lasso?article=156."},{"key":"e_1_2_1_38_1","unstructured":"SpamLinks. 2006. Challenge\/response spam filters. http:\/\/spamlinks.net\/filter-cr.htm.  SpamLinks. 2006. Challenge\/response spam filters. http:\/\/spamlinks.net\/filter-cr.htm."},{"key":"e_1_2_1_39_1","unstructured":"TopLayer. 2006. http:\/\/www.toplayer.com.  TopLayer. 2006. http:\/\/www.toplayer.com."},{"key":"e_1_2_1_40_1","unstructured":"Turner A. 2006. Tcpreplay. http:\/\/tcpreplay.synfin.net\/trac\/.  Turner A. 2006. Tcpreplay. http:\/\/tcpreplay.synfin.net\/trac\/."},{"volume-title":"Proceedings of USENIX Annual Technical Conference (USENIX\u201904)","author":"Twining R. D.","key":"e_1_2_1_41_1"},{"volume-title":"Sequential Analysis","author":"Wald A.","key":"e_1_2_1_42_1"},{"volume-title":"Proceedings of the 3rd USENIX Symposium on Networked Systems Design and Implementation (NSDI\u201906)","author":"Walfish M.","key":"e_1_2_1_43_1"},{"key":"e_1_2_1_44_1","unstructured":"Watson D. Holz T. and Mueller S. 2005. Know your enemy: Phishing. http:\/\/www.honeynet.org\/papers\/phishing\/.  Watson D. Holz T. and Mueller S. 2005. Know your enemy: Phishing. http:\/\/www.honeynet.org\/papers\/phishing\/."},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.5555\/956415.956450"},{"key":"e_1_2_1_46_1","doi-asserted-by":"crossref","unstructured":"Wong M. W. and Schlitt W. 2006. Sender policy framework (SPF) for authorizing use of domains in e-mail version 1. RFC 4408.  Wong M. W. and Schlitt W. 2006. Sender policy framework (SPF) for authorizing use of domains in e-mail version 1. RFC 4408.","DOI":"10.17487\/rfc4408"},{"key":"e_1_2_1_47_1","unstructured":"Woolridge D. Law J. and Kawasaki M. 2004. The qmail spam throttle mechanism. http:\/\/spamthrottle.qmail.ca\/man\/qmail-spamthrottle.5.html.  Woolridge D. Law J. and Kawasaki M. 2004. The qmail spam throttle mechanism. http:\/\/spamthrottle.qmail.ca\/man\/qmail-spamthrottle.5.html."},{"key":"e_1_2_1_48_1","unstructured":"Yerazunis B. 2003. CRM114 - the controllable regex mutilator. http:\/\/crm114.sourceforge.net.  Yerazunis B. 2003. CRM114 - the controllable regex mutilator. http:\/\/crm114.sourceforge.net."},{"volume-title":"Proceedings of the 9th USENIX Security Symposium (SECURITY\u201900)","author":"Zhang Y.","key":"e_1_2_1_49_1"},{"volume":"2672","volume-title":"Proceedings of the 4th ACM\/IFIP\/USENIX International Middleware Conference (MIDDLEWARE\u201903)","author":"Zhou F.","key":"e_1_2_1_50_1"}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1455518.1455525","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1455518.1455525","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:54:18Z","timestamp":1750287258000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1455518.1455525"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,12]]},"references-count":50,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2008,12]]}},"alternative-id":["10.1145\/1455518.1455525"],"URL":"https:\/\/doi.org\/10.1145\/1455518.1455525","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"type":"print","value":"1094-9224"},{"type":"electronic","value":"1557-7406"}],"subject":[],"published":{"date-parts":[[2008,12]]},"assertion":[{"value":"2007-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2007-08-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2008-12-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}