Addressing SMTP-Based Mass-Mailing Activity Within Enterprise Networks
Source: Carleton University
Malicious mass-mailing activity on the Internet is a serious and continuing threat that includes mass-mailing worms, spam, and phishing. A mechanism commonly used to deliver such malicious mass mail is an SMTP engine, which turns an infected system into a malicious mail server. The authors present a technique that, in many popular network environments, enables detection and containment of SMTP-engine-based mass-mailing activity (even zero-day) within a single mailing attempt. Unlike other mass-mailing detection techniques, their approach is content-independent and requires no attachment processing, network traffic correlation, statistical measures, or system behavioral analysis.