Stopping Spam by Extrusion Detection

End users are often unaware that their systems have been compromised and are being used to send bulk unsolicited email (spam). This paper shows how automated processing of the email logs recorded on the "Smarthost" provided by an ISP for their customer's outgoing email can be used to detect this spam. The variability and obfuscation being employed by the spammers to avoid detection at the destination creates distinctive patterns that allow legitimate email traffic to be distinguished from spam at the source. Some relatively simple heuristics result in the detection of low numbers of "False positives" despite tuning to ensure few "False negatives".