Genotype spam detection

Dmitry Samosseiko SophosLabs


There is a growing similarity and convergence between spam and virus threats, and between spammers and virus writers. Yet anti-spam and anti-virus techniques have so far evolved separately from each other.

Each virus definition targets a particular type or family of viruses. Most anti-spam techniques, on the other hand, such as sender reputation or content filtering, address the spam problem in general and do not provide 100% protection against specific campaigns. Spammers have found many ways to target these techniques and make sure that at least some of their messages get through: obfuscation techniques applied at random, ‘fresh’ open proxies and ‘throw-away’ URLs all impair our ability to reliably stop every message within a particular campaign by blocking yet another IP address, URL or body signature.

Just as virus definitions do in the anti-virus world, Sophos Spam Genotype technology makes it possible to create spam campaign definitions that describe a set of specific features, or ‘static genes’, of a given spam campaign. These definitions can proactively and reliably detect future mutations of the campaign in cases where conventional anti-spam techniques are less effective or do not work at all.

This paper will present technical details of Spam Genotype technology, including real-world examples of using Genotypes to identify long-lasting spam campaigns.
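A toy illustration of the idea, added here and not Sophos code: a campaign definition is a set of constructed ‘static genes’ (MIME boundary template, Subject obfuscation, mid-word HTML comments, a mailer stamp) that survive the rotation of sender and URL, which a URL blocklist built from the first sample does not; every gene, regex, header value and message is an assumption, and the real Genotype format is not on the page.

```python
# Added illustration (not Sophos code): 'static genes' are structural traits
# that stay fixed across a campaign's mutations, unlike rotated senders/URLs.
import re
from email import message_from_string

def body_text(m):
    """Concatenate the HTML parts (or the single body) without decoding."""
    parts = m.walk() if m.is_multipart() else [m]
    return "".join(p.get_payload() for p in parts if p.get_content_type() == "text/html")

# Hypothetical campaign definition; the real Genotype format is not on the page.
CAMPAIGN = {
    "name": "hypothetical-pill-campaign",
    "min_genes": 3,  # a mutation may drop one gene; require most, not all
    "genes": {
        # the spam kit builds MIME boundaries from one fixed template
        "boundary": lambda m: re.fullmatch(r"=_Part\d{4}_[a-f0-9]{6}", m.get_boundary() or "") is not None,
        # letters of the pitch split by dots or spaces in the Subject
        "split_subject": lambda m: re.search(r"(?:[A-Za-z][.\s]){4,}[A-Za-z]", m.get("Subject", "")) is not None,
        # HTML comments injected mid-word to break body signatures
        "comment_split": lambda m: re.search(r"\w<!--[^>]*-->\w", body_text(m)) is not None,
        # X-Mailer stamp the kit copies verbatim into every message
        "mailer": lambda m: m.get("X-Mailer", "").startswith("QuickSend 1."),
    },
}

def matched_genes(raw, campaign=CAMPAIGN):
    """Names of the campaign's genes present in a raw RFC 822 message."""
    msg = message_from_string(raw)
    return [name for name, test in campaign["genes"].items() if test(msg)]

def is_campaign(raw, campaign=CAMPAIGN):
    return len(matched_genes(raw, campaign)) >= campaign["min_genes"]

def url_blocklist_hits(raw, blocklist):
    """Conventional approach for comparison: flag only URLs already seen."""
    return any(u in raw for u in blocklist)

def make_variant(sender, url, tag):
    """Constructed mutation: sender and URL rotate, the static genes do not."""
    return (f"From: {sender}\r\nSubject: C.h.e.a.p m.e.d.s today\r\nX-Mailer: QuickSend 1.2\r\n"
            f'Content-Type: multipart/alternative; boundary="=_Part0042_{tag}"\r\n\r\n'
            f"--=_Part0042_{tag}\r\nContent-Type: text/html\r\n\r\n"
            f'<p>Vis<!--x-->it <a href="{url}">here</a></p>\r\n--=_Part0042_{tag}--\r\n')

VARIANTS = [make_variant("a@x.example", "http://one.example/", "0a1b2c"),
            make_variant("b@y.example", "http://two.example/", "3d4e5f")]
LEGIT = "From: hr@corp.example\r\nSubject: Meeting notes\r\n\r\nSee attached.\r\n"

if __name__ == "__main__":  # blocklist built from the first sample only
    print([(is_campaign(r), url_blocklist_hits(r, {"http://one.example/"})) for r in VARIANTS + [LEGIT]])
```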
