Blocking spam by separating end-user machines from legitimate mail server machines

Spamming botnets present a critical challenge in the control of spam messages because of the sheer volume and wide spread of the botnet members. In this paper, we advocate the approach for recipient mail servers to filter messages directly delivered from remote end-user (EU) machines, given that the majority of spamming bots are EU machines. We develop a support vector machine (SVM)-based classifier to separate EU machines from legitimate mail server (LMS) machines, using a set of machine features that cannot be easily manipulated by spammers. We investigate the efficacy and performance of the SVM-based classifier using a number of real-world data sets. Our performance studies show that the SVM-based classifier is indeed a feasible and effective approach in distinguishing EU machines from LMS machines. For example, training and testing on an aggregated data set containing both EU machines and LMS machines, on average, we found that the SVM-based classifier can achieve a 99.25% detection accuracy, with very small false positive rate (0.35%) and false negative rate (1.27%), significantly outperforming eight Domain Name System-based blacklists widely used today. Copyright (c) 2012 John Wiley & Sons, Ltd.