Arid Zone Journal of Engineering, Technology and Environment, August, 2017; Vol. 13(3):389-397
Copyright Faculty of Engineering, University of Maiduguri, Maiduguri, Nigeria.
Print ISSN: 1596-2490, Electronic ISSN: 2545-5818, www.azojete.com.ng.

MANIPULATING E-MAIL SERVER FEEDBACK FOR SPAM PREVENTION

O. A. Okunade
(Department of Computer Science, Faculty of Sciences, National Open University of Nigeria
(NOUN), Cadastral Zone, Nnamdi Azikiwe Expressway, Jabi, Abuja, Nigeria)
*Corresponding author's e-mail address: aokunade@noun.edu.ng
Abstract
The cyber criminals who infect machines with bots are not the same as the spammers who rent botnets to distribute
their messages. The activities of these spammers account for the majority of spam email traffic on the Internet. Once
their botnets and campaigns are identified, it is not enough to keep filtering the spam emails; it is necessary to
deploy techniques that will carry the fight to their end. It is observed that spammers also take into account server
feedback (for example to detect and remove non-existent recipients from email address lists). We can take advantage
of this observation by returning fake information, thereby poisoning the server feedback on which the spammers rely.
The results of this paper show that by sending misleading information to a spammer, it is possible to prevent recipients
from receiving subsequent spam emails from that same spammer.

Keywords: Spam, Spamtrap, Spam Campaign, Bot, Botnet

1. Introduction
Email spam, or unsolicited bulk email, is one of the major open security problems on the Internet.
It accounts for more than 77% of overall world-wide email traffic (Kaspersky Lab. Spam
Report: April 2012). Spam is annoying to users who receive emails they did not request, and it is
damaging for users who fall victim to email scams and other attacks. Spam mails are used for
spreading viruses or malicious code, for banking fraud, for phishing, and for advertising. This
causes major problems for web users: it loads the network with traffic, wastes the time and energy
of the user, and wastes resources on Simple Mail Transfer Protocol (SMTP) servers, which have to
process a significant amount of unwanted emails (Taylor, 2006). An email user receives hundreds of
spam emails per day, each with a new address or identity and new content, which are automatically
generated by robot software (Gurwinder and Rupinder, 2016). A modern spam mass mailing contains
hundreds of thousands of messages that can be distributed within a few minutes to thousands of
recipients. Most often spam comes from zombie networks formed by a number of users' computers
infected by malicious programs, and it is crafted to deceive filters or to motivate a recipient to
click on its links (Marco et al., 2011). What can be done to resist these attacks?
Nowadays, about 85% of world-wide spam traffic is sent by botnets (Symantec Corp. State
of spam & phishing report, 2010). Botnets are networks of compromised computers that act under
the control of a single entity, known as the botmaster. It is observed that spammers also take into
account server feedback (for example, to detect and remove non-existent recipients from email
address lists). We can take advantage of this observation by returning forged information.
Spammers are technically skilled persons who are hired by companies to send spam
(Reena and Gurjot, 2016). This study attempts to observe the effect of poisoning the botnets
and their botmaster through server feedback manipulation. Earlier studies not only detected botnet
membership across the Internet but also tracked the sending behavior and the associated email
content patterns that are directly observable from an email service provider. The work of Xie et al.
(2008) performs a large-scale analysis of spamming botnet characteristics and identifies trends that
can benefit future botnet detection and defense mechanisms. This study is inspired by Botnet
Judo: Fighting Spam with Itself (Pitsillidis et al., 2010) as well as the work of Stringhini et al.
(2012). However, since spam is an adversarial activity and an arms race, it is necessary to combat
spam with any technique that can reduce the effectiveness of spammers' campaigns, hence this server
feedback manipulation. Current techniques to detect and block spam mostly fall into two
categories: content analysis and origin analysis. Content analysis techniques look at what is being
sent, and typically analyze the content of an email to see if it is indicative of spam (for example, if
it contains words that are frequently linked to spam content). These classification techniques
filter spam with a content-based approach that identifies attributes (usually
keywords often used in spam emails) (Mohammed and Monir, 2016). Origin analysis techniques,
on the other hand, look at who is sending an email, and flag the email as spam if the sender (for
example, the IP address the email is coming from) is known to be malicious. Both content and
origin analysis techniques have their shortcomings and have problems in practice. For instance,
content analysis is usually very resource intensive, and cannot be run on every email sent to large,
busy mail servers (Taylor, 2006). Also, it can be evaded by carefully crafting the spam email
(Nelson et al., 2008). On the other hand, origin analysis techniques often have coverage problems
(The Spamhaus Project), and fail to detect as malicious many sources that are actually sending out
spam (Sinha et al., 2008).
The idea behind this approach is simple: the SMTP protocol, which is used to send emails on the
Internet, follows Postel's Law, which states: "Be liberal in what you accept, but conservative
in what you send". As a consequence, email software developers can come up with their
own interpretation of the SMTP protocol and still be able to send emails successfully. This is the
basis for poisoning the botnets, or the botmaster (bot herder), with false SMTP server responses. By
sending misleading information to a spammer, it is possible to prevent recipients from receiving
subsequent spam emails from that same spammer. The SMTP protocol is used by a client to send a
message to the server. During this transaction, the client receives from the server information
related to the delivery process. One important piece of information is whether the intended
recipient exists or not. The performance of a spam campaign can improve significantly when a
botmaster takes server feedback into account. In particular, it is beneficial for spammers to remove
non-existent recipient addresses from their email lists. This prevents a spammer from sending
useless messages during subsequent campaigns. Indeed, previous research has shown that certain
bots report the error codes received from email servers back to their command and control nodes
(Stone-Gross et al., 2011). To exploit the way in which botnets currently leverage server feedback,
it is possible to manipulate the responses from the mail server to a bot. In particular, when a mail
server identifies the sender as a bot, instead of dropping the connection, the server could simply
reply that the recipient address does not exist. To identify a bot, one can use traditional
content/origin-based approaches. When the server feedback is poisoned in this fashion, spammers
have to decide between two options. One possibility is to continue to consider server feedback
and, as a result, remove valid email addresses from their email lists in the belief that they are
invalid. This reduces the spam emails that these users will receive in the future. Alternatively,
spammers can decide to distrust and discard any server feedback. This reduces the effectiveness of
future campaigns, since emails will be sent to non-existent users. Although not perfect, this
technique reduces the effectiveness of the spammers' email campaigns, and it is a useful advancement
in the war against spamming botnets.
Recent estimates by reliable organizations nonetheless indicate that spam makes up between 70%
and 80% of email traffic worldwide. Thus, spam can create a significant burden for network
operators, and the problems associated with spam may be magnified in developing countries,
especially Nigeria, where high volumes of incoming and outgoing spam can cause a severe drain
on the limited and costly bandwidth that is available in those regions. Spam is a big problem for
everyone, from the individual home Internet user to the multi-national corporation that depends on
email communications to conduct business. With spam increasing steadily, it is important to take a
proactive stance and arm oneself with knowledge about the methods that spammers use, in order to
decide how best to implement strategies to block spam. Email spam is a well-known problem that
has attracted a substantial amount of research over the past years. The following discussion briefly
shows how this approach is related to previous work in this area and elaborates on the novel aspects
of the proposed methods.
Spam Filtering: Existing work on spam filtering can be broadly classified into two categories:
post-acceptance methods and pre-acceptance methods. Post-acceptance methods receive the full
message and then rely on content analysis to detect spam emails. There are many approaches that
allow one to differentiate between spam and legitimate emails: popular methods include Naive
Bayes, Support Vector Machines (SVMs), or similar methods from the field of machine learning
(Sculley and Wachman, 2007). Other approaches for content-based filtering rely on identifying the
URLs used in spam emails (Xie et al., 2008). A third method is DomainKeys Identified Mail (DKIM),
a system that verifies that an email has been sent by a certain domain by using cryptographic
signatures (Leiba, 2007). In practice, performing content analysis or computing cryptographic
checksums on every incoming email can be expensive and might lead to high load on busy servers
(Taylor, 2006). Furthermore, an attacker might attempt to bypass the content analysis system by
crafting spam messages in specific ways (Nelson et al., 2008).
In general, the drawback of post-acceptance methods is that an email has to be received before it
can be analyzed. Pre-acceptance methods attempt to detect spam before actually receiving the full
message. Some analysis techniques take the origin of an email into account and analyze distinctive
features of the sender of an email (the IP address or autonomous system the email is sent from, or
the geographical distance between the sender and the receiver) (Hao et al., 2009). In practice, these
sender-based techniques have coverage problems: previous work showed how IP blacklists miss
a large fraction of the IP addresses that are actually sending spam, especially due to the
highly dynamic nature of the machines that send spam (typically botnets) (Ramachandran, Dagon
and Feamster, 2006). The method proposed here is a novel, third approach that focuses on how
messages are sent. This avoids costly content analysis, and does not require the design and
implementation of a reputation metric or blacklist. It complements both pre-acceptance and
post-acceptance approaches. Other work in this direction was done by Beverly and
Sollins (2008) and Kakavelakis, Beverly and Andy (2011). The authors of these two papers leveraged
the fact that spambots often have bad connections to the Internet, and performed spam detection
by looking at TCP-level features such as retransmissions and connection resets. The approach here is
more robust, because it does not rely on assumptions about the network connectivity of a mail
client. Moreover, it is not unlikely that this is the first study of the effects of manipulating server
feedback to poison the information sent by a bot to the botmaster. Protocol analysis and
subsequent manipulation of the feedback is the core idea behind this approach. This problem is
closely related to the problem of automated protocol reverse-engineering, where an unknown
protocol is analyzed to determine the individual records/elements and the protocol's structure
(Comparetti et al., 2009). Initial work in this area focused on clustering of network traces to group
similar messages (Cui, Kannan, and Wang, 2007), while later methods extracted protocol
information by analyzing the execution of a program while it performs network communication
(Lin et al., 2008). Sophisticated methods can also handle multiple messages and recover the
protocol's state machine. For example, Dispatcher is a tool capable of extracting the format of
protocol messages when having access to only one endpoint, namely the bot binary (Caballero et
al., 2009). Cho and Babic (2010) leverage the information extracted by Dispatcher to learn
Command and Control protocols. Brumley et al. (2007) studied how deviations in the
implementation of a given protocol specification can be used to detect errors or generate
fingerprints. The differences in how a given program checks and processes inputs are identified
with the help of binary analysis (more specifically, symbolic execution). However, in this work,
the speaker of the protocol (the bot) is treated as a black box, and code analysis or instrumentation
is not performed to find protocol formats or deviations. This is important because (i) malware is
notoriously difficult to analyze and (ii) a malware sample might not always be available. Instead,
this technique allows the building of SMTP dialect state machines even when interacting with a
previously unknown spambot. There is also a line of research on fingerprinting protocols. Initial
work in this area leveraged manual analysis. Nonetheless, there are methods, such as FiG, that
automatically generate fingerprints for DNS servers (Venkataraman, Caballero, Poosankam, Kang,
and Song, 2007). The main difference between this work and FiG is that these dialects are stateful
while FiG operates on individual messages. This entirely avoids the need to merge and explore
protocol state machines. However, as discussed previously, individual messages are typically not
sufficient to distinguish between SMTP engines. This paper attempts to leverage the server
feedback to manipulate the botnet in email spam campaigns.
2. Methodology
2.1 HELO/EHLO Analysis
The HELO and EHLO SMTP commands are intended to provide the domain name, such as
Babalaje.com, or IP address of the sending SMTP server to the receiving SMTP server. Malicious
users, or spammers, frequently forge the HELO/EHLO statement in various ways. For example,
they type an IP address that does not match the IP address from which the connection originated.
Spammers also put domains that are known to be locally supported at the receiving server in the
HELO statement in an attempt to appear as if the domains are in the organization. In other cases,
spammers change the domain that is passed in the HELO statement. The typical behavior of a
legitimate user may be to use a different, but relatively constant set of domains in their HELO
statements. Therefore, analysis of the HELO/EHLO statement on a per-sender basis may indicate
that the sender is likely to be a spammer. For example, a sender that provides many different
unique HELO/EHLO statements in a specific time period is more likely to be a spammer. Senders
who consistently provide an IP address in the HELO statement that does not match the originating
IP address as determined by the connection filter agent are also more likely to be spammers.
Remote senders who consistently provide a local domain name in the HELO statement that is in
the same organization as the Exchange server are also more likely to be spammers.

2.2 Reverse DNS lookup


In Figure 1, sender reputation also verifies that the originating IP address from which the sender
transmitted the message matches the registered domain name that the sender submits in the HELO
or EHLO SMTP command. Sender reputation performs a reverse DNS query by submitting the
originating IP address to DNS. The result that is returned by DNS is the domain name that is
registered by using the domain naming authority for that IP address. Sender reputation compares
the domain name that is returned by DNS to the domain name that the sender submitted in the
HELO/EHLO SMTP command. If the domain names do not match, the sender is likely to be a
spammer, and the overall SRL rating for the sender is increased. The Sender ID agent performs a
similar task, but the success of the Sender ID agent relies on legitimate senders to update their
DNS infrastructure to identify all the email-sending SMTP servers in their organization. By
performing a reverse DNS lookup, you can help identify potential spammers.
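
The per-sender HELO/EHLO checks of Section 2.1 and the reverse DNS comparison above can be scored over session records as in the following added example, which is not code from the paper or from any mail server product. The record fields, thresholds, the injected PTR lookup and the sample sessions are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumptions (not from the paper): field names, the one-hour window, the
# unique-HELO threshold, "consistently" = more than half of a sender's sessions,
# and "match" = case-insensitive equality of HELO name and PTR name.
LOCAL_DOMAINS = {"example.org"}     # domains hosted by the receiving server
WINDOW_SECONDS = 3600
MAX_UNIQUE_HELO = 3


@dataclass(frozen=True)
class Session:
    ts: int         # connection time, seconds
    peer_ip: str    # originating IP taken from the TCP connection
    helo: str       # argument the client sent with HELO/EHLO


def norm(name):
    return name.lower().rstrip(".")


def helo_as_ip(helo):
    """Return the address in an IP-style HELO ('10.0.0.5' or '[10.0.0.5]'), else None."""
    try:
        return ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        return None


def session_flags(s, ptr_lookup, internal_nets=()):
    """Checks of Sections 2.1 and 2.2 applied to one SMTP session."""
    peer = ipaddress.ip_address(s.peer_ip)
    claimed = helo_as_ip(s.helo)
    if claimed is not None:                       # HELO carries an IP address
        return {"helo_ip_mismatch"} if claimed != peer else set()
    flags = set()
    helo = norm(s.helo)
    remote = not any(peer in net for net in internal_nets)
    if remote and any(helo == d or helo.endswith("." + d) for d in LOCAL_DOMAINS):
        flags.add("claims_local_domain")
    ptr = ptr_lookup(s.peer_ip)                   # reverse DNS name or None
    if ptr is None or norm(ptr) != helo:
        flags.add("rdns_mismatch")
    return flags


def score_senders(sessions, ptr_lookup, internal_nets=()):
    """Aggregate the per-session flags and HELO churn for every sending IP."""
    by_sender = defaultdict(list)
    for s in sorted(sessions, key=lambda x: x.ts):
        by_sender[s.peer_ip].append(s)
    report = {}
    for ip, sess in by_sender.items():
        counts = defaultdict(int)
        for s in sess:
            for flag in session_flags(s, ptr_lookup, internal_nets):
                counts[flag] += 1
        # Largest number of distinct HELO names inside any WINDOW_SECONDS span.
        churn, start = 0, 0
        for end in range(len(sess)):
            while sess[end].ts - sess[start].ts > WINDOW_SECONDS:
                start += 1
            churn = max(churn, len({norm(x.helo) for x in sess[start:end + 1]}))
        reasons = sorted(f for f, n in counts.items() if 2 * n > len(sess))
        if churn > MAX_UNIQUE_HELO:
            reasons.append("helo_churn")
        report[ip] = {"sessions": len(sess), "max_unique_helo": churn,
                      "reasons": reasons}
    return report


# Constructed sample data (documentation address ranges, made-up names).
PTR_TABLE = {
    "198.51.100.7": "dyn-7.isp.example",
    "203.0.113.20": "mx.partner.example",
    "203.0.113.50": "host50.isp.example",
}
SAMPLE_SESSIONS = (
    [Session(600 * i, "198.51.100.7", "%s.example.net" % h)
     for i, h in enumerate(["a1", "b2", "c3", "d4", "e5"])]
    + [Session(100 * i, "203.0.113.20", "MX.partner.example") for i in range(3)]
    + [Session(50 * i, "192.0.2.99", "[10.0.0.5]") for i in range(2)]
    + [Session(70 * i, "203.0.113.50", "mail.example.org") for i in range(2)]
)

if __name__ == "__main__":
    for ip, row in score_senders(SAMPLE_SESSIONS, PTR_TABLE.get).items():
        print(ip, row)
```

In production the `ptr_lookup` argument would wrap a real resolver; it is injected here so the sample runs offline.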

[Figure 1 (flowchart; only its labels survive): the sender client sends mail through SMTP to the "Server with Inbuilt Botnet" box, which decides "Is sender a Bot?". Yes: "Recipient does not exist" feedback to the bot client. No: mail delivered to the legitimate recipient client.]

Figure 1: Design Architecture for Manipulating e-Mail Server Feedback for Spam Prevention

A pure spamtrap is obtained from a cooperating ISP. A spamtrap is a set of email addresses that do
not belong to real users and, therefore, collect only spam mails. It is widely documented that all
but a small fraction of today's spam e-mail is transmitted by just a handful of distributed botnets
(John et al., 2009), and these, in turn, use template-based macro languages to specify how
individual e-mail messages should be generated (Kreibich et al., 2008).
2.3 The SMTP Protocol
The Simple Mail Transfer Protocol (SMTP), as defined in RFC 821 (RFC 821: Simple Mail
Transfer Protocol. http://tools.ietf.org/html/rfc821), is a text-based protocol that is used to send
email messages originating from Mail User Agents (MUAs, for example, Outlook), through
intermediate Mail Transfer Agents (MTAs, for example, Exchange), to the recipients'
mailboxes. The protocol is defined as an alternating dialogue where the sender and the receiver
take turns transmitting their messages. Messages sent by the sender are called commands, and they
instruct the receiver to perform an action on behalf of the sender. The SMTP RFC defines 14
commands. Each command consists of a command code of four case-insensitive alphabetic characters
(for example, MAIL) and additional, optional arguments (for example,
FROM:<me@example.com>). One or more space characters separate command codes and
argument fields. All commands are terminated by a line terminator, which we denote as
<CR><LF>. An exception is the DATA command, which instructs the receiver to accept the
subsequent lines as the email's content, until the sender transmits a dot character as the only
character on a line (that is, <CR><LF>.<CR><LF>).
SMTP replies are sent by the receiver to inform the sender about the progress of the email
transfer process. Replies consist of a three-digit status code, followed by a space separator,
followed by a short textual description. For example, the reply 250 Ok indicates to the sender
that the last command was executed successfully, and the reply 550 2, 1, 5 indicates that the
address does not exist.
Modern spamming botnets typically use template-based spamming to send out emails (Pitsillidis,
Levchenko, Kreibich, Kanich, Voelker, Paxson, Weaver, and Savage, 2010). With this technique,
the botnet Command & Control infrastructure tells the bots what kind of emails to send out, and
the bots relay back information about the delivery as they received it from the SMTP server. This
server feedback is an important piece of information to the botmaster, since it enables him to
monitor whether his botnet is working correctly. A rational spammer is interested in whether the
delivery failed because the recipient address does not exist. This case is the most interesting,
because it implies that the spammer can permanently remove that email address from his email
lists and avoid using it during subsequent campaigns. Recent research suggests that bot feedback
is an important part of a spamming botnet operation. For example, Stone-Gross et al. (2011)
showed that about 35% of the email addresses used by the Cutwail botnet were in fact non-existent.
By leveraging the server feedback received by the bots, a rational botmaster can get rid of those
non-existent addresses and optimize his spamming performance significantly. However, if we provide
false information about the status of a recipient's address, this leads to a double bind for the
spammer. On the one hand, if a spammer considers server feedback, he will unknowingly remove a
valid recipient address from his email list. Effectively, this leads to a reduced number of spam
emails received at this particular address. On the other hand, if the spammer does not consider
server feedback, this reduces the effectiveness of his spam campaigns, since emails are sent to
non-existent addresses. In the long run, this will significantly degrade the freshness of his email
lists and reduce the number of successfully sent emails.
In the following, we discuss how we can take advantage of this situation. As a first step,
we need to identify that a given SMTP conversation belongs to a bot. To this end, a mail server
can either use traditional, IP-based blacklists or leverage the analysis of SMTP HELO/EHLO
introduced previously. Once a bot has been identified, the mail server can (instead of closing the
connection) start sending erroneous feedback to the bot, that is, answer the SMTP HELO/EHLO with
a 550 error reply, and the bot will relay this information to the Command & Control infrastructure.
Specifically, the mail server could, for example, report that the recipient of that email does not
exist.
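
The following added example (not code from the paper) shows the server side of such a conversation as a small state machine that parses commands as described in Section 2.3 and answers a flagged peer with the same 550 reply a genuinely unknown mailbox would get. The class and attribute names, the reply texts, the mailbox set, the blacklist and the choice to forge the reply at RCPT TO are assumptions; the dialogue is constructed.

```python
import re

# Assumptions (not from the paper): class and attribute names, the reply
# texts, and forging the reply at RCPT TO, where non-existence is signalled.
MAILBOXES = {"alice@example.org", "bob@example.org"}    # constructed
BLACKLIST = {"198.51.100.7"}                            # constructed bot verdicts
NO_SUCH_USER = "550 No such user here"
RCPT_RE = re.compile(r"^TO:\s*<([^<>\s]+)>", re.IGNORECASE)


def parse_command(line):
    """Split a command line into (upper-cased command code, argument string)."""
    code, _, arg = line.rstrip("\r\n").partition(" ")
    return code.upper(), arg.strip()


class PoisoningSession:
    """Server side of one SMTP conversation; feed() returns the reply text."""

    def __init__(self, peer_ip, is_bot, mailboxes=MAILBOXES):
        self.flagged = is_bot(peer_ip)   # e.g. IP blacklist or HELO/EHLO analysis
        self.mailboxes = mailboxes
        self.have_mail = False
        self.in_data = False
        self.accepted = []               # recipients the client was told exist
        self.audit = []                  # (recipient, really_exists, reply_code)

    def feed(self, line):
        if self.in_data:                 # DATA mode: lines are content, not commands
            if line.rstrip("\r\n") != ".":
                return None
            self.in_data, self.have_mail, self.accepted = False, False, []
            return "250 Ok: queued"
        code, arg = parse_command(line)
        if code in ("HELO", "EHLO"):
            return "250 mx.example.org"
        if code == "MAIL":
            self.have_mail, self.accepted = True, []
            return "250 Ok"
        if code == "RCPT":
            return self.rcpt(arg)
        if code == "DATA":
            if not self.accepted:
                return "554 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if code == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"

    def rcpt(self, arg):
        if not self.have_mail:
            return "503 Need MAIL before RCPT"
        match = RCPT_RE.match(arg)
        if not match:
            return "501 Syntax: RCPT TO:<address>"
        rcpt = match.group(1).lower()
        exists = rcpt in self.mailboxes
        if exists and not self.flagged:
            self.accepted.append(rcpt)
            reply = "250 Ok"
        else:
            # A flagged peer gets the very same text as a genuine unknown-user
            # rejection, so its feedback channel cannot tell the two apart.
            reply = NO_SUCH_USER
        self.audit.append((rcpt, exists, int(reply[:3])))
        return reply

    def forged_rejections(self):
        """Valid mailboxes this peer was told do not exist."""
        return [r for r, exists, code in self.audit if exists and code == 550]


def run_dialogue(session, lines):
    """Return [(client line, server reply)] for every line that got a reply."""
    out = []
    for line in lines:
        reply = session.feed(line)
        if reply is not None:
            out.append((line.rstrip("\r\n"), reply))
    return out


# Constructed client dialogue.
ENVELOPE = ["EHLO relay.example.net\r\n", "mail  FROM:<promo@example.net>\r\n",
            "RCPT TO:<alice@example.org>\r\n", "RCPT TO:<nobody@example.org>\r\n"]
BODY = ["DATA\r\n", "Subject: hi\r\n", "\r\n", "hello\r\n", ".\r\n", "QUIT\r\n"]

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.20"):
        s = PoisoningSession(ip, BLACKLIST.__contains__)
        print("--- peer", ip, "flagged" if s.flagged else "not flagged")
        for sent, reply in run_dialogue(s, ENVELOPE + (BODY if not s.flagged else [])):
            print("C:", sent, "| S:", reply)
        print("forged:", s.forged_rejections())
```

The audit list records the true mailbox status next to each reply, so an operator can review forged rejections issued to a sender that was flagged by mistake.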

[Figure 2 (flowchart; only its labels survive): Start; Incoming Mail; Filter; Quarantine; Inbox; Read; "Recipient does not exist" feedback to Bot; Reduction in subsequent mail sends by eliminating "not exist" feedback response; Stop.]
Figure 2: Experimental process

[Figure 3 (only its labels survive): Create a sender Connection; Add additional accepted domain; Configure the default email address policy; Configure external URLs; Configure internal URLs; Configure an SSL certificate.]
Figure 3: Experimental settings

3. Result and Discussion


Manipulating e-mail server feedback would enable the server to lead the botmaster into the lose-lose
situation discussed earlier. For a rational botmaster, we expect that this technique would reduce the
amount of spam the email address receives (Figure 2). The mail server is configured to always report
to the client that the recipient of an email does not exist, which is used to study how spammers use
the feedback they receive from their bots. To assess whether the different botnets stopped sending
emails to those addresses, a spamtrap is leveraged. A spamtrap is a set of email addresses that do
not belong to real users and, therefore, collect only spam mails. To evaluate this approach, the
following idea is leveraged: if an email address is successfully removed from an email list used by
a spam campaign, the same campaign will not be observed targeting that address again. A spam
campaign is defined as the set of emails that share the same URL templates in their links, similar
to the work of Xie et al. (2008). While there are more advanced methods to detect spam campaigns
(Pitsillidis et al., 2010), the chosen approach leads to sufficiently good results for our purposes.
Since the spamtrap was initially conceived to receive spam emails from botnets, the observation
was the difference between the amount of spam email received at the beginning of a spam
campaign and the amount received at the end of it, using a separate server, run in parallel to the
main one, whose purpose is to observe when a campaign starts and ends. This will help to reduce
the amount of spam emails received at the end of the campaign compared to the initial figure. This
reduction accounts for the email addresses the spammer took pains to remove from his list in order
to boost the effectiveness of his spamming.
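
The evaluation idea above can be computed from the spamtrap server's delivery log as in this added example, which is not the paper's code. The URL-template rule is a simplified stand-in for campaign detection, the one-hour retry grace period and all names are assumptions, and the log entries are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumptions (not from the paper): the template rule below is a simplified
# stand-in for URL-signature generation, and RETRY_GRACE separates a bot's
# immediate retries from a later run of the same campaign.
RETRY_GRACE = 3600          # seconds
DAY = 86400


def url_template(url):
    """Reduce a spam link to host + path shape + query keys."""
    parts = urlsplit(url)
    segs = ["*" if re.search(r"\d", s) else s for s in parts.path.split("/") if s]
    keys = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return "%s/%s?%s" % (parts.hostname or "", "/".join(segs), "&".join(keys))


def evaluate(attempts, grace=RETRY_GRACE):
    """attempts: (ts, recipient, url) deliveries seen by the always-550 server.

    Returns {campaign: {"poisoned", "retargeted", "removal_rate"}}.
    """
    first_seen, retargeted = {}, set()
    for ts, rcpt, url in sorted(attempts):
        key = (url_template(url), rcpt.lower())
        if key not in first_seen:
            first_seen[key] = ts             # first 550 given for this pair
        elif ts - first_seen[key] > grace:
            retargeted.add(key)              # campaign came back for the address
    stats = defaultdict(lambda: {"poisoned": 0, "retargeted": 0})
    for key in first_seen:
        stats[key[0]]["poisoned"] += 1
        stats[key[0]]["retargeted"] += int(key in retargeted)
    return {c: dict(s, removal_rate=1 - s["retargeted"] / s["poisoned"])
            for c, s in stats.items()}


def honours_feedback(result):
    """Campaigns that never retargeted an address after the forged 550."""
    return sorted(c for c, s in result.items() if s["retargeted"] == 0)


# Constructed spamtrap log: (timestamp, recipient, first URL in the message).
ATTEMPTS = [
    (0, "t1@trap.example", "http://pills.example/buy/83412/index.php?id=77"),
    (5, "t2@trap.example", "http://pills.example/buy/10977/index.php?id=3"),
    (60, "T1@trap.example", "http://pills.example/buy/55120/index.php?id=12"),  # retry
    (10, "t1@trap.example", "http://watches.example/r/a1b2c3?u=9"),
    (12, "t2@trap.example", "http://watches.example/r/9f8e7d?u=4"),
    (3 * DAY, "t1@trap.example", "http://watches.example/r/0c0c0c?u=1"),
    (3 * DAY + 4, "t2@trap.example", "http://watches.example/r/77aa10?u=6"),
    (2 * DAY, "t4@trap.example", "http://loans.example/offer?ref=zzz"),
] + [(20 + i, "t%d@trap.example" % (i + 1), "http://loans.example/offer?ref=abc")
     for i in range(4)]

if __name__ == "__main__":
    result = evaluate(ATTEMPTS)
    for campaign, row in sorted(result.items()):
        print(campaign, row)
    print("campaigns that removed every poisoned address:", honours_feedback(result))
```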

4. Conclusion
In mitigating email spam, it is necessary to address those elements that a spammer needs to set to
make his botnet perform well. The first element is the number of bots that the spammer uses.
Having too many bots connecting to the Command and Control server saturates its bandwidth and
results in bad performance. Another element is the size of the email list used by spammers.
Good spammers trim non-existent email addresses from their email lists, so that their bots do not
waste time sending emails that will never get delivered. A third element consists in having bots
retry sending an email multiple times after receiving a server error: since many bots have poor
Internet connections, this helps keep the fraction of successfully sent emails high. The last,
surprising finding is that the physical location of bots seems not to influence the performance of a
spam campaign. As a side effect of this, successful spammers typically purchase bots located in
developing countries, like Nigeria, which are typically cheaper. This study provides fake/forged
feedback on whether an email address exists or not any time it detects the sender as a bot. This
forged feedback would make it impossible for spammers to clean non-existent email addresses from
their lists, compromising the performance of their operations.

References
Beverly, R., and Sollins, K. 2008. Exploiting Transport-level Characteristics of Spam. In
Collaboration, Electronic messaging, Anti-Abuse and Spam Conference (CEAS).

Brumley, D., Caballero, J., Liang, Z., Newsom, J. and Song, D. 2007. Towards Automatic
Discovery of Deviations in Binary Implementations with Applications to Error Detection and
Fingerprint Generation. In USENIX Security Symposium.

Caballero, J., Poosankam, P., Kreibich, C. and Song, DX. 2009. Dispatcher: Enabling Active
Botnet Infiltration Using Automatic Protocol Reverse-Engineering. In ACM Conference on
Computer and Communications Security (CCS).

Cho, C. and Babic, DSD. 2010. Inference and Analysis of Formal Models of Botnet Command and
Control Protocols. In ACM Conference on Computer and Communications Security (CCS).

Comparetti, PM., Wondracek, G., Kruegel, C. and Kirda, E. 2009. Prospex: Protocol Specification
Extraction. In IEEE Symposium on Security and Privacy.

Cui, W., Kannan, J., and Wang, HJ. 2007. Discoverer: Automatic Protocol Reverse Engineering
from Network Traces. In USENIX Security Symposium.

Elifenesh Y. and Manisha T. 2016. Email Classification using Classification Method. International
Journal of Engineering Trends and Technology (IJETT) Volume 32 Number 3. ISSN: 2231-5381
http://www.ijettjournal.org Page 142

Hao, S., Syed, NA., Feamster, N., Gray, AG., and Krasser, S. 2009. Detecting Spammers with
SNARE: Spatiotemporal Network-level Automatic Reputation Engine. In USENIX Security
Symposium.

http://technet.microsoft.com/en-us/library/jj218640(v=exchg.150).aspx

John, JP., Moshchuk, A., Gribble, SD., and Krishnamurthy, A. 2009. Studying Spamming
Botnets Using Botlab. In USENIX Symposium on Networked Systems Design and
Implementation (NSDI).

Kakavelakis, G., Beverly, R., and Young, J. 2011. Auto-learning of SMTP TCP Transport-Layer
Features for Spam and Abusive Message Detection. In USENIX Large Installation System
Administration Conference.

Kaspersky Lab. Spam Report: 2012. https://www.securelist.com/en/analysis/204792230/Spam_Report

Kreibich, C., Kanich, C., Levchenko, K., Enright, B., Voelker, GM., Paxson, V., and Savage, S.
2008. On the Spam Campaign Trail. In USENIX Workshop on Large-Scale Exploits and
Emergent Threats (LEET).

Leiba, B. 2007. DomainKeys Identified Mail (DKIM): Using digital signatures for domain
verification. In Collaboration, Electronic messaging, Anti-Abuse and Spam Conference (CEAS).

Lin, Z., Jiang, X., Xu, D., and Zhang, X. 2008. Automatic Protocol Format Reverse Engineering
through Context-Aware Monitored Execution. In Symposium on Network and Distributed System
Security (NDSS).

Lowd, D., and Meek, C. 2005. Good word attacks on statistical spam filters. In Collaboration,
Electronic messaging, Anti-Abuse and Spam Conference (CEAS).

Marco, T. R., Pedro, H. Calais G., Leonardo V., Adriano V., Dorgival G., Wagner M. Jr. 2011.
Spam Detection Using Web Page Content: a New Battleground. CEAS 2011 - Eighth annual
Collaboration, Electronic messaging, Anti-Abuse and Spam Conference, Perth, Western Australia.
ACM 978-1-4503-0788-8/11/09

Mohammed A and Monir F. 2016. Email Spam Classification Using Hybrid Approach of RBF
Neural Network and Particle Swarm Optimization. International Journal of Network Security & Its
Applications (IJNSA) Vol.8, No.4. DOI: 10.5121/ijnsa. 8402 17

Nelson, B., Barreno, M., Chi, F. J., Joseph, A. D., Rubinstein, B. I. P.,Saini, U., Sutton, C., Tygar,
J. D., and Xia, K., 2008, Exploiting Machine Learning to Subvert Your Spam Filter. In USENIX
Symposium on Networked Systems Design and Implementation (NSDI).

Pitsillidis, A., Levchenko, K., Kreibich, C., Kanich, C., Voelker, G. M., Paxson, V., Weaver, N.
and Savage, S., 2010. Botnet Judo: Fighting Spam with Itself. In Symposium on Network and
Distributed System Security (NDSS).

Ramachandran, A., Dagon, D., and Feamster, N., 2006. Can DNS-based blacklists keep up with
bots? In Collaboration, Electronic messaging, Anti-Abuse and Spam Conference (CEAS).

Reena S. and Gurjot K. 2016. E-Mail Spam Detection Using SVM and RBF. I.J. Modern
Education and Computer Science, 4, 57-63. MECS http://www.mecs-press.org/.
DOI: 10.5815/ijmecs.2016.04.07

Sculley, D., and Wachman, GM. 2007. Relaxed Online SVMs for Spam Filtering. In ACM. SIGIR
Conference on Research and Development in Information Retrieval.

Sinha, S., Bailey, M., and Jahanian, F. 2008. Shades of Grey: On the Effectiveness of Reputation-
based Blacklists. In International Conference on Malicious and Unwanted Software.

Stone-Gross, B., Holz, T., Stringhini, G. and Vigna, G. 2011. The Underground Economy of
Spam: A Botmaster's Perspective of Coordinating Large-Scale Spam Campaigns. In USENIX
Workshop on Large-Scale Exploits and Emergent Threats (LEET).

Stringhini, Egele, Zarras, Holz, Kruegel, and Vigna, 2012. B@bel: Leveraging Email
Delivery for Spam Mitigation. USENIX Security.

Symantec Corp. 2010. State of spam & phishing report.
http://www.symantec.com/business/theme.jsp?themeid=state_of_spam

Taylor, B. 2006. Sender reputation in a large webmail service. In Collaboration, Electronic
messaging, Anti-Abuse and Spam Conference (CEAS).

The Spamhaus Project. http://www.spamhaus.org

Venkataraman, S., Caballero, J., Poosankam, P., Kang, MG., and Song, DX. 2007. FiG: Automatic
Fingerprint Generation. In Symposium on Network and Distributed System Security (NDSS).

Xie, Y., Yu, F., Achan, K., Panigrahy, R., Hulten, G. and Osipkov, I. 2008. Spamming Botnets:
Signatures and Characteristics. SIGCOMM Computer Communication.
