Tuesday, January 16, 2007

Spam detector?

Spammers attacked another user's site here at 757 recently, and it got me thinking. Carrier ISPs usually have no idea what their customers use their connections for until people start complaining about abuse. Part of the problem is that nobody seems to have tackled detecting the abuse while it is happening.

I may be on the wrong track, but here are my thoughts:

  • People who buy big pipes are expected to push large amounts of traffic (why else pay such a large chunk of money?).
  • However, the difference between a lot of people visiting a site and a site spamming a lot of blogs/wikis/guest books is the direction of the traffic.
  • This difference in direction can be detected via the TCP handshake, i.e. the SYN, SYN/ACK, ACK sequence: whoever sends the initial SYN is the side opening the connection.
  • Thousands (millions?) of SYN packets towards a web site (from unique IPs) means one of two things: lots of visitors, or a possible botnet attack (which we're not discussing at the moment).
  • Thousands (millions?) of bare SYN packets (SYN set, no ACK) from a site to hundreds or thousands of other web sites (unique IPs not required) means that the ISP's customer is either Google or is doing something worth investigating further.
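As an added example (not from the original post), here is the direction test above written out as detection logic. It assumes packet records are already available as (src_ip, dst_ip, tcp_flags) tuples, for instance from a pcap or flow export at the customer's uplink, and that the customer's netblock is known. The traffic below is constructed: one host in the block behaving like a busy web server, one behaving like a comment spammer.

```python
"""Direction-aware SYN accounting for one ISP customer netblock.

Added example, not code from the original post. Input is assumed to be
(src_ip, dst_ip, tcp_flags) tuples captured at the customer's uplink; the
sample traffic in make_sample() is constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

SYN = 0x02   # TCP flag bits as they appear in the header
ACK = 0x10


@dataclass
class SynStats:
    inbound_syn: int = 0                               # handshakes opened *toward* the host
    outbound_syn: int = 0                              # handshakes opened *by* the host
    outbound_peers: set = field(default_factory=set)   # distinct remote hosts it connected to


def classify_syns(packets, customer_net):
    """Count bare SYNs (SYN set, ACK clear) per customer host, by direction.

    A bare SYN is the first packet of a handshake, so its source is the side
    opening the connection. SYN/ACK and ACK packets are skipped: they only
    answer a handshake somebody else started, so they carry no direction info.
    """
    net = ipaddress.ip_network(customer_net)
    stats = defaultdict(SynStats)
    for src, dst, flags in packets:
        if not (flags & SYN) or (flags & ACK):
            continue  # not a connection request
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip in net and src_ip not in net:
            stats[dst].inbound_syn += 1            # a visitor opening a connection to the customer
        elif src_ip in net and dst_ip not in net:
            stats[src].outbound_syn += 1           # the customer opening a connection to the outside
            stats[src].outbound_peers.add(dst)
    return dict(stats)


def suspicious_hosts(stats_by_host, min_outbound=1000, max_ratio=0.1):
    """Flag hosts that open far more connections than they accept.

    A web server's outbound SYNs (DNS, backends) are a small fraction of its
    inbound SYNs. Thresholds are assumptions; tune them per customer and
    allowlist known crawlers, which are the legitimate exception the post notes.
    """
    flagged = []
    for host, s in stats_by_host.items():
        if s.outbound_syn < min_outbound:
            continue
        if s.outbound_syn > max_ratio * max(s.inbound_syn, 1):
            flagged.append(host)
    return sorted(flagged)


def make_sample():
    """Constructed traffic: 203.0.113.10 is a busy site, 203.0.113.20 a spammer."""
    pkts = []
    web = "203.0.113.10"
    visitors = [f"198.51.100.{i}" for i in range(1, 201)] + [f"192.0.2.{i}" for i in range(1, 201)]
    for v in visitors:                                  # 400 full handshakes from unique visitors
        pkts += [(v, web, SYN), (web, v, SYN | ACK), (v, web, ACK)]
    for backend in ("192.0.2.250", "192.0.2.251"):      # a couple of legitimate outbound connections
        pkts += [(web, backend, SYN), (backend, web, SYN | ACK), (web, backend, ACK)]

    spammer = "203.0.113.20"
    targets = [f"192.0.2.{100 + i}" for i in range(1, 61)]   # 60 blogs, hit repeatedly
    for n in range(300):                                 # 300 outbound handshakes, no inbound traffic
        t = targets[n % len(targets)]
        pkts += [(spammer, t, SYN), (t, spammer, SYN | ACK), (spammer, t, ACK)]
    return pkts


if __name__ == "__main__":
    by_host = classify_syns(make_sample(), "203.0.113.0/24")
    for host, s in sorted(by_host.items()):
        print(f"{host}: in={s.inbound_syn} out={s.outbound_syn} peers={len(s.outbound_peers)}")
    print("investigate:", suspicious_hosts(by_host, min_outbound=100))
```

The only thing the detector needs from the wire is which side sent the initial SYN, so it works on sampled flow records as well as full captures; nothing in the payload is inspected. The thresholds here are deliberately low so the constructed sample trips them; on a real uplink the absolute counts matter less than the outbound-to-inbound ratio for a given host.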

Detecting this sort of thing should be relatively easy. Has anyone tried this? Willing to try it?