SocialFilter: Collaborative Spam Mitigation using Social Networks

Spam mitigation can be broadly classified into two main approaches: a) centralized security infrastructures that rely on a limited number of trusted monitors to detect and report malicious traffic; and b) highly distributed systems that leverage the experiences of multiple nodes within distinct trust domains. The first approach offers limited threat coverage and slow response times, and it is often proprietary. The second approach is not widely adopted, partly due to the lack of assurances regarding the trustworthiness of nodes that comprise the system. Our proposal, SocialFilter, aims to achieve the trustworthiness of centralized security services and the wide coverage, responsiveness and inexpensiveness of large-scale collaborative spam mitigation. We propose a large-scale distributed system that enables nodes with no email classification functionality to query the network on whether a host is a spammer. A SocialFilter node builds trust for its peers by auditing their reports on spamming hosts and by leveraging the social network of SocialFilter administrators. The node combines the confidence its peers have in their own spammer reports and the trust it places on its peers to derive the likelihood that a host is a spammer. The simulation-based evaluation of our approach indicates its potential under a real-world deployment: during a simulated spam campaign, SocialFilter nodes characterized 95% of spam connections with confidence greater than 50%, while yielding no false positives.