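Graduate student: 李佳恆
Graduate student (English name): Chia-heng Li
Thesis title (English): Hawkeye: Finding Spamming Accounts Hidden in Normal Mail Servers
Advisor: 許富皓
Advisor (English name): Fu-hau Hsu
Degree: Master's
Institution: National Central University
Department: Department of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2013
Academic year of graduation: 101
Language: English
Number of pages: 32
Chinese keywords: spam; compromised accounts; webmail
English keywords: Anti-Spam; Compromised accounts; Webmail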
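Spam has long been a serious problem. In 2012, spam accounted for about 72 percent of global email traffic, and the vast majority of it was sent by botnets. Botnets also expand very rapidly, so spam sent by botnets is the most serious part of the problem. These problems have drawn many researchers and vendors into this area, and they have proposed a wide variety of anti-spam methods, most of which target botnet spam.

After these anti-spam methods came into wide use, botnet spam became less effective than before, so spammers began looking for new ways to spread spam. One effective way is to send spam from compromised legitimate accounts (or legitimate accounts operated by bots), because these accounts have IP addresses with good reputations and their mail-sending process fully follows the SMTP protocol, for example Google Gmail, Yahoo! Mail, and Microsoft Live Mail. As a result, current anti-spam techniques have difficulty detecting spam that comes from legitimate accounts. For these reasons, we wanted to devise a method that prevents legitimate accounts from sending spam.

According to our research, ordinary users rarely reply to spam, and this is a feature that spammers find hard to hide. Moreover, when we analyzed real data, we confirmed that malicious accounts have a very low rate of being replied to. We therefore implemented a system called "HAWKEYE" that can quickly determine which accounts are suspicious based on how high or low their reply rate is. We also tested HAWKEYE on a real mail server and successfully found malicious accounts in it.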
Email spam has been a critical problem for the Internet for a long time. Spam mail averaged 72.1% of all email traffic in the world in 2012. The greatest threat to email service providers was spam mail sent from botnets, which accounted for more than 78% in 2011; as a result, many anti-spam solutions and techniques appeared that focused on botnets. Owing to these anti-spam techniques, botnet spam is not as effective as before, and spammers are finding new ways to send spam mail. One effective method is to use compromised accounts (or bot accounts), because compromised accounts have IP addresses with good reputations and send the spam mail through servers with a complete SMTP implementation, such as Gmail, Yahoo! Mail, and Microsoft Live Mail. Spam mail sent from compromised accounts is very difficult for any anti-spam technique to detect. Hence, we focus on the features spammers cannot easily hide. According to our research, normal users usually do not reply to spam mail. Moreover, our empirical analysis reveals that compromised accounts actually have a low reply rate. We developed a system called "Hawkeye" that can find compromised accounts effectively by checking each account's reply rate. We ran Hawkeye on a real mail server and actually found compromised accounts.

Chinese Abstract
Abstract
Acknowledgements
Table of Contents
List of Figures
List of Tables
1. Introduction
1.1 Spam Mail
1.2 Old Issues
1.3 New Issues
2. Background
2.1 Anti-Spam Technologies
2.2 Sending Spam
2.3 Postfix Maillog
3. System Design
3.1 Methods
3.2 Hawkeye
3.3 Reply Rate
3.4 Hawkeye Components
4. Evaluation
4.1 System environment
4.2 Result
4.3 Evasion
4.4 Limitations and Future Work
5. Related Work
5.1 Famous Anti-Spam Techniques
5.2 Anti Webmail Spam
6. Conclusion
References
