INTERNET 2019, The Eleventh International Conference on Evolving Internet


Legitimate E-mail Forwarding Server Detection Method by X-means Clustering Utilizing DMARC Reports

Authors:
Kanako Konno
Naoya Kitagawa
Shuji Sakuraba
Nariyoshi Yamai

Keywords: Spoofed e-mail, SPF, DKIM, DMARC, Clustering

Abstract:
There are several effective countermeasures against spoofed e-mail, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). However, these verification methods erroneously classify many forwarded e-mails as malicious spoofed e-mails. When an e-mail is forwarded, the sender's IP address changes to the forwarder's, so the receiver cannot verify whether the e-mail is legitimate. On the other hand, DMARC provides a function by which e-mail senders can receive DMARC aggregate reports that include information about e-mails, such as the SPF and DKIM authentication results. In this paper, we propose a method to classify legitimate forwarding servers by X-means clustering analysis using a large amount of summarized DMARC aggregate report data. In addition, we apply our method to 5,366 e-mail sending servers that sent 207,193,987 e-mails in total. As a result of the clustering, our method detects 451 servers as legitimate forwarding servers. By verifying these servers against IP blacklists and spam filter results, we confirmed that these 451 servers are legitimate e-mail sending servers. On the other hand, a median of 50.17% of the e-mails delivered from these 451 servers erroneously fail DMARC authentication. Thus, our method can significantly reduce the false positives of DMARC verification, and e-mail server administrators can detect many legitimate forwarded messages.

Pages: 24 to 29

Copyright: Copyright (c) IARIA, 2019

Publication date: June 30, 2019

Published in: conference

ISSN: 2308-443X

ISBN: 978-1-61208-721-4

Location: Rome, Italy

Dates: from June 30, 2019 to July 4, 2019