SubStop: An analysis on subscription email bombing attack and machine learning based mitigation

Abstract

Email Bombing, a kind of denial-of-service (DoS) attack is crippling internet users and is on the rise recently. A particularly notorious type is the Subscription Bombing attack, where a victim user’s inbox is bombarded with a stream of subscription emails at a particular period. This kind of attack helps the perpetrator to hide their real motive in lieu of a barrage of legitimate-looking emails. The main challenge for detecting subscription bombing attacks is that most of the attacking email appears to be legitimate and benign and thus can bypass existing anti-spam filters. In order to shed some light on the direction of detecting the bombing attacks, in this paper we first conduct some reverse engineering study on the Gmail anti-spam mechanism (as the information is not publicly available) and in-depth feature analysis of real-life bombing attack emails. Leveraging the insights from our reverse engineering study and data analysis, we propose a novel layered detection architecture, termed as SubStop, to detect and mitigate subscription bombs. SubStop exploits the statistics of incoming volume, source domain distribution, the correlation among different features, and implements machine learning to achieve effective detection. In specific, we utilize the weighted support vector machine (WSVM) and properly tune the class weights to achieve high accuracy in detecting bombing attacks. Despite the scarcity of public email data sets, we conduct extensive experiments on a real-life subscription bomb attack and real-time attacks using our bombing simulation script (which is facilitated by our reverse engineering findings), on test email accounts. Detailed experimental results show that our proposed architecture is very robust and highly accurate in detecting and mitigating a subscription bombing attack.