Guidelines to enable UK ISPs to share spam data


Spam gets few replies and is often sent out 24 hours a day. It is also regional. For example, legitimate traffic flows between the United Kingdom and South Korea, but it's uncommon, Clayton writes. Spam tends to consist of a huge number of short messages, while real e-mail is a mixture of sizes and sent in small numbers.

Clayton writes that there is very little cooperation between ISPs so far in detecting and reporting spam.

The project, which is funded by LINX and Intel, hopes to tap into LINX's network of ISPs. LINX, whose members include Google and the British Broadcasting Corp., is known primarily for its peering capabilities, which allow ISPs to connect directly with each other, Hutty says.

The direct connection avoids data transit charges for Internet traffic carried on other networks, he says.

LINX is enabling its peering infrastructure to produce sFlow data, packet header information for traffic flowing through its switches. Researchers believe they will be able to distinguish between real e-mail and spam using the characteristics of the sFlow traffic without examining the content, and identify the sending machines.

The end result will be a real-time list of e-mail sources that ISPs can use to investigate misuse. Through heuristic analysis, an ISP should be alerted to odd behavior, such as when one of its customers starts sending 10 times as many e-mails as in the previous week.
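As an added illustration (not code from LINX or the researchers), the sketch below applies the traits the article describes, a tenfold weekly jump, round-the-clock sending and many short messages, to per-source SMTP flow records. The record layout, the sample data, the `min_hours` and `short_bytes` thresholds and the function names are assumptions; real sFlow samples would need decoding and aggregation first.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: one (source, week, hour_of_day, bytes) tuple per outbound SMTP flow.
def build_sample():
    flows = []
    # Customer A: steady volume, office hours, mixed message sizes in both weeks.
    for week in (1, 2):
        for i in range(20):
            flows.append(("192.0.2.10", week, 9 + i % 8, 2000 + 7000 * (i % 5)))
    # Customer B: quiet in week 1, then many short messages at every hour in week 2.
    for i in range(5):
        flows.append(("192.0.2.20", 1, 10 + i, 12000))
    for i in range(240):
        flows.append(("192.0.2.20", 2, i % 24, 1500))
    return flows

def flag_sources(flows, week, ratio=10, min_hours=20, short_bytes=3000):
    """Return {source: [reasons]} for sources that look spam-like in `week`."""
    count = defaultdict(int)    # (source, week) -> number of flows
    hours = defaultdict(set)    # source -> distinct sending hours in `week`
    sizes = defaultdict(list)   # source -> flow sizes in `week`
    for src, wk, hour, nbytes in flows:
        count[(src, wk)] += 1
        if wk == week:
            hours[src].add(hour)
            sizes[src].append(nbytes)
    flagged = {}
    for src in sizes:
        reasons = []
        prev = count[(src, week - 1)]
        # No baseline (prev == 0) means the volume test cannot be applied.
        if prev and count[(src, week)] >= ratio * prev:
            reasons.append("volume")
        if len(hours[src]) >= min_hours:
            reasons.append("round-the-clock")
        if median(sizes[src]) <= short_bytes:
            reasons.append("short-messages")
        if reasons:
            flagged[src] = reasons
    return flagged

if __name__ == "__main__":
    print(flag_sources(build_sample(), week=2))
```

A flagged source is a lead for the ISP to investigate, as the article says, not a verdict; none of the tests looks at message content.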

The guidelines can be viewed at LINX's Web site. 


The IDG News Service is a Network World affiliate.

