Departmental Papers (CIS)

Document Type

Conference Paper


26th Annual Computer Security Applications Conference, Orlando, Florida, December 5-9, 2010.


IP blacklists are a spam filtering tool employed by a large number of email providers. Centrally maintained and well regarded, blacklists can filter 80+% of spam without having to perform computationally expensive content-based filtering. However, spammers can vary which hosts send spam (often in intelligent ways), and as a result, some percentage of spamming IPs are not actively listed on any blacklist. Blacklists also provide a previously untapped resource of rich historical information. Leveraging this history in combination with spatial reasoning, this paper presents a novel reputation model (PreSTA), designed to aid in spam classification. In simulation on arriving email at a large university mail system, PreSTA is capable of classifying up to 50% of spam not identified by blacklists alone, and 93% of spam on average (when used in combination with blacklists). Further, the system is consistent in maintaining this blockage-rate even during periods of decreased blacklist performance. PreSTA is scalable and can classify over 500,000 emails an hour. Such a system can be implemented as a complementary blacklist service and used as a first-level filter or prioritization mechanism on an email server.

Subject Area

CPS Internet of Things

Publication Title

26th Annual Computer Security Applications Conference (ACSAC '10)

Permission Statement

© ACM 2010. This is the author's version of the work. It is posted here for your personal use. Not for redistribution. The definitive Version of Record was published in Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC '10),


Email spam, blacklists, reputation



Date Posted: 05 January 2011

This document has been peer reviewed.