Enhanced content analysis of fraudulent Nigeria electronic mails using e-STAT

A large percentage of fraudulent spam mails are believed to originate from Nigeria or from Nigerians in remote locations. These mails (popularly referred to as 419 spam) come in broad categories but all with the intent of defrauding the recipients'. Testing the validity of senders and receivers address is one method that has been used to filter spam mails. This approach will not filter out ordinary e-mails since typical e-mail users will always include their true e-mail addresses to facilitate replies. Checking the IP-addresses of 419 mails is a way of ascertaining their actual origin. This can be done with the intention to build a database of e-mail abuse or to blacklist addresses from which fraudulent mails are originating keeping in mind that blacklisted IP addresses could be used to stop the delivery of further mails from such addresses in the future. To this end, this research examines features selected specifically from the content analysis of Nigeria spam e-mail. A domain specific statistical content analysis tool (e-STAT) was developed and implemented using Bayesian statistical technique. The software was tested and trained with a sizeable balanced corpus of Nigerian 419 spam e-mails and normal (ham) e-mails. Analysis of classified mails using e-STAT showed that current concept drift patterns among Nigerian 419 spammers and provided a blacklist of about 2,173 e-mail sender's addresses, 563 URLs within spam mails and a total of 13,491 bag-of-words common to Nigerian spam e-mails. The research obtained results that will guide future research in the domain of 419 mails in designing effective spam filters and electronic mail classifiers.