Small networks can use sender verification to block spam
- By William Jackson
- Apr 30, 2009
Spam is a problem for everyone, but it can be especially challenging for operators of small networks to find a cost-effective way to reliably block huge volumes of unwanted e-mail messages.
“We were getting inundated with spam,” said Keith Hooker, network administrator for Allegany County, N.Y., which has about 450 users. He was receiving 100 to 150 unwanted e-mail messages a day. “I couldn’t deal with them any more.” Perhaps even more important, “a couple of the higher-ups were getting them, too.”
Bart Anthony, director of the Computer Systems Department for Reynoldsburg, Ohio, a town of about 35,000 residents, was in a similar situation.
“I used to get 100 or more spams a day,” Anthony said. “We have about 140 computers. That includes in-car laptops in the police cruisers. Since we’re a small shop, we can’t afford to spend a fortune.”
However, Hooker and Anthony were able to nearly eliminate spam by automating a set of policies for checking the validity of sender and recipient addresses and asking senders to verify that they did, indeed, send a message. They used Sendio’s E-mail Security Platform (ESP), which combines technology with human involvement to identify unwanted e-mail messages.
“We don’t determine the intent of a message from its content,” said Tal Golan, Sendio’s president and chief technology officer. “We don’t think that’s possible with e-mail.”
The platform scans for malicious code but does not evaluate content. Instead, it presents a series of hurdles that the sender and his or her e-mail server must clear before a message is accepted as valid. The approach is based on the premise that spam is usually a high-volume, low-overhead operation and any verification request will be ignored.
ESP is an appliance that sits between the network’s firewall and e-mail server to act as a proxy for the server. It monitors all port 25 traffic. The first time it sees an e-mail server’s address on an incoming message, it automatically sends a response to that server, telling it that the recipient’s address could not be found. With legitimate e-mail, a server will typically resend the message within minutes, and ESP will accept it on the second try.
“About 90 to 95 percent of bad guys will not retry,” Golan said, so the first filter eliminates a lot of unwanted traffic.
After accepting the e-mail message, ESP queries a root Domain Name System server to validate a sender’s domain the first time it sees that domain, and ESP checks internally to verify that the recipient’s address is valid if it has not seen that address before. That approach stops another large chunk of spam messages that use phony sender addresses or try to guess recipient e-mail addresses so hackers can get inside a network and look around.
If an e-mail message makes it that far, ESP applies the corporate policy, which it gets from the network’s Lightweight Directory Access Protocol server. It also can apply Sender Policy Framework (SPF), an open standard that lets a user verify that a sender is authorized to use the sender’s domain, based on policy information published by the domain’s owner.
Another option is applying DomainKeys Identified Mail (DKIM), an authentication scheme in which the outgoing server digitally signs e-mail messages using a public-key infrastructure. ESP can sign outgoing messages and check signatures on incoming mail.
“Less than 25 percent of e-mail providers are using both” SPF and DKIM, Golan said. But those using the schemes include some high-value targets, such as eBay and Google.
The last step is to deliver a challenge e-mail to a new sender, asking him or her to respond and verify that he or she did indeed send the message. When the system receives an initial response from the sender, that name is added to a safe list.
Anthony said Reynoldsburg had tried another anti-spam tool but had problems with false positives and negatives.
“There was too much spam getting through, and it was also blocking good ones,” he said. “So we started looking around.” He read a review of ESP, which concluded that it was a good product for the price. City officials began testing the appliance in March 2008 and put it into production later that spring.
Like Reynoldsburg, Allegany County first tried the appliance in passive mode, Hooker said. It was easy to set up, and best of all, “it worked. They said it would block 100 percent of the spam, and it did. The users noticed the difference right away.”
In the fourth quarter of 2008, the Reynoldsburg network received 557,000 e-mail messages. Of those, the network firewall blocked 24,800 spam messages, or about 4.5 percent of the total. ESP blocked another 476,000, or about 85 percent.
One possible weakness in the system is the challenge-response e-mail sent to first-time senders to validate the message.
“We found out that not everybody responds to them, even if they are valid,” Anthony said.
But users can view blocked mail and choose to accept a message and put it on the valid list even if the sender has not responded.
Best of all, Anthony said, the city can afford the system, the primary cost of which is a per-user license.
“We had to buy a server, but that’s all right,” he said. “The hardware part of it wasn’t that expensive — about $2,000.”
ESP comes in two standard models, the 1U rackmount 360 that can handle as many as 1,000 users, and the 430, a 2U box that can handle as many as 20,000 users. The appliances start at $1,995, with a license fee of $2.25 per user per month. Sendio can also build appliances that are optimized for customers’ networks.
William Jackson is freelance writer and the author of the CyberEye blog.