Turning the tide against spam
- By J.B. Miles
- Dec 08, 2005
Mirapoint Inc.'s RazorGate 300 is designed to sit at the network edge and perform vendor-independent spam filtering of mail before messages ever get to the e-mail server.
Spam technologies continue to evolve; agencies just have to put them in place
Symantec's 8200 anti-spam appliances can be coupled with the company's 8100 series of e-mail security devices for additional protection.
In a few short years, unsolicited bulk e-mail has blossomed from a mere nuisance into an epidemic that threatens all enterprise messaging. In 2002, spam represented about 20 percent of all e-mail traffic, a rate that was annoying but not yet worrisome. IT managers were too busy fighting network viruses, Trojan horses and worms.
Since then, however, spam has increased exponentially. The Radicati Group, a research company in Palo Alto, Calif., predicts that by 2007, there will be 50 billion spam messages a day in the U.S., costing enterprises almost $200 billion per year in lost productivity. The Meta Group of Stamford, Conn., estimates that in 2005, between 60 and 70 percent of in- bound e-mail has been spam. And Meta Group says that number will grow to at least 80 percent next year if left unchecked.
This deluge puts a burden on e-mail relays, Simple Mail Transfer Protocol gateways and internal mail servers. It also saps human resources by clogging inboxes.
Given the spate of legislative activity around spam, plus the reams of press coverage and a growing industry for e-mail security tools, you'd expect most agencies would be up to speed on this rising tide. Sadly, you'd be wrong.
A recent report from the Government Accountability Office, Emerging Cybersecurity Issues Threaten Federal Information Systems, gave federal agencies no better than a C grade overall for handling of cybersecurity threats. Specifically, nearly 80 percent of agencies failed to identify spam as a true security risk. Only slightly more than half were aware that spam consumes network bandwidth and storage capacity. Which is why anti-spam tools are as important as ever.Blended threats
Now is no time to be complacent. Experts say that as anti-spam and antivirus solutions have proliferated, so have the skills of spammers and hackers. They've learned to combine several methods into a single attack, often called a blended threat.
Industry watchers agree that when facing blended threats, even a best-of-breed anti-spam solution might not be enough to protect an organization. Ideally, an anti-spam solution should be part of an integrated e-mail security program that offers comprehensive protection.
For government enterprises, the best spam protection comes in one of two forms: server- or appliance-based.
Server-based anti-spam software is a common choice for enterprises with enough IT skill and manpower to install and manage the products. The software is often highly flexible and modular, with add-on products that can be installed and managed alongside e-mail and Internet SMTP servers. Server software can be cost-effective to procure, but potentially expensive to integrate, administer and keep up on an ongoing basis.
Anti-spam appliances are de- signed for organizations that want to avoid installing and maintaining software but still want an onsite solution. Many leading server-based programs eventually come out on appliances because customers demand it.
Appliances often feature a hardened, secure hardware/software combination (usually running some version of Linux) that is easier to install, test, configure and run than systems you build yourself. Of course, a plug-and-play box limits the amount of customization you can perform. And you may have to buy updated hardware when the appliance reaches its performance limit.
'Server-based software offers a high degree of customizability,' said Keith Crosley, director of marketing development for Proofpoint Inc., a developer of server-based and appliance-based e-mail security products.
Crosley said large agencies with skilled IT personnel may prefer server-based anti-spam solutions over appliances, but a smaller IT department may be better off with appliances.
'They are easier to set up, use, maintain and administer than server software, and you automatically get firmware and software updates,' he said.Anti-spam approaches
Regardless of how you choose to deploy spam protection, investigate the methods vendors apply to the task. Experts agree that no single approach to identifying and dealing with spam is 100 percent effective, so a combination of techniques is best.
Content analysis techniques are used to analyze inbound e-mail. The idea is to uncover suspicious characteristics within the e-mail message that spammers attempt to hide. There are various types of content analysis, including:
- Keyword analysis, whereby specific keywords and phrases within the text of an e-mail message are scrutinized.
- Lexical analysis, in which the context of words and phrases are analyzed. Suspicious words or phrases are assigned weights depending on the context in which they're found.
- Bayesian analysis, whereby knowledge of prior events is used as a predictive tool. In spam detection, a Bayesian filter examines e-mail known to be legitimate, in addition to known spam, and compares the content to develop a database of words may help identify future spam.
- Heuristic analysis, in which a message's spam-like characteristics are scrutinized. Each characteristic gets a probability score and the entire message receives a cumulative score. If a probability threshold is reached, the message is deemed to be spam.
- Header analysis, whereby message headers are examined to determine the sender's validity.
- URL analysis, in which embedded links in e-mail messages are compared to a list of URL rules or known spam addresses.
Used alone, content analysis can generate many false positives, labeling valid e-mails as spam. One way to guard against this is to place suspect messages in a quarantine area where IT staff or end users can inspect them without infecting the network.
In addition, look for anti-spam solutions that go beyond content analysis to include techniques such as blacklists/whitelists, which compare messages against lists of domain names or e-mail addresses either known as spam sources (blacklists) or legit (whitelists).
Other anti-spam techniques include sender authentication, challenge and response, and re- verse Domain Name System lookups. All three methods attempt to ensure that a sender is legitimate. Honey pots are decoy e-mail mailboxes that act as spam traps. And a growing number of anti-spam solutions can check outbound e-mail for compliance with federal e-mail regulations and internal policies.
Remember, no single technique, whether server-based or in an appliance, can eliminate spam. Look for a vendor with a good track record and an integrated product that draws on multiple techniques. Bottom line: Agencies can no longer be complacent about spam.
J.B. Miles writes from Honomu, Hawaii. E-mail him firstname.lastname@example.org.