Not your typical spam fighters

Inside the Project: Anti-Spam

Challenge: The Food and Drug Administration had a unique spam problem: Many unwanted messages looked a lot like legitimate e-mail. The agency needed a way, for instance, of keeping out frivolous Viagra offers while letting through genuine Viagra correspondence.

Solution: Traditional keyword-based spam filtering didn't fit the bill for FDA. So the agency found a spam technology from IronPort Systems that relies heavily on filtering mail based on the people or groups who sent it.

Mission Benefit: In its first year using the IronPort anti-spam appliances, FDA had exactly zero false positives (legitimate messages erroneously flagged as spam). The system examines as many as 150,000 e-mails a day and blocks about 40,000 of them. Workers don't have to waste time handling spam, IT workers can concentrate on other projects and the FDA network is more secure because potentially malicious messages are kept away.

Lessons learned: FDA's IT security shop was careful to lay the groundwork for the implementation, paying attention both to the needs of its IT users and the technology it selected to protect e-mail. 'We were sensitive to the fact that we wanted to bring this in gradually,' said CISO Kevin Stine.

Stine's advice to other agencies taking a fresh look at their anti-spam programs:

  • 'Really understand your mission and the information you are trying to protect.' Each agency has unique needs. Unlike many other agencies, FDA actually wants to get e-mail with words like 'Viagra' in the subject line.

  • Listen to the user community. Knowing what their headaches are can help ease your own. Each call to the help desk drains resources that are needed elsewhere.

  • Do your homework and understand the technology you're considering. Contact references who can give you their real-world experiences in rolling out a product in a production environment.

William Jackson

FDA security officer Kevin Stine chose IronPort C600 appliances that examine and filter as many as 150,000 in-bound e-mails a day, blocking about 40,000 of them. As a result, the "good" Viagra messages are getting through, while the "bad" ones are being blocked.

The Food and Drug Administration is like many other federal agencies: It's a complex organization with eight operating divisions and 14,000 end users, each with a different set of IT needs. And like most agencies, it has long been the target of e-mail spammers.

'We didn't have a way to measure it quantitatively,' said FDA's chief information security officer Kevin Stine. 'But from the user frustration we knew there was a problem.'

That problem not only wasted workers' time, but it also pulled IT staff off more critical work. Plus it was a growing security threat, as over time spam morphed into a distribution channel for malicious code.

But blocking unwanted e-mail at FDA is actually more complicated than at many other agencies. To FDA workers, some spam looks like regular daily correspondence. As a result, Stine and his group needed more than your average filter.

'A lot of the products FDA regulates are the subjects of spam e-mails. A lot of the key words you see in spam are words that FDA uses on a regular basis,' Stine said. Specifically, words like 'Viagra' and 'Cialis' often need to get through, so the most commonly used techniques for filtering spam won't work well at FDA.

'But we didn't have any automated solution,' Stine said. There were filters at the server level to block files and deny executable attachments, but they didn't adequately address the spam problem. 'It wasn't uncommon for users to get 20 or 30 spam e-mails a day in their mailboxes.'

With that in mind, the agency started researching the anti-spam market in the summer of 2004. Stine said he wanted spam reduction, but with a low false-positive rate, meaning the solution shouldn't incorrectly block too many legitimate messages.

After evaluating several vendors, FDA chose systems from IronPort Systems Inc. of San Bruno, Calif. IronPort makes security appliances that use a sender-reputation filter as a first line of defense, eliminating the need to rely on keyword filtering. In other words, the technology looks more closely at who sent the message than what the message says.

'We liked the idea of reputation scoring,' Stine said. 'That significantly reduced the risk of getting false positives.'

The good Viagra gets through

FDA now has a pair of IronPort C600 appliances that examine and filter as many as 150,000 in-bound e-mails a day, blocking about 40,000 of them. The good Viagra messages are getting through, while the bad ones are being blocked.

'We haven't identified any false positives' in more than a year of operation, Stine said.

The C600 is IronPort's enterprise model, designed for service providers and enterprises with more than 10,000 users, capable of filtering up to 500,000 messages an hour. The distinguishing feature of the C-series appliances is the reputation filter, which lets users block traffic from known or suspected spammers without having to inspect content.

The filter uses IronPort's SenderBase monitoring service, which gathers data on traffic from 100,000 organizations using the company's e-mail appliances. It evaluates 110 attributes on an estimated 30 percent of the world's e-mails, including:

  • The volume and pattern of mail from the sender

  • Complaints of spamming made against the sender

  • Whether the IP address of the sender matches the domain of the sender's URL.

'Every single piece of information we can gather,' said Thomas R. Topping, IronPort's federal sales manager.

Based on the patterns identified in this data, each source IP address is scored on a 200-point scale, ranging from 10 for the best reputations to negative-10 for the worst.

Users can set filter policies to deal with each message based on the score of the source address. Each address can be allowed through, blocked, quarantined or sent on for further inspection, as appropriate.

The reputation filter can stop up to 80 percent of spam based on scores alone.
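To make the score-based policy tiers concrete, here is an added Python example (not IronPort's code or FDA's configuration) that maps a sender-reputation score on the -10 (worst) to +10 (best) scale to the allow, inspect, quarantine or block actions the article lists, without ever reading the subject line. The thresholds, IP addresses, scores and subject lines are constructed assumptions; the conservative policy shows the false-positive-averse tuning the article describes, where doubtful senders are handed to content scanning rather than blocked.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ALLOW, INSPECT, QUARANTINE, BLOCK = "allow", "inspect", "quarantine", "block"  # gateway actions

@dataclass(frozen=True)
class ReputationPolicy:
    """Thresholds on the -10 (worst) .. +10 (best) sender score; values are assumptions."""
    block_below: float = -3.0       # refuse the connection outright
    quarantine_below: float = 0.0   # hold for review
    inspect_below: float = 3.0      # hand to content/anti-spam scanning; above this, deliver

# False-positive-averse tuning: only very bad scores are blocked, doubtful ones get scanned.
CONSERVATIVE = ReputationPolicy(block_below=-7.0, quarantine_below=-4.0, inspect_below=5.0)

def decide(score: float, policy: ReputationPolicy = ReputationPolicy()) -> str:
    """Map a sender-reputation score to an action; the message content is never consulted."""
    if not -10.0 <= score <= 10.0:
        raise ValueError(f"score {score} is outside the -10..+10 reputation scale")
    if score < policy.block_below:
        return BLOCK
    if score < policy.quarantine_below:
        return QUARANTINE
    if score < policy.inspect_below:
        return INSPECT
    return ALLOW

# Constructed stand-in for a SenderBase-style lookup (documentation IP ranges, invented scores).
REPUTATION: Dict[str, float] = {
    "198.51.100.7": 8.5,   # established pharmaceutical company relay, clean history
    "203.0.113.42": -9.0,  # many spam complaints, bursty volume pattern
    "192.0.2.19": -1.5,    # newly seen host, little history either way
    "192.0.2.88": 2.0,     # low-volume sender, no complaints
}

# Constructed sample traffic: (connecting IP, subject line).
SAMPLE_MAIL: List[Tuple[str, str]] = [
    ("198.51.100.7", "Viagra labeling update for review"),
    ("203.0.113.42", "Cheap VIAGRA!!! order now"),
    ("192.0.2.19", "Cialis adverse event report"),
    ("192.0.2.88", "Meeting notes"),
    ("203.0.113.42", "Re: your account"),
]

def route(messages, policy=ReputationPolicy(), reputation=REPUTATION, unknown_score=0.0):
    """Return (per-message decisions, per-action counts); unknown IPs get a neutral score."""
    decisions = [(ip, subj, decide(reputation.get(ip, unknown_score), policy)) for ip, subj in messages]
    counts = {a: 0 for a in (ALLOW, INSPECT, QUARANTINE, BLOCK)}
    for _, _, action in decisions:
        counts[action] += 1
    return decisions, counts
```

Note that the legitimate "Viagra" subject from the high-reputation relay is delivered while the same word from the complained-about host is refused, which is the behaviour the article credits to reputation scoring.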

'Reputation filter was a big piece for the FDA,' Topping said. 'This was important to the FDA because they never have to look at it. They have already established it's from a bad guy and they block it.'

In addition to the reputation filter, the appliance incorporates Brightmail anti-spam technology from Symantec Corp. of Cupertino, Calif. Symantec uses a system of honeypots to trap and identify spam. Brightmail can block known spam using this data, without relying on keyword scans.

That said, the IronPort appliance does have a content scanning engine that can enforce regulatory and acceptable use policies, as well as an antivirus filter from Sophos AntiVirus Inc. of Wakefield, Mass. It also provides tools for central monitoring and management of e-mail traffic.

FDA is able to manage its e-mail stream with a single C600 box, using the second appliance for redundancy.

'How many you use is partly a function of mail volume, and partly a function of network architecture,' Topping said.

Other factors include the number of filters being used and the amount of scanning required.

'The more you look at it, the more CPU cycles you need,' Topping said.

Rolling out across offices

According to Stine, FDA began a phased deployment of IronPort's capabilities in August 2004. 'As we gained more confidence, we geared up to rolling out to the whole agency.'

Each appliance can handle multiple filtering policies for different divisions within the organization. It also integrates with directories to create rules and exceptions for individual users.

Before deployment, the CISO explained to end users exactly what was being done and why. This, and the evaluation done prior to rollout, resulted in a smooth deployment.

'We did a lot of our homework up front, so we had a level of confidence going into the physical rollout,' Stine said. 'The way the tool is deployed is transparent.'

The results, however, have been highly visible. Computer users are happier and spend less time deleting spam; the IT staff devotes more of its time to more important issues; and there have been fewer infections and outbreaks of malicious code within the agency.

'We've blocked about 11 million unwanted e-mails in the last year,' Stine said. 'And we've realized other benefits.'
