Friday, October 12, 2007

5 steps for E-mail Security Assurance. Step 1: STOPPING SPAM

The first generation of email security solutions used a simple approach to stopping spam—keyword analysis. These early filters would look for words typically found in spam (words like “free”, “Viagra”, or other more explicit language). The filters typically used a scoring algorithm—if the word “free” occurs next to “Viagra”, then the message is probably spam. The problem with this approach was twofold. First, it frequently trapped legitimate messages—Viagra is actually a product used in business, and the word “free” is almost unavoidable in the business lexicon. Second, keyword filtering is relatively easy for spammers to defeat, by using a zero instead of the letter o (I L0ve Y0u) or by adding blocks of innocuous text that fool the filters.

Nearly all modern spam systems have moved to a two-layer defense. The outer layer is known as a reputation filter. A reputation filter asks the simple question, “who is sending this email?” before accepting it. By examining the reputation or sending history of a given sender, the vast majority of spam can be eliminated before it even enters the network.

At the heart of any reputation system is a database that distinguishes the “good guys” from the “bad guys”. As might be expected, the quality and accuracy of a reputation filter is directly tied to the quality and accuracy of the underlying database. IronPort Systems invented the concept of reputation filtering in 2003. The underlying database behind IronPort’s solution is SenderBase®—the world’s first, largest, and most accurate reputation database. SenderBase collects data from more than 100,000 networks that make up over 30 percent of the entire world’s email traffic. This massive data footprint means that SenderBase can detect the sending patterns of literally every mail server on the Internet, in real time.

IronPort is the only company in the industry that shares this valuable data with entities outside of its customer base. IronPort has made SenderBase available to select ISPs and open source programs. IronPort also makes SenderBase data available via a web portal at www.senderbase.org. This open policy has led to widespread adoption of SenderBase as the default reputation service—and the more entities that use the SenderBase data, the better the quality of the data. Note that SenderBase is not licensed to other commercial solutions—it is embedded into the IronPort appliances.

SenderBase measures objective parameters about a given mail server. In total, more than 150 different parameters are measured, such as how much mail an IP address sends, whether it accepts mail in return, how long it has been sending mail from a given IP address, and what its country of origin is. This data is then rolled up into a score using a statistical algorithm. The score is made available to all IronPort appliances, which use it to determine how much mail, if any, to accept from a given sender. Coupling the reputation score with the ability to rate limit a given sender is another IronPort innovation. The system has the capacity to “push back” and slow down senders that appear suspicious, without necessarily blocking them outright. This capability allows the IronPort appliance to deal with questionable senders—senders that appear to be spamming, but not conclusively. By rate limiting these senders, the most hostile mail can be kept out of the system without introducing the false positive problems associated with first generation systems.

The process of reputation filtering is very similar to consumer credit systems. Every sender has a reputation, and the email transactions of that sender are tracked, just as the transaction history of any individual is tracked by a credit bureau. These transactions are rolled into a score, and the score is made available to merchants in the credit example, and to receiving mail servers in the email example. The merchant then decides how much credit (if any) to extend, just as the receiving IronPort appliance decides how much mail (if any) to accept. This simple but powerful concept is very effective—blocking as much as 80 percent of incoming spam at the connection level, before it even enters the network. Network-level blocking has the added benefit of saving bandwidth and system resources.

IronPort Reputation Filters™ take known good, trusted senders and route them directly to the anti-virus scanners. Known bad senders are (typically) blocked. Senders in the middle are rate limited and sent to a second stage of filtering, known as context analysis. IronPort has developed a Context Adaptive Scanning Engine (CASE). CASE technology performs a second examination of each message, asking four basic questions—who sent it, what does it contain, where does it direct the user, and how was it constructed. It is almost a rule set of common sense: examine the who, what, where and how of a message. For example, if CASE is analyzing a message that contains multiple references to “Viagra” (the what), the message is considered suspicious. But if the message in question is coming from a known pharmaceutical company (the who) and does not contain any links to an external online pharmacy (the where), then CASE will determine the message is valid. If this message had been examined without the benefit of a full context analysis, it would likely have been marked as spam.
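As an added illustration (not IronPort's code or algorithm), here is a small Python sketch of the two-stage flow described above: a reputation score is mapped to an accept, block or rate-limit tier, and only the rate-limited middle is passed to a who/what/where context check modelled on the pharmaceutical example. The score scale, thresholds, database contents, rate-limit formula and the pharmacy domain are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed stand-in reputation database (IP -> score on an assumed -10..10 scale).
REPUTATION_DB = {
    "198.51.100.7": 8.5,   # long-established corporate mail server
    "203.0.113.9": -7.0,   # known spam source
    "192.0.2.45": 0.5,     # new sender with little history
}
# Constructed "who" list: domains the site treats as legitimate pharmaceutical companies.
KNOWN_PHARMA_DOMAINS = {"examplepharma.test"}
EXTERNAL_LINK = re.compile(r"https?://([\w.-]+)", re.I)

@dataclass
class Message:
    src_ip: str
    from_domain: str
    body: str

def reputation_tier(ip):
    """Stage 1: map the connecting IP's reputation score to an admission policy."""
    score = REPUTATION_DB.get(ip, 0.0)   # unknown senders land in the middle
    if score >= 5.0:
        return "accept"      # known good: skip spam analysis, go straight to AV
    if score <= -5.0:
        return "block"       # known bad: refuse the connection
    return "ratelimit"       # questionable: slow the sender down and inspect content

def rate_limit(ip):
    """Recipients per hour allowed for a questionable sender, scaled by its score."""
    score = REPUTATION_DB.get(ip, 0.0)
    return int(50 + 10 * (score + 5.0))  # -5 -> 50/h, +5 -> 150/h

def context_verdict(msg):
    """Stage 2: who/what/where checks, mirroring the page's pharmaceutical example."""
    what_hits = len(re.findall(r"\bviagra\b", msg.body, re.I))
    if what_hits == 0:
        return "clean"                       # "what": nothing suspicious
    who_trusted = msg.from_domain in KNOWN_PHARMA_DOMAINS
    external = [d for d in EXTERNAL_LINK.findall(msg.body) if not d.endswith(msg.from_domain)]
    # Suspicious content is accepted only from a known sender with no link to an outside site.
    return "clean" if who_trusted and not external else "spam"

def filter_message(msg):
    """Run the two stages; only rate-limited senders reach context analysis."""
    tier = reputation_tier(msg.src_ip)
    if tier != "ratelimit":
        return tier
    return f"ratelimit({rate_limit(msg.src_ip)}/h):{context_verdict(msg)}"
```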

The combination of reputation filtering to sort out the obvious good from the obvious bad, followed by the more careful context filtering to evaluate a message in its full context, makes for a “1-2 punch” against spam. This architecture has been deployed at more than 25 percent of the world’s largest enterprises and has proven to be very effective at stopping spam, without suffering from false positives. Many small and medium businesses have had experience with first generation spam filters that rely on simple keywords to identify spam. As discussed earlier, these filters have proven to be fairly inaccurate, letting spam in and occasionally blocking legitimate messages. To compensate, first generation solutions include complex end user controls that allow end users to whitelist or blacklist certain senders. End users also need to check a quarantine to review spam messages and make sure none are legitimate. These tools are really a work-around for an inaccurate spam filter. While the IronPort solution supports much of this end user facing functionality, most IronPort users choose not to enable it. Therefore, all the end users know is that email works again—and that their IT team are geniuses.