A new type of spam filter

Fed agencies turn to IronPort's appliances to scrutinize e-mailers' behavior

Kevin Stine, the Food and Drug Administration's chief information security officer, knew he had to do something to tackle the agency's spam problem last year. Out of 150,000 daily inbound e-mails, 40,000 were spam.

The FDA's information technology employees spent 5 percent to 10 percent of their time weeding out unsolicited commercial e-mail messages, which consumed valuable, limited resources, he said.

The FDA's biggest problem was the huge number of false positives triggered by the filters that examined e-mail messages for keywords, Stine said. The filters flagged messages that contained words such as "sex" and "Viagra," which occur in both legitimate e-mail messages and spam selling pornography and fraudulent access to pharmaceuticals.

The filters caught real spam but also corralled thousands of genuine messages, inconveniencing the FDA's 12,000 users.

The FDA didn't have an agencywide antispam system in place. Instead, it used more localized efforts based on keyword filtering, but Stine said those efforts were neither efficient nor accurate.

Realizing that they needed a more effective solution, agency officials turned to IronPort Systems, which offers a line of antispam appliances that block unwanted messages while letting in legitimate e-mail.

Most antispam products use keyword analysis of e-mail content to determine if a message is spam. This method leads to a cat-and-mouse game between spammers and information security professionals because the former can easily manipulate content to bypass filters, said Tom Gillis, IronPort's senior vice president of worldwide marketing. Then the filter-makers refine their tools, and the cycle begins anew.

IronPort uses a behavioral model of filtering, which grants or blocks access to its customers' networks based on e-mail senders' behavior instead of their messages' content.

This reputation-based filtering blocks spam and viruses while letting legitimate traffic pass through with greater accuracy and reliability, IronPort officials and customers say.

IronPort engineers got the idea for reputation-based filtering from a question: Aside from a message's content, how can you identify a spammer? They knew that message volume is the biggest tip-off because spam's business model requires volume for success, Gillis said.

That question led to a list of other criteria that IronPort uses to evaluate whether an e-mail message is spam.

For example, if an e-mail source sends millions of messages in a matter of seconds, doesn't accept messages in response and has a consumer IP address that normally doesn't send that volume of traffic, it's a spammer and IronPort will block messages from it.

"In the end, reputation has turned out to be the single most important element of spam control," said Peter Christy, principal analyst at the Internet Research Group, a market strategy and research firm.

America Online has been using reputation-based blocking for years, Christy said. The Internet titan can block 50 percent to 70 percent of its e-mail traffic by IP address alone with virtually no chance that the blocked traffic is anything but spam, he said.

Hey, big sender

IronPort uses its worldwide network of probes to see who is sending gargantuan amounts of e-mail messages, Gillis said. IronPort fields more than 5 billion queries a day about the reputation of 100,000 Internet service providers in its SenderBase network, which puts it in the position to know who the big senders are.

IronPort acts like a consumer credit service, such as Equifax, by assigning each e-mail source a relative score of -10 to +10 derived from 200 separate data points that reflect the source's spammer characteristics, Gillis said.

The score helps IronPort users choose whom to let into their networks, Gillis said. They can allow full, limited or no access depending on the safety score of an incoming e-mail. Any e-mail message below a customer-defined minimum score never makes it onto the network.

IronPort customers have the tools to manage their risk better by implementing policies that block spam and malware automatically, said Thomas Topping, IronPort's manager of federal sales in the Washington, D.C., region.

IronPort tracks server use and user complaints and has used that knowledge to help the FBI successfully prosecute spammers, Topping said.

IronPort sells the most advanced reputation-based filtering system and also is the only manufacturer that offers hardware for installation at customers' locations, Christy said.

It also is unique because it has its own means to score IP addresses and enable its customers to create policies to base access on them, he said.

Symantec offers some reputation-based filtering in its Brightmail AntiSpam e-mail product. CipherTrust also offers it, Christy said, although CipherTrust's product is less comprehensive and sophisticated than IronPort's.

Filling a need

Since February 2004, IronPort has gone from having no federal customers to counting the Army, Navy, Department of Veterans Affairs, Transportation Department and Labor Department as customers, Topping said.

Three million federal employees now have their e-mail systems protected by IronPort products, he said.

The Army Knowledge Online portal is IronPort's biggest customer, Topping said. A two-person team using two IronPort X1000 high-performance appliances and 10 C600 e-mail security appliances protects more than 2 million users, he said.

Stine bought the FDA two IronPort C600s a year ago. Installing the filters and fine-tuning the policy were easy, he said. Since then, the units have quarantined about 11 million messages without producing any false positives, he said.

By blocking the 40,000 daily spam messages, IronPort's products opened up a lot of storage formerly used to quarantine spam and "freed up a lot of time for people to get back to their normal jobs," Stine said. FDA user satisfaction and productivity rose, too.

"We definitely spend less time on spam than we did before," Stine said. Another plus: The decline in spam has boosted the IT shop's reputation within the agency.

Stine is so pleased with IronPort that he said the agency will deploy the company's virus-outbreak filters in the next fiscal year. According to IronPort, the filters protect users during the gap, as long as 13 hours, between a virus outbreak and the release of antivirus signatures by security vendors.

Spammer checklist

IronPort Systems, a developer of antispam technology, uses a checklist of roughly 100 criteria to determine the reputation of every IP address. Any one item might be negative, but by looking at all of them through a statistical algorithm, the technology provides a reliable prediction of whether a spammer is using a certain IP address.

The criteria ask many questions, such as:

  • What is the global volume of mail sent from the sender?
  • How long has mail been sent from a sender?
  • Has there been a change in the volume of sent mail?
  • Does the sender accept mail in return?
  • Is the sender one of the world's largest companies?
  • Is the sender listed on any white lists or accreditation services?
  • Is the sender listed on any black lists?
  • Are users complaining about spam coming from the sender?
  • Does the sender have a history of sending viruses?
  • Is the sender coming from an IP range of a consumer broadband network?
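To make the scoring and policy model concrete, here is an added example (not IronPort's code or algorithm) that turns checklist questions like those above into signed contributions, combines them into the -10 to +10 scale the article describes, and maps the result to the full, limited or blocked access tiers a customer would configure. The signal names, weights, thresholds, IP ranges, dates and sample sender profiles are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed stand-ins for consumer-broadband ranges (RFC 5737 documentation prefixes).
CONSUMER_RANGES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

# Constructed reference date so the example is reproducible offline.
TODAY = date(2005, 6, 1)


@dataclass
class SenderProfile:
    """Per-source observations of the kind the checklist asks about (constructed fields)."""
    ip: str
    daily_volume: int        # messages seen from this source today
    baseline_volume: int     # trailing average daily volume
    first_seen: date         # when the source first sent mail
    accepts_replies: bool    # does the source accept mail in return?
    on_whitelist: bool
    on_blacklist: bool
    complaints: int          # user spam complaints attributed to the source
    virus_history: bool


def evaluate_signals(p: SenderProfile, today: date = TODAY) -> dict:
    """Turn each checklist question into a signed contribution (weights are constructed)."""
    signals = {}
    ratio = p.daily_volume / max(p.baseline_volume, 1)
    signals["volume_spike"] = -4 if ratio > 50 else -2 if ratio > 5 else 0
    age_days = (today - p.first_seen).days
    signals["sender_age"] = -2 if age_days < 7 else 2 if age_days > 365 else 0
    signals["accepts_replies"] = 1 if p.accepts_replies else -2
    signals["whitelist"] = 3 if p.on_whitelist else 0
    signals["blacklist"] = -4 if p.on_blacklist else 0
    signals["complaints"] = -min(p.complaints // 100, 3)   # capped penalty
    signals["virus_history"] = -3 if p.virus_history else 0
    addr = ip_address(p.ip)
    signals["consumer_range"] = -2 if any(addr in net for net in CONSUMER_RANGES) else 0
    return signals


def score_sender(p: SenderProfile, today: date = TODAY) -> tuple:
    """Combine the signals into the -10..+10 scale (clamped) and return the breakdown."""
    signals = evaluate_signals(p, today)
    raw = sum(signals.values())
    return max(-10, min(10, raw)), signals


def policy_for(score: int, reject_below: int = -3, limit_below: int = 3) -> str:
    """Map a score to an access tier; the thresholds are the customer-defined knobs."""
    if score < reject_below:
        return "blocked"
    if score < limit_below:
        return "limited"
    return "full"


# Constructed sample senders: an established corporate mailer, a hijacked
# consumer machine blasting mail, and a small unknown sender with no history.
CORPORATE = SenderProfile("203.0.113.10", 50_000, 48_000, date(2001, 1, 1),
                          True, True, False, 3, False)
ZOMBIE = SenderProfile("192.0.2.77", 2_000_000, 10, date(2005, 5, 30),
                       False, False, True, 450, True)
NEWCOMER = SenderProfile("203.0.113.55", 200, 150, date(2005, 5, 2),
                         True, False, False, 0, False)

if __name__ == "__main__":
    for name, prof in [("corporate", CORPORATE), ("zombie", ZOMBIE), ("newcomer", NEWCOMER)]:
        score, breakdown = score_sender(prof)
        print(f"{name:9s} score={score:+3d} tier={policy_for(score):8s} {breakdown}")
```

The point of keeping the per-signal breakdown is the one the article makes: no single criterion is decisive, and an operator tuning the reject and limit thresholds wants to see which signals pushed a sender across a line before adjusting them.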

Penalty boxes and zombies

IronPort Systems' reputation-based filtering technology does more than just block spam, said Tom Gillis, the company's senior vice president of worldwide marketing.

Reputation-based filtering also helps combat viruses because viruses spread thousands of times faster than any human could send messages, Gillis said.

IronPort has created virus-outbreak filters that quarantine probable viruses in a penalty box for evaluation, he said.

Antivirus software from Sophos then clears the messages for delivery or blocks them from ever reaching the network.
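The penalty-box idea in the three paragraphs above rests on velocity: an identical attachment arriving from many sources faster than people could plausibly send it is held until an antivirus engine rules on it. The following is an added example of that mechanism (not IronPort's or Sophos's code); the window, burst threshold, message samples and timestamps are constructed, and the antivirus verdict is supplied by hand rather than by a real scanner.

```python
import hashlib
from collections import defaultdict, deque


class OutbreakQuarantine:
    """Velocity-based penalty box: hold messages whose attachment fingerprint
    arrives faster than a human sender could manage, until a verdict arrives."""

    def __init__(self, window_seconds: float = 60, burst_threshold: int = 20):
        self.window = window_seconds
        self.threshold = burst_threshold
        self.seen = defaultdict(deque)   # fingerprint -> recent arrival timestamps
        self.held = defaultdict(list)    # fingerprint -> ids of quarantined messages
        self.verdicts = {}               # fingerprint -> "clean" or "infected"

    @staticmethod
    def fingerprint(attachment: bytes) -> str:
        return hashlib.sha256(attachment).hexdigest()

    def ingest(self, msg_id: str, attachment: bytes, ts: float) -> str:
        """Return the action for one message: deliver, quarantine or block."""
        fp = self.fingerprint(attachment)
        if fp in self.verdicts:                       # scanner already ruled on it
            return "deliver" if self.verdicts[fp] == "clean" else "block"
        arrivals = self.seen[fp]
        arrivals.append(ts)
        while arrivals and ts - arrivals[0] > self.window:   # slide the window
            arrivals.popleft()
        if len(arrivals) >= self.threshold:           # burst: into the penalty box
            self.held[fp].append(msg_id)
            return "quarantine"
        return "deliver"

    def apply_verdict(self, fp: str, verdict: str) -> list:
        """Record the antivirus verdict; return the held ids now released or dropped."""
        self.verdicts[fp] = verdict
        return self.held.pop(fp, [])


def simulate() -> dict:
    """Constructed outbreak: 30 copies of one payload in about nine seconds, one benign memo."""
    box = OutbreakQuarantine(window_seconds=60, burst_threshold=20)
    worm = b"MZ\x90\x00 constructed stand-in for a mass-mailing worm payload"
    memo = b"%PDF-1.4 constructed benign quarterly report"
    actions = [box.ingest(f"worm-{i}", worm, ts=100 + i * 0.3) for i in range(30)]
    memo_action = box.ingest("memo-1", memo, ts=105)
    held = box.apply_verdict(box.fingerprint(worm), "infected")   # hand-supplied verdict
    late_action = box.ingest("worm-late", worm, ts=120)
    return {
        "delivered_before_threshold": actions.count("deliver"),
        "quarantined": actions.count("quarantine"),
        "memo": memo_action,
        "held_released_or_dropped": len(held),
        "late_action": late_action,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The simulation shows the trade-off inherent in the approach: the first messages of a burst are delivered before the velocity threshold trips, so the window and threshold are tuned against the false-positive cost of holding a legitimate mass mailing rather than set to zero.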

IronPort can also alert computer owners if hackers or cybercriminals have hijacked their systems and turned their computers into zombies, Gillis said. Seventy percent of spam is launched from networks of consumer computers that have been hijacked by malicious users.

Those computers are easy to spot because they bypass official gateways to organizations' networks, he said.

-- Michael Arnone