Reflexion effectively blocks spam without fallible filters

Challenge-and-response approach gives users ample control over who can and can't contact them

Most anti-spam engines use a variety of filtering engines to block messages based on originating IP address of the sender, the domain, words in the message, or a wide variety of other indicators. There are two inherent problems with this approach, however: Spammers are able to change their approaches in order to bypass filters, and at times, filters can block legitimate mail. I regularly receive bounced messages, for instance, because some black-hole lists such as sorbs.net have decided I shouldn't operate an e-mail server on a dynamic DNS address.

RTC (Reflexion Total Control) 3.0 takes a different approach to blocking spam. Rather than filtering messages, it gives each of your users a different alias e-mail address for everyone they correspond with. This is initiated with a challenge/response approach.

For example, suppose someone outside your company sends an e-mail for the first time to Joe Smith at joesmith@mycompany.com. The e-mail will bounce back to the sender with a request to resend it to a new, automatically generated address, such as joesmith.8105@mycompany.com. When the sender replies, he or she will be able to send e-mail freely to the address without being challenged. A legitimate sender presumably will comply with the request; however, most specialized spam-sending e-mail servers won't.

Furthermore, with RTC, users are allowed to generate additional alias addresses themselves to use, for instance, when filling out registration forms on Web sites. A different address could be used for each site, which would allow you to determine which Web vendor sold the address to a third party.

Return to (Unwanted) Sender

Addresses can be set up such that they receive messages only from one domain. Likewise, an address can be set so that it can be shared, and if messages from other senders arrive, those senders are given their own unique addresses to send to. Thus, by its nature, RTC protects against directory harvest attacks, given that mail sent to an alias address from an unapproved sender is blocked.

Although this may seem complex, the process is generally transparent to end-users. They don't have to remember the dozens or hundreds of addresses; RTC maintains them all.

The initial installation is a little more complex than it is for some filtering products because there are a number of additional options from which the administrator must choose. Initial configuration of the IP network information can be done with a keyboard, mouse, and monitor, or via serial terminal.

When that has been accomplished, the rest of the configuration can be completed from the admin's Web console, which is laid out nicely, is easy to navigate, and provides very good help screens. If you need to change IP network information, you will have to go back to the serial terminal; there is no provision to alter network information from the Web console.

When the initial configuration has been completed, you can set up accounts for each end-user. You'll need to enter each account separately; there is no mechanism for bulk importing addresses from a list or from Active Directory or other directories.

Setting the Stage

Account configuration can be performed in stages. You can start in a Pass-through mode, for which there is no security. This mode is generally used only for testing. Then an account can be moved to Flag mode, which doesn't stop e-mail but marks any message from a new sender as Reflected. Replying to the message adds the sender to a list of allowed senders automatically.

By default, Reflexion puts a control panel at the top of every message received. Users click on a link in the control panel that opens a browser session. From there, users can allow messages from a sender, allow mail from the user's domain, or block all messages from the user or domain if the message is spam.

After a list of allowed senders has been built, the next step is to move the account to Total Control mode. Here, new senders not on the approved list get their first message bounced back with the request to resend it to a new unique address. The user has the option of exempting new senders from this process. After users have corresponded with their regular list of contacts once, there should be little ongoing effort required from users -- only exempting new contacts as they come in.

RTC even has a back-out mode that reverses the process of sending out alias addresses so that a company can move back to single addresses for each user if desired.

When the cut over to aliased addresses and Total Control mode is in place, spam drops off to nearly nil. After the system had been running for a couple of weeks, I found that spam was reduced from several hundred messages a day to a few, with no false positives.

Unlike filtering products, RTC gets more effective the longer it is installed, and it doesn't require regular updates. After all, it isn't filtering e-mail; it's simply verifying that e-mail is being sent from an approved sender.

InfoWorld Scorecard
Manageability (30.0%)
Scalability (20.0%)
Setup (10.0%)
Effectiveness (30.0%)
Value (10.0%)
Overall Score (100%)
Reflexion Total Control 3.0 8.0 8.0 8.0 9.0 9.0 8.4
Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies