The best way to can spam

Spontaneous end-to-end communication used to be the Internet’s magic ingredient. But scarcity of IPv4 address space and legions of vandals resulted in NATs and firewalls. Now, unfiltered end-to-end communication happens, for the most part, by invitation only.

Until recently, the lone exception was e-mail. You didn’t need permission to contact someone by e-mail, and you could be reasonably certain that a message you sent would land in the recipient’s inbox. Inevitably that had to change, too. The spam epidemic compels us to create and use the e-mail equivalent of NATs and firewalls: a combination of content filters, white lists, and blacklists.

The immediate tactical question is not whether to use these techniques, but how. There are also long-term strategic questions about the things we expect e-mail to do. But first things first: If more than a trickle of spam is landing in your organization’s inboxes, you need to solve that problem now.

Identifying the sender

The two main types of anti-spam solutions — those based on the identity of the sender and those based on the content of the message — can be, and usually are, deployed in combination. The two models for deploying anti-spam solutions — on gateways and servers or on clients — can also be used in combination, although many enterprises would prefer a server-based approach that won’t add to existing desktop support and training burdens.

Click for larger view.

Enterprise-oriented products, such as Proofpoint’s Protection Server and ActiveState’s PureMessage, run inbound e-mail through a gauntlet of checks defined by corporate policy. These can include virus scans as well as spam detection. In the latter case, the customer decides which identity- and/or content-oriented spam-detection modules to deploy and whether to reject, quarantine, or merely tag a message when its score tips the spam scale.

Identity is, however, a double-edged sword that can vilify or sanctify a sender. Modules that use DNSBLs (DNS-based blacklists) look up the sender’s IP address in databases that track misconfigured mail servers and reported spammers. These services exhibit varying degrees of transparency and accountability, making them useful yet controversial (see “Blacklists: The New Neighborhood Watch”). Some anti-spam vendors ship with DNSBL modules disabled, subject to customer override. Others use them by default, but judiciously, as a component of an overall score.

Eric Allman, CTO of Emeryville, Calif.-based Sendmail and creator of the company’s eponymous e-mail solution, calls DNSBLs “a dull sword”; a sample of my own messages caught by DNSBL filtering shows why this method should not be used in isolation:

Subject: Caldwell and Associates, Inc. Expands Grant Writing Department

Subject: Final Reminder — SOHO Reception