Prefilters put spammers in the crosshairs

Anti-spam filtering technologies have been perfected to the point where you can expect to see better than 95 percent accuracy, with no more than a couple of false positives out of every 10,000 messages. Despite this amazing progress, enterprises are still under attack. The grim truth is that filtering even 100 percent of incoming spam doesn't necessarily solve the spam problem for large organizations.

The reason is that a high volume of spam, even when it's caught, can be extraordinarily expensive for larger organizations that are finding that they need to add more mail servers, and more spam filters, to handle the load. Considering that spam can amount to between 80 percent and 95 percent of all incoming e-mail, a large enterprise could substantially reduce the number of mail servers and filters it manages and maintains if most of that spam would just go away.

Too much to ask? Each of the four vendors discussed here -- CipherTrust, Mirapoint, Symantec, and Tumbleweed Communications -- use different approaches to rejecting spam before it enters the corporate network. Although the methods differ, each solution is designed to complement a traditional anti-spam solution. All can dramatically ease the burden on your message filters and mail servers, creating more processing headroom for legitimate messages and ultimately reducing the number of mail systems you need to deploy and maintain.

Rather than filtering e-mail based on its content, these appliances use the sender's IP address, the recipient's address, and other factors to identify messages at the TCP/IP or SMTP protocol level. They then block all traffic from the IP addresses of known spammers, limit the number of connections or messages per minute from the IP address of a likely spammer, or allow all messages from addresses with a clean reputation.

CipherTrust IronMail Connection Control uses a reputation database the company calls TrustedSource to rate IP addresses of e-mail senders, for either sending no spam, sending lots of spam, or sending some spam, based on recent activity monitored by CipherTrust's global network of spam collectors. Connection Control then either rejects connection attempts from known spammers for a designated period or accepts their connections, allowing them to pass only a few messages an hour.

Click for larger view.

Mirapoint MailHurdle sends an SMTP retry message to the originating server, taking advantage of the fact that real e-mail servers will readily resend but most spam engines aren't equipped to retry. The recipient address can also be verified to ensure that the message was sent to a real user and not a random address. This retry and verification helps to stop directory harvest attacks, which attempt to identify all the valid addresses in a domain to sell to other spammers. If a message is addressed to invalid recipients, it is ignored; if it is addressed to both valid and invalid recipients, indicating that the sender is fishing for valid addresses, the connection is throttled, and the IP is marked as a suspicious sender.