Prefilters put spammers in the crosshairs

CipherTrust, Mirapoint, Symantec, and Tumbleweed appliances bring IP blocking, TCP/IP throttling, and other network-level tricks to the battle against spam

Symantec uses a technique similar to that of CipherTrust, relying on the Brightmail reputation service and then throttling connections from IP addresses with bad reputations. The SMS (Symantec Mail Security) 8100 series allows known spammers only a few simultaneous connections -- or only one connection at a time -- and accepts only a few messages or even just one per hour, greatly restricting the ability of spammers to push their messages through the gateway.

Tumbleweed MailGate Edge takes a different approach altogether, focusing on authentication of the sender and recipient. MailGate Edge blocks or throttles bandwidth on mail that is sent to invalid users, using your e-mail server's directory -- Active Directory, Exchange 5.5, LDAP -- to identify valid users. It also identifies senders whose e-mail addresses don't match the IP address from which the e-mail was sent, using a reverse DNS lookup to verify that the domain in the header of the message is truly associated with the source IP address. In addition, MailGate Edge looks for nonstandard SMTP communications, blocking e-mail sent by some spam robots, aka spambots. To protect against DoS and directory harvest attacks, it watches for messages with lots of invalid users or for spikes in connection attempts or message volume.

These appliances can reduce network traffic and the load on the anti-spam filter or e-mail server by 50 percent to 90 percent, eliminating the need to upgrade mail server hardware or deploy additional servers. In addition, they can all protect your system against directory harvest, DoS, and DDoS attacks on e-mail servers, by identifying illegitimate mail flows and blocking the addresses from which they come. They also have the benefit of making spambots work harder to push messages through your gateway, encouraging spammers to remove you from their list of targets.  

All these methods work well for now. Time will tell whether spammers will figure out how to circumvent them. In some cases, evasion may prove possible but too expensive. For instance, if a spambot has to retry hundreds of thousands of connections an hour to push messages past Mirapoint's MailHurdle, the hardware resources necessary may become prohibitively expensive. Nevertheless, in all likelihood, these network-level spam defenses will have to continue to evolve, as spammers become increasingly more sophisticated.

The methods these four appliances use may not be terribly useful to small organizations. If you have only one lightly stressed mail server, you don't need to cut e-mail volume. Organizations with large volumes of e-mail, however, can gain dramatic benefits. Because the domains I use to test anti-spam products receive only about 10,000 messages a week, I contacted customers of each of the four vendors to get a feel for how the products perform in a high-volume production environment.

In addition, I brought the Mirapoint, Symantec, and Tumbleweed units into my lab to examine the administrative interface, management features, ease of installation, and functionality. The latest version of the CipherTrust software, IronMail 6.0, was not available in time for my test.

CipherTrust IronMail Connection Control