Connection filtering versus keyword approaches to anti-spam
Traditional anti-spam weapons are not enough, argues Ralph Casey
Casey: Anti-spam requires connection filtering to reduce the volume and management of potential spam email
Spam has become a permanent headache for IT administrators. As high-speed internet access spreads, more PCs become susceptible to viruses, which spew out most spam.
Convictions of spammers and closures of the spam networks do reduce the amount of spam. However, these successes are temporary.
One of the world's largest spam gangs was shut down in October 2008, but within weeks spam levels had recovered. Administrators are therefore on their own.
At a server level, anti-spam methods, such as accepting an email, scanning it for various keywords and suspect URLs, and categorising it, have failed miserably.
Connection filtering has stepped into the breach. This involves the analysis of the conversation between the sending email server and the recipient server before the email is accepted by the recipient server.
As a sending server connects to a recipient server to send an email, it follows a set of procedures as part of the SMTP protocol.
The analysis of all the information that can be gathered from the sending source and transmitted during the SMTP conversation can provide effective anti-spam filters that block spam and keep false positives as close to zero as possible.
If the connection is rejected by the filters, an email is not transmitted to the recipient server. Instead, the sending server receives the appropriate error message and the connection is dropped.
Content-based filters, which include anti-virus scanning, do have their place in an overall email filtering strategy, but should be used only after email has passed through connection filters.
A certain amount of spam is sent from legitimate email servers as opposed to home broadband connections and so connection filtering does not catch all spam. Anti-virus scanning of email is also required to prevent the spread of viruses and thus more spam.
The advantages of connection filtering as opposed to the traditional keyword-based scanning approach are many. For a start, users no longer have to trawl through large boxes of suspected spam messages in quarantine.
Spam has not been accepted in the first place, so there is no need to check for it. IT administrator productivity also improves as a result, because there are fewer helpdesk calls about spam. Email security is improved. Effective connection filtering can block 95 per cent of spam at source. This includes spam containing viruses and Trojans.
These threats are dropped at the perimeter and not stored in any form on the network. Connection filtering carried out by an external provider would stop this traffic from even reaching your network. The resulting bandwidth savings can be considerable if spam volumes are high.
Fewer resources are also required by email servers. Spam is being dropped at its source before being accepted by the recipient server. Less storage space is required as spam is not being stored in quarantine.
The processing power required to filter connections is far less than scanning the whole email, which can be CPU-intensive. Overall server loads are reduced by connection filtering.
Another advantage of connection filtering is that it reduces the potential of your email server being blacklisted. 'Back-scatter' spam has become a large proportion of total spam. This form of spam occurs when a spammer spoofs the sender address to be that of a legitimate email address.
If the original recipient server accepts and then bounces the email, as it would in traditional anti-spam approaches, the rejection is sent to the spoofed sender address rather than the original spammer.
If the email was rejected when initially being sent, no 'back-scatter' spam would have been sent onto the spoofed sender address.
Sending 'back-scatter' spam takes up valuable network bandwidth and can lead to a server being blacklisted, reducing email access and requiring additional resources to correct it.
An ancillary benefit of reducing 'back-scatter' spam is that there is less overall spam on the internet.
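The sketch below is an added example, not code from the article or from Clean Communications. It shows a decision made during the SMTP conversation, before any message body is accepted, and why rejecting in-session produces no bounce to a spoofed sender. The three checks (a blocked source network, HELO name sanity, recipient validation), the domain, the addresses and the reply texts are assumptions constructed for illustration; the article does not list which checks a connection filter applies.

```python
import ipaddress
import re

# Constructed sample policy data (assumptions for this example only).
LOCAL_DOMAIN = "example.org"
VALID_RECIPIENTS = {"alice@example.org", "helpdesk@example.org"}
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
FQDN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def check_connect(client_ip):
    """Stage 1: decide on the source address alone, before any SMTP command."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in BLOCKED_NETS):
        return 554, "5.7.1 connection refused by local policy"
    return 220, f"{LOCAL_DOMAIN} ESMTP"

def check_helo(helo_name):
    """Stage 2: reject a malformed HELO name or one claiming to be us."""
    name = helo_name.strip().lower()
    # Address literals such as [198.51.100.10] are accepted unparsed (simplified).
    if name == LOCAL_DOMAIN or not (FQDN.match(name) or name.startswith("[")):
        return 550, "5.7.1 invalid HELO/EHLO name"
    return 250, LOCAL_DOMAIN

def check_rcpt(rcpt_to):
    """Stage 3: refuse unknown recipients now, so no bounce is generated later."""
    if rcpt_to.strip("<>").lower() not in VALID_RECIPIENTS:
        return 550, "5.1.1 user unknown"
    return 250, "2.1.5 recipient ok"

def filter_session(client_ip, helo_name, mail_from, rcpt_to):
    """Run the envelope stages in order and stop at the first 5xx reply.

    Returns (accepted_for_data, transcript). Replies go only to the connected
    server; mail_from is never used as a destination, so a spoofed sender
    address receives nothing.
    """
    stages = (lambda: check_connect(client_ip),
              lambda: check_helo(helo_name),
              lambda: (250, f"2.1.0 <{mail_from}> sender noted"),
              lambda: check_rcpt(rcpt_to))
    transcript = []
    for stage in stages:
        code, text = stage()
        transcript.append(f"{code} {text}")
        if code >= 500:
            return False, transcript  # connection is dropped, nothing stored
    return True, transcript  # only now would DATA and content scanning begin
```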
Connection filtering has become a key component in the battle against spam. It is an effective way to reduce email-borne threats and fully protect networks and users who depend on email to communicate.
Ralph Casey is technical director at Clean Communications