FEATURE
New Roadblock Fights Spam

A new generation of anti-spam artillery is helping Internet Service Providers fight more successful battles in the war against spammers.

IronPort Systems is arming some of the largest ISPs with a new type of Reputation Filter powered by the SenderBase E-mail Traffic Monitoring Network. This filtering system gives the computer industry a new tool in blocking spam coming out of ISP's so that compromised or infected computers, known as zombies, cannot deliver their spam mail payloads.

"Through SenderBase we see that over 70 percent of all spam originates from consumer broadband users," IronPort System's Product Marketing Director Pete Schlampp told TechNewsWorld.

So far, six of the 10 largest ISP's and five of the 10 largest media companies in the world are using IronPort's Reputation Filters, he said.

Innovation Concept

This next generation Reputation Filter by e-mail security leader IronPort Systems allows ISPs to stop spam from originating in their networks. The first generation of Reputation Filters only looked at inbound traffic.

Schlampp said spammers took advantage of that weakness and found ways to lessen the impact of the filters. One common method is for spammers to infect unprotected PCs with a virus. The virus then installs its own e-mail client on the compromised computer, turning it into a spam mill.

So Iron Port enhanced the filters by putting its boxes in front of all outgoing connections.

The results have been dramatic. ISPs and enterprise networks have cut the volume of spam nearly fourfold.

"We found that our enterprise customers are seeing a 75 to 80 percent decrease in spam," Schlampp said. "One client was able to reduce its own perimeter spam filtering servers from 68 to just eight of IronPort's devices."

He said this enterprise customer saw a decrease of 25 million inbound spam messages per day to 6 million spam messages blocked at the perimeter before having to filter messages.

Matter of Reputation

IronPort, which developed the largest e-mail filtering system known as SenderBase, built its database of e-mail senders by having legitimate e-mail providers register their IP address. The database was bolstered by additional sources of e-mail.

SenderBase is an e-mail reputation service that helps e-mail administrators research senders, identify legitimate sources of e-mail and block spammers. The database contains details about more than 28,000 organizations that receive e-mail.

"Our philosophy was to open the database so anyone can look up sender information. That is how we have gotten such a strong reputation," Schlampp said. The database is available for anyone to use at http://www.senderbase.org/.

How It Works

IronPort's Reputation Filters help spot sudden suspicious activity at its source. The company is now using more than 50 different factors for assigning a reputation score. The process analyzes more than 50 different parameters from more than 50,000 participating networks.

This massive quantity of data is analyzed in real time and used to develop a "reputation score" for any given sender on the Internet. This score is made available to the IronPort E-mail Security Appliances, which have a unique ability to limit a given sender based on their score.

The more suspicious a sender appears, the slower the filtering processes goes. If an e-mail parcel is flagged for having a failing reputation score, it is not delivered.

This process gives enterprise IT staffs and ISPs a means to regulate the flow of suspicious or clearly spammed e-mail.

Zombies, or hijacked computers, are most often found in the large IP ranges of consumer broadband ISPs such as cable operators and DSL providers. With more than 70 percent of spam being created by unsuspecting computer users' PCs, the industry cannot wait for consumers to harden their equipment.

Industrywide Cooperation

Schlampp said the goal is to have outbound e-mail filtering performed by a universally used system. Large ISPs and enterprise customers are not usually in competition with each other for mail handling. So it is in the best interest for all concerned to have everyone in the industry contribute to this process, he said.

"The technology is sophisticated, but the concept is simple," Craig Taylor, vice president of technology at IronPort, said. "Some first generation systems will simply control the number of connections allowed from a given sender. Spammers easily circumvent this tactic by sending multiple messages per connection and multiple recipients per message. Only IronPort has the ability to perform true traffic shaping by limiting the message flow rate in recipients per hour."

SenderBase gathers data from more than 50,000 ISPs, universities, and corporations around the world. It measures the global volume of e-mail being sent by any given sender. It also tracks how long that sender has been sending and whether the sender accepts mail in return. It verifies if the sender's DNS servers resolve properly, are an open proxy or open relay, and process users' complaints about spam from their servers.

Charter Customer

Charter Communications (Nasdaq: CHTR) is one of IronPort's customers now using IronPort C-60 e-mail security appliance to power and protect e-mail for more than 1.8 million e-mail customers.

"The increase in spam and viruses has become an increasing burden on our networking infrastructure and operational staff," Robert Bosco, Charter's director of HSD mail, said. "Deploying IronPort technology has allowed us to effectively combat these issues while minimizing capital and operating expenditures."

Charter relies on the IronPort C60-throttling and Reputation Filtering. The combination helps address two major pain points: preventing spam from reaching customer inboxes and controlling spam originating from customer PCs.

"For Charter, who sees upwards of 100 million messages a day, the IronPort C60s stop 50 percent at the perimeter. This translates into the highest performance available, greater accuracy and huge cost savings," Thomas Gillis, senior vice president of Worldwide Marketing at IronPort, said.

The IronPort C60 appliance allows Charter to divide e-mail senders into unique categories, such as IP address, domain name or sender reputation. It provides specific message-based rate limit thresholds for each sender.

Rate limiting detects when outgoing mail exceeds a preset limit. When a throttle limit is exceeded, the IronPort C60 will temporarily reject more mail from that sender.

"IronPort Reputation Filtering allows e-mail administrators to sort e-mail senders based on the quality of mail they send. This provides restrictive policies for spammers and more liberal policies to legitimate senders," Gillis explained.