Auerbach Publications

Stopping Spam Before It Stops You

Charlie Cano

The volume and sophistication of attacks that threaten business e-mail networks and systems are growing at exponential rates. This growth curve poses significant problems for IT and security groups trying to manage these threats, not to mention user inboxes filled with junk that they must wade through every morning. Recently, however, a new solution has emerged that places an additional message security layer at the network edge, significantly strengthening a company's overall messaging security posture and effectively stopping spam before it can get to your users.

But first, just how big is the spam problem, and why should you be concerned? According to recent studies, the current volume of overall e-mail sent worldwide is now over 75 billion messages per day. By 2008, this number is expected to rise to a volume of 100 billion per day or more. About 85% of all e-mail worldwide is "unwanted," a percentage that has been growing steadily over time. Unwanted e-mail includes spam, viruses, malware, Trojans, denial-of-service, and phishing attacks. Even more troublesome is that the volume of total unwanted e-mail is doubling every six to nine months.

Threats to corporate e-mail security can be grouped into four primary categories: spam, phishing, viruses, and zombies. Spam is broadly defined as any message that is unsolicited and unwanted, or "junk mail." Phishing is a scam in which fraudsters "fish" for personal information by pretending to be a legitimate company. Viruses come in many forms. Some are intended merely to cause a nuisance and block network traffic temporarily, while others, such as Trojans, contain or install a malicious program or payload.

And zombies are the newest threat to enterprise network security. A zombie PC is one that has been taken over by a remote hacker through the use of Trojans, which are files that appear to be legitimate but instead are viruses that hijack a PC and use it to send spam, viruses, DoS attacks and phishing scams. These zombie machines are networked and used in conjunction with each other to send thousands of messages each, often targeting specific entities.

While each of these categories poses a unique threat to e-mail security, many attacks combine several elements to exploit multiple vulnerabilities simultaneously, adding to the problem.

Detecting Spam
Unwanted e-mail is also becoming more difficult to detect, mainly because attackers are professionals with the budget and technical prowess to develop spam, phishing attacks, viruses, and zombies that can get through existing filters. Gone are the days of lone hackers working late at night. Many of these hackers run teams of engineers with very sophisticated equipment and technology.

Fact is, professional hacking teams typically have all the same security software that corporations do, and will constantly test their strategies to see if they can outsmart the filters. One example of this is hash-busting text, where spammers have their zombie networks send out e-mails that are each unique and therefore cannot be recognized by a hash of known spam. Another example is the increasing use of image-based spam, where all the text is in image format, and even the images can be made to vary uniquely (more hash busting). This makes it very difficult to detect unwanted e-mail based solely on the content of the message.

The net result is that the reputation of the sender is becoming more and more important as a way to detect unwanted e-mail. Legitimate senders with good reputations will rarely send spam, and if their systems are ever compromised by a zombie, their reputation score will almost immediately reflect that and their e-mails can be flagged as unwanted until their systems and corresponding score return to normal.

The Corporate Messaging Security Challenge
Every message that crosses the corporate gateway uses valuable bandwidth, which is already in short supply for most organizations. IT departments are being forced to add additional mail security gateways and mail servers to their infrastructure as the volume of mail outstrips the capacity of their existing machines.

Considering that the inbound mail volume at many companies is doubling every three to four months, mainly due to bad e-mails, it's easy to see that IT departments have a significant challenge on their hands trying to purchase, test, and install the components of their rapidly growing e-mail infrastructure.

IT departments are forced to manage these increasingly complex infrastructures, requiring valuable man-hours. In addition, administrators must learn the intricacies of several different programs and control ever-expanding racks full of servers - an expensive proposition for many organizations.

Common Solutions
So what are your options for solving this problem? Some companies simply wish to add hardware to their architecture, but considering the growth rate of inbound e-mail, doubling or tripling hardware and infrastructure costs every 6-9 months is simply not in the budget. To take a more proactive approach, many administrators are starting to use products or services that look at the sender's reputation. By doing so, they hope to eliminate bad e-mail at the connection (network or TCP/IP) level. While the intent is laudable, the issues with many of these reputation services are numerous.

For example, by deploying an e-mail gateway Message Transfer Agent (MTA), such as Sendmail, Postfix, or any number of other alternatives, administrators attempt to cut down the number of messages passing through. Unfortunately, each of these solutions requires additional layers of security in order to reduce message volume to a tolerable level. For example, to cut down on spam volume, a Sendmail environment may rely on SpamAssassin to reduce spam, Panda Perimeter Scan for anti-virus protection, and several other products to address other individual threats.

The obvious weakness in this approach is that each of these products is designed as a stand-alone application; few, if any, are designed to interact with applications from other vendors, leaving a gaping hole in the correlative intelligence-gathering process necessary for effective overall security. Each message content filter is forced to download the message data from the previous gateway, eating up valuable bandwidth. In addition, each application loaded onto a box requires additional processing power (rack space, power, admin effort), and must query multiple outside sources to obtain up-to-date information each time a sender tries to connect to the network.

A New Approach
Rather than trying to add more hardware and multiple new layers to the infrastructure, consider another approach. A typical (simplified) messaging architecture involves e-mail traversing the network edge, followed by the e-mail security gateway, and finally the e-mail server. The intelligence in these e-mail security gateway products employs multiple techniques, including anti-virus scanning, deep content inspection, filtering for keywords and heuristics, and custom rules.

More recently, the notion of a sender's reputation as a key factor in categorizing and managing inbound e-mail has emerged as a critical step in the process. To handle the e-mail volume, as well as for high availability and redundancy, most organizations virtualize multiple security gateways and mail servers behind an application delivery networking controller. Rather than continuing to add secure gateway hardware to this infrastructure to handle growing e-mail volumes, a better approach would be to add security intelligence at the network edge, cutting down the e-mail that passes on to the e-mail security gateways and servers for further inspection and processing.

One such system that's beginning to gain considerable attention is essentially a software module loaded onto an application delivery networking device - a network-edge solution that adds security intelligence to manage and filter inbound e-mail traffic by considering the sender's reputation when making traffic management decisions. The device leverages a reputation system for information about every sender that attempts to connect to the protected enterprise's mail servers.

When the device receives an SMTP connection request, it will hold the response to the sender until the sender's reputation is checked against the reputation database. Neither the SMTP headers, nor any part of the message itself is downloaded until the sender's reputation is determined. What's cool about this is that the administrator has incredible flexibility in determining what to do with the e-mail based on that reputation, including partitioning e-mail traffic between various pools of e-mail gateways and servers for "fast-tracking" known good senders, redirecting senders with questionable reputations, and immediately dropping known bad sender connections with an error code telling them not to retry the connection, as it will only lead to another rejection.
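The connection-time policy just described, written out as an added example (it is not the article's code, nor F5's): a constructed in-memory reputation store keyed by connecting IP address stands in for the reputation database, the 0-100 score scale and the good/bad thresholds are assumptions, and the only thing the edge device sends before reading a single SMTP command is a greeting (for known good or questionable senders, each routed to its own pool) or a permanent 5xx reply that tells a known bad sender not to retry. The abuse/restore calls model the earlier point that a compromised legitimate sender loses its score immediately and regains it once cleaned up.

```python
"""Added example (not from the article): sender-reputation gating at the
network edge, modelled as the policy an edge device applies when an SMTP
connection arrives and before any header or message data is read."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional
import ipaddress


class Action(Enum):
    FAST_TRACK = "fast-track"      # known good sender: route to the fast-track pool
    INSPECT = "full-inspection"    # questionable sender: route to the inspection pool
    REJECT = "reject"              # known bad sender: refuse the connection outright


@dataclass
class Reputation:
    # Constructed 0..100 scale: 100 is a trusted sender, 0 is a known spam source.
    score: int


@dataclass
class Decision:
    action: Action
    pool: Optional[str]   # gateway/server pool that receives the connection, if any
    smtp_reply: str       # the first line the edge device sends back to the client


class ReputationDB:
    """In-memory stand-in for the reputation service the article describes.
    Assumption: the real service is keyed by the connecting IP address."""

    NEUTRAL = 50   # senders with no history get a neutral score

    def __init__(self, seed: Dict[str, int]):
        self._scores = {ipaddress.ip_address(ip): s for ip, s in seed.items()}

    def lookup(self, ip: str) -> Reputation:
        return Reputation(self._scores.get(ipaddress.ip_address(ip), self.NEUTRAL))

    def report_abuse(self, ip: str, penalty: int = 80) -> None:
        """A legitimate sender that starts emitting spam (e.g. a zombie on its
        network) loses reputation immediately, as the article describes."""
        key = ipaddress.ip_address(ip)
        self._scores[key] = max(0, self._scores.get(key, self.NEUTRAL) - penalty)

    def restore(self, ip: str, score: int) -> None:
        """Sender cleaned up; the operator or a feedback loop restores its score."""
        self._scores[ipaddress.ip_address(ip)] = score


def decide(db: ReputationDB, client_ip: str, good: int = 80, bad: int = 20) -> Decision:
    """Policy applied while the SMTP greeting is held back. The thresholds are
    constructed for this example; a real deployment tunes them per site."""
    score = db.lookup(client_ip).score
    if score <= bad:
        # Permanent (5xx) reply: a well-behaved client will not retry the connection.
        return Decision(Action.REJECT, None,
                        "554 5.7.1 Connection refused: sender reputation too low")
    if score >= good:
        return Decision(Action.FAST_TRACK, "fast-track-pool", "220 edge.example.test ESMTP")
    return Decision(Action.INSPECT, "inspection-pool", "220 edge.example.test ESMTP")


def handle_connection(db: ReputationDB, client_ip: str):
    """Return (reply, pool): the reply is sent before any command or data is read,
    so rejected senders never cost the gateways behind the edge any bandwidth."""
    d = decide(db, client_ip)
    return d.smtp_reply, d.pool


if __name__ == "__main__":
    # Constructed sample entries using documentation address ranges.
    db = ReputationDB({"198.51.100.10": 95, "203.0.113.7": 5})
    for ip in ("198.51.100.10", "203.0.113.7", "192.0.2.44"):
        print(ip, handle_connection(db, ip))
    db.report_abuse("198.51.100.10")    # trusted sender starts relaying spam
    print("after abuse:", decide(db, "198.51.100.10").action)
    db.restore("198.51.100.10", 95)     # cleaned up, score restored
    print("after cleanup:", decide(db, "198.51.100.10").action)
```

Running the block prints the greeting and pool for a trusted, a known bad, and an unknown sender, then shows the trusted sender being refused after an abuse report and fast-tracked again once its score is restored.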

By filtering out known spam senders with this device, administrators can eliminate the majority of their e-mail volume right at the network edge. This significantly cuts down on the bandwidth and expanding hardware costs required to deal with the remaining e-mail passed on to existing security gateways and mail servers, and helps maximize existing messaging security solutions already in place.

In summary, the load and risk imposed on your network by unwanted e-mail is growing. It's not just annoying your employees and burdening your IT staff, but it's dangerous as well. Historical single-layer deep inspection architectures for dealing with high volumes of spam are no longer adequate. Recently available architectures enable you to scale easily, avoid ongoing large investments in messaging security technology, and quickly ease the burden on your messaging systems. Best of all, these smart systems stop spam at the network edge, before it can burden your systems and your users' productivity - and patience.


About the Author
Charlie Cano is a Solutions Architect for Seattle-based F5 Networks, a leading provider of application delivery networking solutions. F5 offers a Message Security Module for its BIG-IP load balancer that is designed to stop spam at the network edge.

© Copyright 2007 Auerbach Publications.