History of Anti-Spam Appliances

During the mid-1990s, Dave Rand and Paul Vixie, two software engineers who had major roles in the development of the Domain Name System, created the first type of anti-spam appliance. At first it was no more than a list of IP addresses from which spam had originated, which Rand and Vixie shared with network managers via a DNS-based distribution system.

The distribution method was then automated and delivered as a Border Gateway Protocol (BGP) feed, which later became the backbone of the “Mail Abuse Prevention System”. The list was referred to as the “Real-Time Blackhole List” and, more than twenty years later, it is still the primary mechanism for detecting spam emails in most standard anti-spam appliances.

Real-Time Blackhole Lists have gone through some changes in the past twenty years. RBL agencies can now assign Reputation Scores to IP addresses, which are added to the scores assigned by Content Analysis Tools to calculate the “spam score” of each incoming email. If the spam score exceeds the anti-spam appliance's “Spam Acceptance Threshold”, the email is quarantined, flagged or rejected.
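The scoring step just described, written out as an added example (this is not code from the original article or from any appliance vendor): an IP reputation score is added to a content-analysis score and the total is compared with tiered Spam Acceptance Thresholds. The reputation table, the four content rules and their weights, the threshold values and the two sample messages are all constructed for illustration; a real appliance would obtain the reputation score from a DNS query to the RBL operator.

```python
# Added example (not from the original article): combine an RBL-style reputation
# score with content-analysis heuristics into one spam score and compare it with a
# configurable Spam Acceptance Threshold. The reputation table, the heuristic rules,
# their weights, the thresholds and the two sample messages are all constructed.
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for an RBL/reputation feed. A real appliance queries the list
# operator over DNS; positive scores mean poor reputation, negative scores mean good.
REPUTATION_SCORES = {
    "203.0.113.10": 5.0,    # listed as a known spam source
    "203.0.113.0/24": 2.0,  # the whole range has a poor reputation
    "198.51.100.7": -1.0,   # established good sender, lowers the score slightly
}

# Constructed content-analysis rules: (name, pattern, weight).
CONTENT_RULES = [
    ("all_caps_subject", re.compile(r"^Subject: [A-Z0-9 !$]{12,}$", re.M), 1.5),
    ("money_lure", re.compile(r"\b(lottery|prize|million (dollars|usd))\b", re.I), 2.0),
    ("urgency", re.compile(r"\b(act now|urgent|limited time)\b", re.I), 1.0),
    ("shouting", re.compile(r"!{3,}|\${2,}"), 1.0),
]


@dataclass(frozen=True)
class Thresholds:
    """Spam-score boundaries; lower numbers make the appliance stricter."""
    flag: float = 3.0        # deliver, but tag the subject
    quarantine: float = 5.0  # hold for administrator review
    reject: float = 8.0      # refuse at SMTP time


def reputation_score(source_ip: str) -> float:
    """Score for the connecting IP, preferring the most specific listing that covers it."""
    ip = ipaddress.ip_address(source_ip)
    best = None
    for entry, score in REPUTATION_SCORES.items():
        net = ipaddress.ip_network(entry, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, score)
    return best[1] if best else 0.0


def content_score(raw_message: str) -> tuple[float, list[str]]:
    """Sum the weights of every content rule that fires, and report which ones did."""
    hits = [name for name, pattern, _ in CONTENT_RULES if pattern.search(raw_message)]
    total = sum(weight for name, _, weight in CONTENT_RULES if name in hits)
    return total, hits


def classify(source_ip: str, raw_message: str, thresholds: Thresholds = Thresholds()) -> dict:
    """RBL score + content score = spam score; the thresholds decide the outcome."""
    reputation = reputation_score(source_ip)
    content, hits = content_score(raw_message)
    score = reputation + content
    if score >= thresholds.reject:
        verdict = "reject"
    elif score >= thresholds.quarantine:
        verdict = "quarantine"
    elif score >= thresholds.flag:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"score": score, "verdict": verdict, "reputation": reputation, "content_hits": hits}


# Constructed sample messages.
SPAM_SAMPLE = (
    "From: win@example.net\nSubject: YOU HAVE WON A PRIZE!!!\n\n"
    "Act now to claim your lottery prize of one million dollars!!!\n"
)
HAM_SAMPLE = (
    "From: alice@example.com\nSubject: Minutes from Tuesday\n\n"
    "Hi, the minutes from Tuesday's meeting are attached. Thanks!\n"
)

if __name__ == "__main__":
    for ip, msg in [("203.0.113.10", SPAM_SAMPLE), ("198.51.100.7", SPAM_SAMPLE),
                    ("203.0.113.99", SPAM_SAMPLE), ("198.51.100.7", HAM_SAMPLE)]:
        print(ip, classify(ip, msg))
```

Running it shows why the two inputs are added together rather than used alone: the same spam text is rejected outright from a listed IP, quarantined from a merely poorly reputed range, and only flagged from a well-reputed host, while a clean message from a listed IP is still quarantined on reputation alone. Lowering the threshold values catches more of the borderline cases at the cost of more genuine mail being held, which is the trade-off the text goes on to describe.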

Also over the past twenty years, the volume of spam email has increased and spammers' techniques for avoiding detection have become more sophisticated. Anti-spam appliances have kept pace with the rise in traffic and sophistication, and now include front-end tests such as Recipient Verification and Sender Policy Framework (SPF) checks.

These two front-end tests check that recipient addresses are genuine and reject emails from senders that hide their true identity behind a “spoofed” sender address. By blocking suspect emails before they are checked against a Real-Time Blackhole List and given a spam score, anti-spam appliances reduce the load on the mail server.
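Both front-end tests, as an added example that is not code from the original article: recipient verification is a lookup against a constructed list of real mailboxes, and the SPF check evaluates the sending domain's published policy for the connecting IP. DNS is replaced by a constructed table of SPF records, so only the `ip4`, `ip6`, `include` and `all` mechanisms are modelled; the `a`, `mx`, `exists` and `redirect` terms need live DNS and are reported as `permerror` here. The domains, addresses and IP ranges are all constructed.

```python
# Added example (not from the original article): the two front-end tests the text
# describes, recipient verification and a Sender Policy Framework check, run before
# any RBL or content scoring. DNS is replaced by a constructed table of SPF records.
import ipaddress

# Constructed stand-in for TXT lookups: domain -> SPF record (None = no record).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip6:2001:db8:1::/48 ip4:192.0.2.25 ~all",
    "nospf.example": None,
}

# Constructed list of mailboxes that actually exist behind the appliance.
VALID_RECIPIENTS = {"alice@example.org", "sales@example.org", "postmaster@example.org"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for the connecting IP (simplified RFC 7208)."""
    if depth > 10:               # RFC 7208 caps include recursion to stop loops
        return "permerror"
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            inner = check_spf(arg, client_ip, depth + 1)
            if inner == "pass":
                return QUALIFIER_RESULT[qualifier]
            if inner in ("none", "permerror", "temperror"):
                return "permerror" if inner == "none" else inner
            # fail / softfail / neutral inside an include simply mean "no match here"
        else:
            return "permerror"   # a, mx, exists, redirect, exp: not modelled offline
    return "neutral"             # record exhausted without a match


def front_end_checks(mail_from: str, client_ip: str, rcpt_to: str) -> tuple[bool, str]:
    """Accept or refuse at the SMTP envelope stage, before the message is scored."""
    if rcpt_to.lower() not in VALID_RECIPIENTS:
        return False, "550 5.1.1 recipient address rejected: user unknown"
    domain = mail_from.rpartition("@")[2]
    spf = check_spf(domain, client_ip)
    if spf == "fail":
        return False, "550 5.7.1 SPF check failed: host not permitted to send for " + domain
    if spf == "temperror":
        return False, "451 4.4.3 SPF lookup failed temporarily, try again later"
    # softfail, neutral, none and permerror are handed on to scoring here rather than
    # refused; how strictly to treat them is an operator choice.
    return True, f"250 accepted for RBL and content scoring (spf={spf})"


if __name__ == "__main__":
    print(front_end_checks("orders@example.com", "203.0.113.5", "alice@example.org"))
    print(front_end_checks("orders@example.com", "198.51.100.44", "bob@example.org"))
    print(front_end_checks("orders@example.com", "198.51.100.44", "alice@example.org"))
```

Only a hard `fail` is refused outright; a `softfail` or `neutral` result is left for the RBL and content scoring to weigh, which matches the layered design the text describes. Because an unknown recipient is refused before any SPF or scoring work is done, a flood of messages to guessed addresses costs the mail server nothing beyond the envelope exchange.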

Regardless, some spam emails still evade detection. Although a small percentage overall, the spam emails that avoid detection are likely to be the most sophisticated and to pose the greatest threat. It is possible to counter this by tightening the appliance's “Spam Acceptance Threshold”, but doing so can result in genuine emails being classified as spam and rejected.

The most recent generation of spam filter appliances has more front-end tests and more spam detection mechanisms than standard anti-spam appliances. Depending on how they are configured, the newest generation of spam filter appliances can detect up to 99.97% of spam emails, compared with a typical detection rate of 97%-98% for standard anti-spam appliances.

The key to achieving such a high detection rate is a process known as “Greylisting”. In the Greylisting process, each incoming email from a sender the appliance has not seen before is refused with a temporary error that asks the originating mail server to resend it. Hackers' servers are usually too busy sending spam emails to honour the request, so the spam email is never sent again.

This process has both benefits and drawbacks. The main advantage is that it stops the delivery of spam from sources not previously known, in addition to spam from sources already identified by the Real-Time Blackhole List. A second advantage is that Greylisting is a front-end test and therefore further reduces the load on the mail server.

The main disadvantage of Greylisting is that it can delay the delivery of business-critical inbound emails. Although specific senders can be “whitelisted” to bypass the Greylisting and filtering processes, whitelisting can open a door for attackers who have compromised a trusted email account or who use botnets to send spam from sources with good IP reputations.
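The Greylisting mechanism of the last three paragraphs, including its delivery-delay drawback and the whitelist bypass, as an added example (not code from the original article or any vendor): the appliance remembers each (client IP, sender, recipient) triplet, answers the first attempt with a temporary SMTP refusal, accepts a retry once a minimum delay has passed, and lets whitelisted sources skip the delay. The minimum delay, retry window, expiry times, IP ranges, addresses and the senders' retry behaviour are all constructed.

```python
# Added example (not from the original article): a greylist keyed on the
# (client IP, sender, recipient) triplet. A first delivery attempt gets a temporary
# SMTP refusal; a retry after the minimum delay is accepted and the triplet is
# remembered, while a whitelist lets named senders skip the delay. Timings, IP
# ranges, addresses and the retry behaviour of the senders are all constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class GreylistEntry:
    first_seen: float        # time of the first delivery attempt for this triplet
    last_seen: float
    passed: bool = False     # True once a retry has been accepted


class Greylist:
    def __init__(self, min_delay=300, retry_window=4 * 3600, known_ttl=35 * 24 * 3600,
                 whitelist_ips=(), whitelist_senders=()):
        self.min_delay = min_delay          # retries sooner than this are refused again
        self.retry_window = retry_window    # unfinished triplets are forgotten after this
        self.known_ttl = known_ttl          # accepted triplets are forgotten after this idle time
        self.whitelist_ips = [ipaddress.ip_network(n, strict=False) for n in whitelist_ips]
        self.whitelist_senders = {s.lower() for s in whitelist_senders}
        self.entries: dict[tuple[str, str, str], GreylistEntry] = {}

    @staticmethod
    def _normalise_ip(client_ip: str) -> str:
        # Big mail farms retry from different hosts in one range, so key IPv4 on its /24.
        ip = ipaddress.ip_address(client_ip)
        return str(ipaddress.ip_network(f"{ip}/24", strict=False)) if ip.version == 4 else str(ip)

    def _whitelisted(self, client_ip: str, mail_from: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.whitelist_ips):
            return True
        domain = mail_from.rpartition("@")[2].lower()
        return mail_from.lower() in self.whitelist_senders or domain in self.whitelist_senders

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: float) -> tuple[str, str]:
        """Return the SMTP status code and reason for one delivery attempt at time `now`."""
        if self._whitelisted(client_ip, mail_from):
            return "250", "whitelisted: greylisting bypassed"
        key = (self._normalise_ip(client_ip), mail_from.lower(), rcpt_to.lower())
        entry = self.entries.get(key)
        expired = entry is not None and (
            (entry.passed and now - entry.last_seen > self.known_ttl)
            or (not entry.passed and now - entry.first_seen > self.retry_window))
        if entry is None or expired:
            self.entries[key] = GreylistEntry(first_seen=now, last_seen=now)
            return "451", "4.7.1 greylisted, please try again later"
        entry.last_seen = now
        if entry.passed:
            return "250", "known triplet"
        if now - entry.first_seen < self.min_delay:
            return "451", "4.7.1 retried too soon, please try again later"
        entry.passed = True
        return "250", f"accepted after a {int(now - entry.first_seen)} s delay"


def simulate() -> dict:
    """Constructed timeline (seconds) showing the benefit and the delivery-delay drawback."""
    gl = Greylist(whitelist_ips=["192.0.2.0/24"])
    # A well-behaved MTA retries after its queue interval (15 min here): delayed, then accepted.
    legit = [gl.check("198.51.100.7", "alice@example.com", "bob@example.org", t) for t in (0, 900)]
    # A spam bot fires once and never retries, so its message is never delivered.
    spam = gl.check("203.0.113.10", "win@example.net", "bob@example.org", 0)
    # A whitelisted partner range skips the delay entirely (and the risk that brings).
    partner = gl.check("192.0.2.25", "orders@partner.example", "bob@example.org", 0)
    # The same sender a day later, from another host in the same /24, is accepted at once.
    later = gl.check("198.51.100.8", "alice@example.com", "bob@example.org", 86400)
    return {"legit": legit, "spam": spam, "partner": partner, "later": later,
            "pending_triplets": sum(1 for e in gl.entries.values() if not e.passed)}


if __name__ == "__main__":
    for label, outcome in simulate().items():
        print(label, outcome)
```

The simulation makes the trade-off concrete: the legitimate sender's first message arrives 900 seconds late, the one-shot spam attempt stays in the pending table and is never delivered, and the whitelisted range is never delayed at all. Whitelisting here is keyed on the sending IP range as well as on the sender address; since the sender address is exactly what a spoofed message forges, an IP-based whitelist is the narrower of the two doors the text warns about.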

Other features in new-generation spam filter appliances not only help achieve higher spam detection rates and address the risk from email-borne threats, but also simplify administration of the appliance, reducing the maintenance overhead for system administrators and IT departments. These features include:

  • SMTP controls that can be set to authenticate the sources of incoming emails.
  • SURBL and URIBL filters that spot links to phishing and compromised websites.
  • Antivirus software that spots malware hidden in email attachments.
  • Automated software updates, RBL updates and SURBL/URIBL updates.
  • Integration with back-end directory services such as Active Directory (AD) and LDAP.

This last feature is particularly helpful for applying different “Spam Acceptance Thresholds” to different departments. For instance, you may want to apply a stricter threshold for your Finance Department than for your Sales Department, providing a higher level of protection for Finance without blocking potential leads being sent to Sales.
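Per-department thresholds driven by directory membership, as an added example (not code from the original article or any vendor): each recipient's policy is derived from the groups a directory lookup reports for them, a member of several groups gets the strictest applicable policy, and one message addressed to several departments gets a separate verdict per recipient. The directory snapshot, group DNs, policy names and score values are constructed; a real appliance would read `memberOf` over LDAP. Thresholds are spam scores, so the more strictly protected department is the one with the lower numbers.

```python
# Added example (not from the original article): deriving a recipient's Spam
# Acceptance Thresholds from the groups the directory says they belong to. The
# directory snapshot, group DNs, policy names and scores are constructed; a real
# appliance would fetch memberOf over LDAP.
from dataclasses import dataclass

# Constructed snapshot of what an LDAP/AD lookup returns for each mailbox.
DIRECTORY = {
    "cfo@example.org": {"memberOf": ["CN=finance,OU=groups,DC=example,DC=org",
                                     "CN=executives,OU=groups,DC=example,DC=org"]},
    "rep@example.org": {"memberOf": ["CN=sales,OU=groups,DC=example,DC=org"]},
    "temp@example.org": {"memberOf": []},
}


@dataclass(frozen=True)
class Policy:
    name: str
    flag: float         # tag and deliver at or above this score
    quarantine: float   # hold for review at or above this score
    reject: float       # refuse at or above this score


DEFAULT_POLICY = Policy("default", flag=4.0, quarantine=6.0, reject=9.0)

# Group DN (lower-cased) -> policy. Finance is protected more tightly; Sales is looser
# so that unsolicited but genuine leads are less likely to be held back.
GROUP_POLICIES = {
    "cn=finance,ou=groups,dc=example,dc=org": Policy("finance", 2.0, 3.5, 6.0),
    "cn=executives,ou=groups,dc=example,dc=org": Policy("executives", 2.5, 4.0, 6.5),
    "cn=sales,ou=groups,dc=example,dc=org": Policy("sales", 5.0, 7.5, 10.0),
}


def resolve_policy(rcpt_to: str) -> Policy:
    """Pick the recipient's policy; a member of several groups gets the strictest one."""
    groups = DIRECTORY.get(rcpt_to.lower(), {}).get("memberOf", [])
    candidates = [GROUP_POLICIES[g.lower()] for g in groups if g.lower() in GROUP_POLICIES]
    if not candidates:
        return DEFAULT_POLICY
    return min(candidates, key=lambda p: (p.reject, p.quarantine, p.flag))


def verdict(score: float, policy: Policy) -> str:
    """Map a spam score onto the outcome the recipient's policy prescribes."""
    if score >= policy.reject:
        return "reject"
    if score >= policy.quarantine:
        return "quarantine"
    if score >= policy.flag:
        return "flag"
    return "deliver"


def route_message(score: float, recipients: list[str]) -> dict[str, tuple[str, str]]:
    """One message, one score, but a separate verdict per recipient's department."""
    result = {}
    for rcpt in recipients:
        policy = resolve_policy(rcpt)
        result[rcpt] = (policy.name, verdict(score, policy))
    return result


if __name__ == "__main__":
    # Constructed: a message that scored 4.5, addressed to three departments at once.
    for rcpt, outcome in route_message(4.5, list(DIRECTORY)).items():
        print(rcpt, outcome)
```

With the constructed score of 4.5 the same message is quarantined for the CFO, flagged for the account with no group membership, and delivered untouched to the sales representative. A per-recipient verdict implies the appliance must be able to split delivery of a multi-recipient message, and the "strictest group wins" rule keeps a user who is in both an executive and a finance group from inheriting the looser of the two policies.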

While scanning incoming emails is important to stop spam and mitigate the risk from email-borne threats, the importance of scanning outgoing emails should not be disregarded. If a Content Analysis Tool judges an outgoing email to contain spam, it reflects badly on your business's IP address. If this happens too often, your IP address could be blacklisted by RBL agencies.

The consequences of having your company's IP address blacklisted are not limited to your email communications. If your website uses the same IP address as your mail server, Internet filters may stop visitors from accessing the website. Although a problem with an IP address can be rectified within a couple of days, the damage to your business reputation may take longer to repair.

Scanning outgoing emails serves three functions. It can identify emails that have inadvertently been composed with too much content that scores as spammy (not a good idea in any business communication), identify email accounts hijacked by botnets (which can also be used to launch DDoS attacks), and identify viruses and other infections that your regular antivirus software may not yet have found.

The three categories of anti-spam appliance are hardware, software and cloud-based, a cloud-based anti-spam appliance often being referred to as an anti-spam virtual appliance. Each has a place in the market depending on the size of your company, the nature of your business and the volume of traffic passing through your network.

A hardware anti-spam appliance is generally suited to very small businesses that use alternative methods for the exchange of confidential information. Although it is a capital expense rather than an operating expense, you may still find you need a service contract for software updates to keep your computer systems protected against the most recent malware, ransomware and phishing attacks.

A software anti-spam appliance is most suitable for businesses that hold confidential information and want to avoid that information travelling through the cloud. These appliances are normally downloaded and deployed as gateway appliances between the firewall and the mail server, and are updated automatically by the service supplier.

An anti-spam virtual appliance is ideal for businesses with a lot of network traffic, as the filtering processes are performed “off-network”. All that is required to implement one is a redirection of the domain's MX record, making it the simplest type of anti-spam appliance to deploy. As anti-spam virtual appliances are multi-tenanted, they are also ideal solutions for MSPs.