Firewall Wizards mailing list archives

RE: regarding spam...


From: "Jeff Brown" <jvbrown () gte net>
Date: Tue, 2 Apr 2002 12:11:59 -0500

There are very sophisticated email filters available out there.
http://www.group-technologies.com .wall is quite strong.
The challenge is that so many have opted for shareware fixes
for so long (RBL/others) that the value proposition on a solid
anti-spam solution is difficult to justify in the current economy.

On occasions where spam issues become a content filtering
concern ( IP leakage/porn ) the commercial/Enterprise world
acknowledges the value of an associated license fee.

AV companies need to stay focused on AV, and IDS firms
should maintain their focus as well. Some content filtering
solutions are able to handle these issues right now with
specialized and intuitive algorithms.

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of Kalat, Andrew (ISS Atlanta)
Sent: Monday, April 01, 2002 11:04 AM
To: 'Marcus J. Ranum'; firewall-wizards () nfr com
Subject: RE: [fw-wiz] regarding spam...


Note: Comments are my own, and not that of my employer, yadda, yadda...

Perhaps my comments are a bit naive here, but I'll risk the public scorn and
throw them out anyway.

Reading this thread, I wanted to comment from the standpoint of a business
user. As spam is now sent from multiple open relays, it seems domain
blocking is no longer an effective defense. I seem to get the same
spam from 5 different sources in a day anyway. I've also seen open relays
get noted and used within 12 hours of being put on the net. With that in
mind, I've been kicking around why something similar to an anti-virus
product couldn't be used on border MX's to filter spam.

Dig if you will the concept:
An anti-virus company starts tracking spam. They build profiles of the most
common spam quickly. Let's say they use a 90% match to deal with slight
changes done by the spammers. Pattern files are updated hourly as new spam
is created and noted by their systems. These pattern files are made
available for auto-download to the anti-spam products perhaps on an hourly
basis.

Anyway, these products would then scan the email, similar to anti-virus
products, and divert those that match. Perhaps an alert with the first few
lines of the spam to a designated admin who could then note if it was a
false-positive and forward on the email. Further, the designated admin could
add spam examples to a user-based pattern file.

Perhaps this is being done, I'm not sure. The value I would see is that this
would probably take a big chunk out of spam to a whole company as they often
get the same spam over and over again.

To Marcus' point later in the thread, this doesn't really hurt the spammers,
and this would likely start the same type of arms race you see in the
anti-virus efforts, but it does help the business user population somewhat,
stopping the 80% or so of the less sophisticated spammers. Over time this
might fail, but I'm curious why no one has tried this approach. It would
seem the anti-virus companies have the infrastructure in place to do it.
Just my 2 cents...




---------------------------------------------------------
Andrew J. Kalat,                | Direct: (404)236-2713
IT Infrastructure Manager       | Main:   (404)236-2600
Internet Security Systems, Inc. | E-Mail: akalat () iss net
6303 Barfield Road              | <http://www.iss.net/>
Atlanta, GA 30328               | PGP key available.
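The pattern-file approach Andrew describes, as an added example (this is not code from the thread or from any vendor product): a border-MX filter that merges an hourly vendor pattern feed, scores inbound bodies against every known signature with a 90% fuzzy match, quarantines hits with the first few lines kept for the designated admin, lets that admin add site-specific examples to a local pattern file, and releases false positives. The feed format, the `SpamFilter` class and all sample messages are assumptions constructed for the demo; similarity is difflib's ratio over a normalised body, which is one cheap stand-in for the "90% match" and not the algorithm any real product used.

```python
"""Signature-driven spam filter for a border MX. Added example, not code
from the list thread: vendor pattern feed, 90% fuzzy match, quarantine with
an admin preview, local patterns and false-positive release. The feed format
and every sample message below are constructed assumptions."""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher


def normalize(text: str) -> str:
    """Canonicalise a body so cheap spammer mutations do not defeat the match:
    lowercase; URLs and digit runs (tracking links, phone numbers, prices)
    become placeholders; punctuation and whitespace collapse to single spaces."""
    text = re.sub(r"https?://\S+", " url ", text.lower())
    text = re.sub(r"\d+", "0", text)
    text = re.sub(r"[^a-z0 ]+", " ", text)
    return " ".join(text.split())


def similarity(a: str, b: str) -> float:
    """Similarity in [0, 1] of two normalised bodies (difflib ratio)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


@dataclass
class SpamFilter:
    threshold: float = 0.90                              # the "90% match"
    vendor_patterns: dict = field(default_factory=dict)  # sig id -> sample body
    local_patterns: dict = field(default_factory=dict)   # admin-added, per site
    quarantine: dict = field(default_factory=dict)       # msg id -> record

    def update_vendor_patterns(self, feed: dict) -> int:
        """Merge an (hourly) pattern feed; returns how many signatures are new."""
        new = {s: b for s, b in feed.items() if s not in self.vendor_patterns}
        self.vendor_patterns.update(new)
        return len(new)

    def add_local_pattern(self, sig_id: str, sample: str) -> None:
        """Designated admin adds a spam example to the user-based pattern file."""
        self.local_patterns[sig_id] = sample

    def best_match(self, body: str):
        """(signature id, score) of the closest pattern, or None without patterns."""
        best = None
        for sid, sample in {**self.vendor_patterns, **self.local_patterns}.items():
            score = similarity(body, sample)
            if best is None or score > best[1]:
                best = (sid, score)
        return best

    def scan(self, msg_id: str, body: str) -> str:
        """Return 'deliver' or 'quarantine'; quarantined mail keeps a preview."""
        match = self.best_match(body)
        if match is not None and match[1] >= self.threshold:
            self.quarantine[msg_id] = {
                "sig": match[0],
                "score": round(match[1], 3),
                "preview": body.splitlines()[:3],  # first few lines for the alert
                "body": body,
            }
            return "quarantine"
        return "deliver"

    def release(self, msg_id: str) -> str:
        """Admin judged it a false positive: drop from quarantine, return body."""
        return self.quarantine.pop(msg_id)["body"]


# Constructed sample data: one vendor feed entry and three inbound messages.
VENDOR_FEED = {
    "SPAM-0001": "MAKE MONEY FAST! Work from home and earn $5000 per week.\n"
                 "Visit http://example.com/offer123 or call 1-800-555-0100 today!",
}
VARIANT = ("Make MONEY fast!! Work from home and earn $4,999 per week.\n"
           "Visit http://example.net/offer987 or call 1-800-555-0177 today!!")
HAM = ("Hi team, the weekly status meeting moves to Thursday at 10:00.\n"
       "Please update the project plan before then. Thanks, Dana")
LOCAL_SPAM = "Herbal supplement clearance, 80% off, order at http://example.org/buy"


def demo() -> dict:
    """Run the filter over the constructed messages; returns the verdicts."""
    f = SpamFilter()
    f.update_vendor_patterns(VENDOR_FEED)
    verdicts = {
        "variant": f.scan("m1", VARIANT),          # mutated known spam
        "ham": f.scan("m2", HAM),                  # unrelated mail
        "local_before": f.scan("m3", LOCAL_SPAM),  # nothing in the feed yet
    }
    f.add_local_pattern("LOCAL-0001", LOCAL_SPAM)  # admin adds a site example
    verdicts["local_after"] = f.scan("m4", LOCAL_SPAM.replace("80%", "75%"))
    verdicts["released"] = f.release("m1") == VARIANT  # admin forwards it on
    return verdicts
```

The normalisation step is where the arms race Andrew anticipates plays out: the mutated copy (different price, phone number and tracking URL) still scores above 0.9 because those tokens are stripped before comparison, but a spammer who rewrites the wording, pads the body with random text, or sends an image instead of text drops below the threshold and gets through until a new signature is published. The release path matters for the same reason: a threshold tuned low enough to catch heavy mutation will start catching legitimate mail, and someone has to be able to get it back.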



-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr com]
Sent: Friday, March 29, 2002 9:45 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] regarding spam...


Out of 30 messages in the input queue yesterday 30 were spam.
27 of those were Korean or Chinese.

I'm trying to think of ways to deal with spam E-mails and
have been kicking around a few ideas with some friends of
mine. Most of the truly effective ways we can imagine to
deal with spam rely on spam-knowledge propagation: in other
words a human being someplace in the mix says "this is spam"
and based on that determination causes the offending message
to disappear from all mailboxes.

So, a side effect of this approach is a 'web of trust' with
respect to noise email. :) Suppose I tell the mail system
"I trust Dodge Mumford's judgement regarding what is spam"
then my mail system will automatically move into my spam
folder all emails that Dodge moves into his spam folder.
We might choose to look out for each other in a reflexive
relationship, or we might choose to additionally trust an
outside source, etc, etc.

It occurs to me that this would be pretty easy to implement,
with a bit of small extra kludgery. You could build it right
into an imap server by having it apply the extra processing
when someone moves a message into a folder called "spam" -
in fact this way _one_ person in an organization could keep
an up-to-date set of Eudora filters that would be leveraged
by everyone in that spam trust ring.

Does anyone know if this is already being done? Does anyone
see any really compelling reason it wouldn't work?

mjr.
---
Marcus J. Ranum          Chief Technology Officer, NFR Security, Inc.
Work:                    http://www.nfr.com
Personal:                http://www.ranum.com
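The spam trust ring Marcus sketches, as an added example (not code from the thread, and not any IMAP server's actual implementation): an in-memory mail store whose "move into a folder called spam" operation is the hook. The mover's copy is fingerprinted, the fingerprint is recorded against the mover, everyone who trusts the mover has their own copy of that message refiled into spam, and later deliveries of the same message to anyone in the ring are filed into spam on arrival. A reflexive (mutual) trust relationship and an outside source that publishes fingerprints are both modelled. All users, trust edges, message bodies and the `MailStore` class are constructed assumptions for the demo; the fingerprint is a SHA-256 of the whitespace- and case-normalised body, chosen only so the same spam delivered to several mailboxes is recognised as one message.

```python
"""Spam 'web of trust' hook on an IMAP-style folder move. Added example,
not code from the thread. Moving a message into the "spam" folder publishes
its fingerprint; users who trust the mover get their copy refiled, and
future deliveries are filed on arrival. Everything below is constructed."""
import hashlib
from collections import defaultdict

INBOX, SPAM = "INBOX", "spam"


def fingerprint(body: str) -> str:
    """Content hash so the same spam in different mailboxes is one message.
    Case- and whitespace-insensitive; any smarter canonicalisation goes here."""
    canon = " ".join(body.lower().split())
    return hashlib.sha256(canon.encode()).hexdigest()


class MailStore:
    def __init__(self):
        self.folders = defaultdict(lambda: defaultdict(dict))  # user -> folder -> id -> body
        self.trusts = defaultdict(set)      # user -> users whose spam judgement they trust
        self.trusted_by = defaultdict(set)  # inverse index: user -> users trusting them
        self.spam_marks = defaultdict(set)  # source -> fingerprints it has marked as spam
        self._seq = 0

    def trust(self, truster: str, trusted: str) -> None:
        """'I trust <trusted>'s judgement regarding what is spam.'"""
        self.trusts[truster].add(trusted)
        self.trusted_by[trusted].add(truster)

    def _sources(self, user: str) -> set:
        """Whose marks apply to this user: their own plus one hop, not transitive."""
        return {user} | self.trusts[user]

    def is_spam_for(self, user: str, body: str) -> bool:
        fp = fingerprint(body)
        return any(fp in self.spam_marks[src] for src in self._sources(user))

    def deliver(self, user: str, body: str) -> str:
        """File new mail; returns the folder it landed in."""
        self._seq += 1
        folder = SPAM if self.is_spam_for(user, body) else INBOX
        self.folders[user][folder][f"m{self._seq}"] = body
        return folder

    def move(self, user: str, msg_id: str, src: str, dst: str) -> None:
        """The IMAP-side operation; a move into 'spam' fires the ring hook."""
        body = self.folders[user][src].pop(msg_id)
        self.folders[user][dst][msg_id] = body
        if dst == SPAM:
            self._on_spam(user, body)

    def _on_spam(self, marker: str, body: str) -> None:
        """Record the mark and refile matching copies for everyone trusting the marker."""
        fp = fingerprint(body)
        if fp in self.spam_marks[marker]:
            return  # idempotent, so a reflexive trust pair cannot ping-pong
        self.spam_marks[marker].add(fp)
        for u in self.trusted_by[marker]:
            inbox = self.folders[u][INBOX]
            for mid in [m for m, b in inbox.items() if fingerprint(b) == fp]:
                self.folders[u][SPAM][mid] = inbox.pop(mid)
            # deliberately no recursive _on_spam(u, ...): u's own marks stay u's judgement

    def listing(self, user: str, folder: str) -> list:
        return sorted(self.folders[user][folder].values())


# Constructed messages for the demo.
SPAM_BODY = "MAKE MONEY FAST!!! Call now, limited offer."
HAM_BODY = "Lunch on Friday? -- Dodge"
FEED_SPAM = "Cheap ink cartridges, reply to this message to order."


def demo() -> dict:
    s = MailStore()
    s.trust("mjr", "dodge")  # mjr trusts Dodge's judgement ...
    s.trust("dodge", "mjr")  # ... and they look out for each other
    for u in ("dodge", "mjr", "outsider"):  # same spam and a real note to all
        s.deliver(u, SPAM_BODY)
        s.deliver(u, HAM_BODY)
    mid = next(m for m, b in s.folders["dodge"][INBOX].items() if b == SPAM_BODY)
    s.move("dodge", mid, INBOX, SPAM)  # Dodge files his copy as spam
    result = {
        "mjr_spam": s.listing("mjr", SPAM),
        "mjr_inbox": s.listing("mjr", INBOX),
        "outsider_spam": s.listing("outsider", SPAM),  # not in the ring
        "late_copy": s.deliver("mjr", SPAM_BODY + "  "),  # re-sent later
        "dodge_marks": len(s.spam_marks["dodge"]),
        "mjr_marks": len(s.spam_marks["mjr"]),
    }
    # An outside source is just another trusted publisher of fingerprints.
    s.spam_marks["outside-feed"].add(fingerprint(FEED_SPAM))
    s.trust("mjr", "outside-feed")
    result["feed_copy"] = s.deliver("mjr", FEED_SPAM)
    return result
```

Two choices here are the answer to "any compelling reason it wouldn't work": trust is one hop and not transitive, and a refile triggered by someone else's mark is not itself a mark. Without both, a single mistaken (or hijacked) "this is spam" would ripple through every ring that touches the ring it started in, and the message would vanish from mailboxes of people who never trusted the original marker. Moving rather than deleting, and propagating fingerprints rather than mailbox contents, keeps a bad mark recoverable and keeps one user's mail out of another user's store.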

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards