SPAM Overheads - Filtering Action
Once spam is identified the possible counter measures available depend on the filtering stage. One of the following actions is typically taken:
- Accept & Mark: Accept the mail, mark it as spam and let it go to the recipient mailbox. Spam may then be separated from ham by posting it to the Outlook Junk Mail folder, through insertion of subject prefixes or similar techniques.
- Accept & Delete: Accept the mail and delete it so as not to reach the recipient mailbox.
- Accept, Delete & Archive: Accept the mail, delete it and archive it to a central repository.
- Accept, Delete & NDR: Accept the mail, delete it, and send a non-delivery report to the sender.
- SMTP Reject: Reject the mail at SMTP Protocol level blocking the mail from being delivered.
The type of action taken determines how many extra overheads spam will manage to incur. Clearly SMTP Protocol rejection is only an option to filters integrating at the protocol level.
Action Type |
Resources Overheads |
Accept & Mark |
Highest Overheads. The action does not save us anything in terms of storage, bandwidth and processing power. Administrative resources are still wasted in server management but saved in end-user support. Although sorted, end-users still have access to spam and time is wasted in reviewing it.
|
Accept & Delete |
As the mail is accepted resources are consumed up to the point of deletion. Bandwidth and processing power hit the servers on the network perimeter where the filtering action is taken, but saved from back-end servers. Storage and administrative maintenance are saved. The end-recipient never sees the mail hence eliminating further loss in productivity.
|
Accept, Delete & Archive |
Same overheads as Accept & Delete plus some more due to archiving. Storage is still required but since the archive is centralized this does not affect the end-user mailbox.
Typically archiving only makes sense if a proper review procedure is in place. This introduces a new administrative burden but which should be much smaller than the total loss in productivity incurred when reviewing is left up to the end-user.
|
Accept, Delete & NDR |
Same overheads as Accept & Delete plus some more due to the NDR. Extra bandwidth and processing power is consumed in order to generate the NDR.
It is worth mentioning that this type of action although commonly available is worth avoiding. For example if a DoS attack is underway the NDRs will further stress the servers.
|
SMTP Reject |
Lowest Overheads. Rejecting at SMTP level gives the largest savings in terms of resources. The action leads to minimal bandwidth and processing power consumption.
|
Layered anti-spam protection
It is obvious that one cannot just look at overheads in isolation without considering the end-result. The key role of anti-spam remains that of catching the largest number of spam mail with minimal false positives. Also, most of these technologies can and should be adopted together. Certainly no one can count on adopting Access/Deny lists or SPF/Sender ID exclusively. These technologies are not even meant to be used in that context.
Many organizations today only perform 'Accept & Mark' filtering actions. This is in-line with the classic play-safe approach when handling spam. With the increase in spam load, a more aggressive attitude might be appropriate. Monitoring the overheads incurred by spam is the correct way to determine when new counter measures are appropriate.
'Accept & Mark' filtering actions are certainly a necessity. It is not always easy to tell if a mail is spam or ham. Hence in such cases human review is the ultimate technology available in our arsenal. Nevertheless today's filters are in a position to practically classify a good number of mails with 100% certainty. Let's look at a trivial example. If you work for an IT company and get a mail with this subject, would you have any doubt whether this is spam?
"PIAGET, ROLEX, CARTIER Replicas - Expensive Look, Not Expensive Price - LOUIS VUITTON, OMEGA, LONGINES"
It is also fair to expect that any serious content based anti-spam filter would have no doubts either (at least after enough time until the filter catches up with the latest spam trends). I gave an example based on mail content since it is easy for everyone to understand, but the same situation exists in SMTP protocol filtering.
Organizations finding 'Accept & Mark' not to be enough will have to move on and start getting rid of some of these mails. If a protocol filter classifies mail with very high certainty then its worth considering rejection. If the protocol filter is a bit uncertain mark it and let it through. In a layered setup other anti-spam filters are in place which will have their go at classifying the same mail. Again the action taken by the next filter should reflect the level of certainty.
So, layered anti-spam protection is composed of a number of filters. Protocol filters would be placed right at the edge of the network perimeter, possibly also followed by content filters. Each layer should give three types of result:
- SPAM high degree of certainty - Reject/Delete Mail
- SPAM certainty level not high enough - Mark Mail
- HAM
Putting such a system in place certainly requires a good evaluation and deployment procedure. The administrator has to be confident in the filters he is adopting because losing business because of spam is not an option. Rejection and deletion actions have to be applied gradually. Finally if your filter is classifying mails as spam with a high degree of certainty when they are not, look for alternative filters. There are certainly some good products that can do a better job.
References
Meng Wang Wong's SPF site:
http://spf.pobox.com/
Microsoft's Sender ID site:
http://www.microsoft.com/mscorp/twc/privacy/spam/senderid/default.mspx
Business Reputation Services SIQ Protocol internet draft:
http://www.ietf.org/internet-drafts/draft-irtf-asrg-iar-howe-siq-00.txt