Changing Face of SPAM Filtering

ExchangeDefender

August was a hard month for ExchangeDefender, with a lot of long-planned changes being moved up the timeline to address what I believe will be the end of unmanaged mail servers. Allow me to explain. Assuming you can deal with a mild annoyance and have an extremely powerful server, you can pretty much set up your choice of mail server software and leave it alone. As in the Windows NT/2000 days: configuration OK, system up, job done, leave it alone.

Over the past few years the above case has only shifted slightly. Those who cared about the productivity and efficiency of their resources bought SPAM filtering software, outsourced SPAM filtering, or hired MSPs and ASPs to handle their mail, but for the most part there was no big “threat”, just a huge “annoyance” impacting productivity and server efficiency. For example, you can install an SBS box and leave it up and running on Exchange 2003 SP1 or SP2 without a care. Sure, it may take a minute or two to open up the server manager, you might be eating up the storage quota on the server by storing all sorts of junk, you could even have an infected system from time to time, but life goes on. IMF may help a little bit; for the most part there is no need to watch over the server 24/7/365, and given a good backup and some failure tolerance you’re good to go.

I believe the good times are over.

I started ExchangeDefender years ago in order to protect our Exchange and Sendmail servers. Not really to make money, but to save money on expensive Exchange AV solutions that also ended up trashing our resources. Over the years I’ve seen the product evolve beyond the wall into a managed piece of network intelligence, a business continuity tool with LiveArchive, a compliance and regulatory tool and a heck of a lot more. But in the end, it will always be a central network that we use to isolate the threats before they get to the pieces that we cannot manage: users and servers.

Last month saw an interesting change in the way problems escalate out of proportion, almost one after another. First, we continue to see increases in the amount of SPAM being relayed through. Nothing new there, but the volume is important because it taxes the resources much harder, leaving fewer cycles available for the more detailed policy enforcement, such as filtering image spam. You see, where most SPAM used to come in as tiny text messages that could easily be filtered out with the lowest-power appliance, the new SPAM comes in as a PDF, a zip file, an image file, etc. We are no longer dealing with 1–2KB files; we’re now dealing with documents and images several hundred times larger. And as we lose more and more cycles to the garbage that seems merely annoying, we are letting more and more really dangerous stuff slip through.

Namely, over 25% of the computers on the Internet are pwn3d in one way or another. They may have a rootkit, virus or trojan, or even be part of a botnet. That is a huge part of the network that is really going to waste, and it’s only going to get worse. For example, consider the latest botnet code, which was likely broken inadvertently. Instead of delivering SPAM it would open the connection and leave it hanging after issuing the RCPT TO: command. The result is that thousands upon thousands of connections were left open, bringing the server to its knees. Imagine 25% of the Internet doing something “weird” for a day or two.
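The stalled-after-RCPT-TO behaviour described above shows up in SMTP session logs well before the connection table fills, so it can be counted per source IP and fed into connection throttling. The script below is an added example, not ExchangeDefender's code; it assumes a constructed, Postfix-like log layout (timestamp, connection id, source IP, last command) and a 30-second idle threshold, both of which are assumptions.

```python
"""Flag SMTP sessions that stall after RCPT TO, grouped by source IP."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log sample in a Postfix-like layout (assumption, not a real
# ExchangeDefender format): timestamp, connection id, source IP, command.
SAMPLE_LOG = """\
2007-08-20 10:00:01 conn=101 ip=198.51.100.7 cmd=MAIL
2007-08-20 10:00:02 conn=101 ip=198.51.100.7 cmd=RCPT
2007-08-20 10:00:02 conn=102 ip=203.0.113.9 cmd=MAIL
2007-08-20 10:00:03 conn=103 ip=198.51.100.7 cmd=RCPT
2007-08-20 10:00:04 conn=102 ip=203.0.113.9 cmd=RCPT
2007-08-20 10:00:05 conn=102 ip=203.0.113.9 cmd=DATA
2007-08-20 10:00:50 conn=104 ip=192.0.2.5 cmd=RCPT
2007-08-20 10:01:00 conn=102 ip=203.0.113.9 cmd=QUIT
"""

STALL_SECONDS = 30  # assumption: idle this long after RCPT TO means stalled
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) conn=(?P<conn>\d+) ip=(?P<ip>\S+) cmd=(?P<cmd>\w+)$")

def parse_log(text):
    """Yield (timestamp, conn_id, ip, command) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["conn"], m["ip"], m["cmd"])

def find_stalled_sessions(text, stall_seconds=STALL_SECONDS):
    """Return {ip: count} of sessions whose last command was RCPT and that
    have sat idle at least stall_seconds as of the newest log timestamp."""
    last = {}  # conn_id -> (timestamp, ip, last command seen)
    newest = None
    for ts, conn, ip, cmd in parse_log(text):
        last[conn] = (ts, ip, cmd)
        newest = ts if newest is None or ts > newest else newest
    stalled = defaultdict(int)
    for ts, ip, cmd in last.values():
        if cmd == "RCPT" and (newest - ts).total_seconds() >= stall_seconds:
            stalled[ip] += 1
    return dict(stalled)

def throttle_candidates(stalled, min_sessions=2):
    """Source IPs holding at least min_sessions stalled sessions, worst first."""
    return sorted((ip for ip, n in stalled.items() if n >= min_sessions),
                  key=lambda ip: -stalled[ip])
```

In the sample, connection 104 has only been idle for ten seconds, so it is not yet counted; run against a live log, the threshold and the per-IP minimum are the knobs to tune against your own traffic.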

It is easy to see how little issues like this can take down companies quite easily. I believe the days of set it and forget it are now firmly over. That is, in part, why we pushed up so many security features: we don’t want to be solving “problems” that haven’t appeared yet only once it is a little too late.