By Dave Muldoon (Novell Cool Solutions)


Anti-SPAM: Summary of Web Cast: MessageScreen (Intellireach)

This article is based on notes from a Web Cast presented by Jeff Coveney, Product Manager for Intellireach. Further supporting information comes from the Network World Fusion article "Appliances ease anti-spam administration", found at: http://www.nwfusion.com/news/2004/072604spamappliance.html

Within this article I have provided some additional comments and information that may prove useful to organizations reviewing security and compliance applications or appliances. There has been much debate over appliance-type solutions versus installed application solutions. I don't plan to resolve those conflicts, but I cannot avoid touching upon some of those topics within this summary.

The focus of the Web Cast was security and compliance: helping organizations manage unwanted and inappropriate content, and providing additional features such as email encryption and virus protection. These solutions are intended to spare the GroupWise system from having to manage, store, back up and purge thousands of unwanted items aimed at mail systems across the Internet. No product on the market today captures 100% of spam and virus-laden messages, but the available products typically reduce the volume of spam reaching the messaging system by 80 to 90 percent.

Recent research shows that almost all organizations have an anti-virus solution (95% of organizations) and most have an anti-spam solution (70% of organizations). These are typically first-generation defenses that were put in place quickly to fill a need and then left unmanaged. Many are no longer as effective as they should be, both because newer filtering technology exists and because spammers have adapted to the older systems.

The same growth pattern seen in spam also holds for viruses and other malicious code. Over the past two to three years three major trends have emerged. The first is the mass-mailing worm: once a PC is infected, the code sends frivolous email to every address found on that machine, generally with the intent of overloading corporate mail servers to the point of failure. The second is the denial-of-service attack aimed at specific organizations and their corporate identities. The third is the abundance of phishing scams, in which a message spoofs a known entity such as a bank, creditor or other financial institution and asks the recipient to click a link and update their account information. The link is of course a forgery that directs the unsuspecting user to a web site that harvests the private data for exploitation.

Given these three trends it is easy to see how two of them combined provide the basis for the worldwide increase in spam. The volume of spam has doubled since 2002; currently 70% of all incoming email is spam, and about 20% of that is pornographic material.

Next-generation anti-spam architecture: appliance vs. software

Appliance technology has emerged over the past couple of years and has created a small rift within the industry. Technology traditionalists prefer complete control over the software and over how it affects the hardware it runs on. With an appliance, that control, and the responsibility that goes with it, is taken out of the customer's hands and replaced by the vendor's assurance: "trust me".

Appliances have come a long way: hardened operating systems, offline control features, call-home functionality, and enhanced filtering and screening techniques are all integrated into one platform whose internals are largely opaque to the customer. Because these devices are built and managed solely by the appliance vendor, the platform is less widespread and less familiar to spammers, which can make it harder for spam and viruses to bypass the device. Unfamiliarity to attackers is a thin advantage on its own; the hardened build and the perimeter placement carry more weight. The protection can be considered more effective because the appliance sits on the network perimeter: mail it rejects is never transmitted into the network or onto the mail servers.

Intellireach's MessageScreen appliance can be implemented and functional within a short amount of time. The device acts as a "firewall" for spam, viruses and other malicious content. It is built on hardware that can handle a large volume of traffic, coupled with software that requires little administration. The device receives automatic updates from Intellireach for spam signatures (updated daily) and anti-virus, further reducing the administration burden. Automated updates give some administrators an uneasy feeling, but viewed from a "high-level" or organizational perspective a software/server-type solution can be less reliable: both the server and the software require updates, often with scheduled downtime of some sort.

For organizations that wish to implement such a solution more cautiously, Intellireach provides a test mode. In this mode all messages are allowed through and the administrator reviews the items that would have been blocked, so that false positives can be found before enforcement is switched on. Given the sheer percentage of messages that are spam, reviewing everything this way is generally not practical for long, but the option is available. MessageScreen also provides many built-in reports, ranging from usage statistics to overall load.

MessageScreen passes each message through multiple layers of validation before allowing it into the messaging system. These layers include:

    White lists
    Real Time Block List
    Sender Server Verification
    Sophos anti-virus
    Base header/body adult content
    Custom header/body adult content
    VIMA image analysis

In addition, disclaimers can be appended to incoming or outgoing messages.

Messages are scored on a point system, and thresholds on the score determine the action taken. For example, an item scoring over 10,000 would be far above the value set for passing a message. You can also let messages through but prefix the subject with the word SPAM and leave users to deal with them. This is not good practice: spam and viruses still enter the system, which defeats much of the reason for deploying the solution. The weights behind the scores can be adjusted so that legitimate terminology gets through. For example, a pharmaceutical company may always want the word "viagra" to pass, so it could set that term's value to negative 100,000 to pull the score down and let the message through. Be careful with this: a weight that large effectively turns the term into a bypass token, since any message containing it will pass regardless of what the other layers found. MessageScreen also offers flexibility for attachments, including size limits and file types known to be malicious. Where a file cannot be scanned (zipped, encrypted, password protected, and so on) the administrator can specify the action to take.

If a message is determined to be "suspect", it is flagged as unwanted and does not go on to the messaging servers. Two options are available to the administrator: drop the item entirely, or let users self-manage their items. In the self-managed approach the item is held in quarantine on the appliance, and users can be granted permission to review their own personal quarantine area and retrieve mail that was falsely trapped as malicious or unwanted.
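The following Python model ties the layers, the point scoring, the attachment policy and the resulting actions together. It is an added example written for this summary, not Intellireach or MessageScreen code: the layer order, the point weights, the thresholds, the block-list contents and the sample messages are all constructed for illustration and are not the appliance's real values. It also shows what a very large negative term weight does to an otherwise obvious spam message.

```python
"""Layered, score-based mail filter modelled on the pipeline described above.

Added example, not Intellireach/MessageScreen code.  The layer order, the
point weights, the thresholds and every sample message below are constructed
for illustration and are not the appliance's real values.
"""
import os
from dataclasses import dataclass, field

# Constructed stand-ins for the appliance's data sources.  A real RBL is a
# DNS lookup of the reversed client IP under the list's zone; an in-memory
# set keeps the example runnable offline.
RBL_LISTED = {"203.0.113.7"}
WHITELIST_DOMAINS = {"partner.example"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif"}

# Per-term point weights (assumed values).  Positive raises the score,
# negative lowers it, as with the article's "viagra at -100000" example.
TERM_WEIGHTS = {"viagra": 4000, "click here": 1500, "unsubscribe": 800, "free": 500}


@dataclass
class Message:
    sender_domain: str
    client_ip: str
    subject: str
    body: str
    # (filename, scannable) pairs; scannable=False models encrypted or
    # password-protected archives the AV engine cannot open.
    attachments: list = field(default_factory=list)


@dataclass
class Verdict:
    action: str        # "pass", "tag", "quarantine" or "drop"
    score: int
    subject: str       # subject as it would be delivered ("SPAM: ..." when tagged)
    reasons: list


def score_content(msg, weights):
    """Sum term weights over subject and body; return (score, reasons)."""
    text = f"{msg.subject} {msg.body}".lower()
    score, reasons = 0, []
    for term, weight in weights.items():
        hits = text.count(term)
        if hits:
            score += hits * weight
            reasons.append(f"{term!r} x{hits} ({hits * weight:+d})")
    return score, reasons


def evaluate(msg, weights=TERM_WEIGHTS, tag_at=3000, quarantine_at=5000, drop_at=10000):
    """Run the layers in order and map the final score onto an action."""
    reasons = []
    # Layer 1: white list.  Short-circuits every later check.
    if msg.sender_domain in WHITELIST_DOMAINS:
        return Verdict("pass", 0, msg.subject, ["whitelisted sender domain"])
    # Layer 2: real-time block list.  A heavy weight, but still just points.
    score = 0
    if msg.client_ip in RBL_LISTED:
        score += 6000
        reasons.append("client IP on RBL (+6000)")
    # Layer 3: attachment policy.  Known-bad types are dropped outright;
    # files the scanner cannot open are quarantined rather than trusted.
    for name, scannable in msg.attachments:
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            return Verdict("drop", score, msg.subject, reasons + [f"blocked attachment type {ext}"])
        if not scannable:
            return Verdict("quarantine", score, msg.subject, reasons + [f"unscannable attachment {name}"])
    # Layer 4: header/body content scoring.
    content_score, content_reasons = score_content(msg, weights)
    score += content_score
    reasons += content_reasons
    # Thresholds decide the action; "tag" delivers the mail with a marked subject.
    if score >= drop_at:
        return Verdict("drop", score, msg.subject, reasons)
    if score >= quarantine_at:
        return Verdict("quarantine", score, msg.subject, reasons)
    if score >= tag_at:
        return Verdict("tag", score, "SPAM: " + msg.subject, reasons)
    return Verdict("pass", score, msg.subject, reasons)


# Constructed sample traffic.
SPAM = Message("bulk.example", "203.0.113.7", "Viagra free!!!", "click here to unsubscribe")
ENCRYPTED_ZIP = Message("bulk.example", "198.51.100.9", "Invoice", "see attached",
                        [("invoice.zip", False)])
PHARMA_WEIGHTS = dict(TERM_WEIGHTS, viagra=-100000)  # the article's pharma-company tweak


def demo():
    """Return verdicts for the sample traffic under the default and pharma weights."""
    return {
        "spam": evaluate(SPAM),
        "spam_with_pharma_weights": evaluate(SPAM, weights=PHARMA_WEIGHTS),
        "encrypted_zip": evaluate(ENCRYPTED_ZIP),
    }


if __name__ == "__main__":
    for label, v in demo().items():
        print(f"{label:26s} {v.action:10s} score={v.score:>8d}  {'; '.join(v.reasons)}")
```

Under the default weights the sample spam message scores 12,800 (RBL hit plus four content terms) and is dropped. Under the pharma-company weights the same message, from the same block-listed host, scores -91,200 and passes, which is the bypass the scoring paragraph warns about. Note also that the white-list layer here keys on the claimed sender domain, which is trivially forged; in a real deployment it only makes sense alongside the sender server verification layer.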

Quarantine Options:

Each option comes with both a local workstation-based installation and a web-based way to manage the quarantine queue. The Quarantine Administrator Client can be installed on an admin workstation for powerful searching, indexing and sorting; administrators also have a web-based interface for the same functions. An "IntelliClient" local installation provides end-user controls, with plug-ins for both GroupWise and Outlook, so users can manage their own quarantine queue through a browser or through their native mail client. Finally, users can receive a "spam summary email": they opt in and schedule a list of their quarantined items to be emailed to them. The summary contains the sender, subject, date, size, score and reason for quarantine for each item held for that user. This removes the need to visit the quarantine daily and helps manage false positives, since users have easy access to their personal quarantine queue and can spot misfiled mail quickly.

Based on my experience, allowing users to manage their own spam can often be confusing to the typical end-user. Supporting over 18,000 users, I think that on a weekly basis, with the application used within my organization, only a small number of items, maybe 1 or 2 per month, are falsely quarantined and require an administrative response on behalf of the user. If users had to manage, or could manage, these functions, I can only imagine the additional questions and issues.

For more information on Intellireach's MessageScreen, see:

www.intellireach.com