By Don Hoyt
Heuristic Analysis: One of the most effective antispam technologies, heuristic analysis (often associated with the SpamAssassin open source solution) scans messages for thousands of traits commonly found in spam messages. Each spam trait has a unique score or weight associated with it. Each message is then assigned a total score based on the number of spam traits it exhibits and their associated scores. Mail server administrators are able to assign a threshold score to determine what score constitutes spam (e.g., a lower threshold will result in more messages labeled as spam, and higher thresholds result in fewer messages labeled as spam). This technology is difficult for spammers to bypass due to the combination of thousands of spam rules and traits; spammers may avoid some rules and traits, but will likely be caught by others. It also allows administrators to customize their tolerance of spam by assigning a threshold score that filters a higher or lower percentage of spam. The only downside to this technology is the amount of bandwidth and processing it requires to scan each message. In most cases the performance hit is negligible, but in high-traffic environments it is a consideration.
Bayesian Filtering: A technology that statistically calculates probabilities, Bayesian filtering considers both the good and bad tendencies of messages to reach a percentage likelihood of messages being spam. Bayesian filtering uses databases of spam messages and legitimate messages and their tendencies to learn what constitutes spam and legitimate mail. This is a time-tested technology that has grown less effective over time, but still filters enough spam to make it useful. Bayesian filtering is only as effective as its databases of spam and non-spam messages, so the more accurate and up to date the database, the higher the rate of performance. Many mail administrators and/or users train Bayesian filters locally, while some email servers provide predetermined databases and automatic updates to keep Bayesian databases as current as possible.
Intrusion Prevention/Tarpitting: Tarpitting detects when mail is unsuccessfully sent to unknown users. If the number of unsuccessful attempts exceeds a specified limit, the sender’s IP address is added to a blacklist, and mail from that IP address is rejected for a specified period of time. Spammers commonly send to a wide variety of invalid user accounts on a domain in successive attempts, in hopes of landing a valid address. This technology detects these attempts and prevents the sender from continuing the invalid deliveries. Tarpitting targets an exact type of spam behavior and effectively blocks it. There is no known downside to tarpitting.
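The limit-and-block behavior described above can be sketched as follows; this is an added example, not code from the article or from any mail server. The `Tarpit` class, its default limit, counting window and block duration, the SMTP reply strings, and the sample addresses are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class Tarpit:
    """Blocks a sender IP after too many deliveries to unknown users."""
    def __init__(self, limit=3, window=60, block_seconds=600):
        self.limit = limit                  # failures tolerated inside the window
        self.window = window                # counting window in seconds (assumption)
        self.block_seconds = block_seconds  # how long a blocked IP is rejected
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time at which the block expires

    def is_blocked(self, ip, now):
        if now >= self.blocked_until.get(ip, 0):
            self.blocked_until.pop(ip, None)  # no block, or the block has expired
            return False
        return True

    def handle_rcpt(self, ip, rcpt, valid_users, now):
        """Return the SMTP reply for one RCPT TO from ip at time now."""
        if self.is_blocked(ip, now):
            return "554 rejected: sender temporarily blocked"
        if rcpt.lower() in valid_users:
            return "250 OK"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # drop failures older than the window
        if len(recent) > self.limit:        # limit exceeded: start the block
            self.blocked_until[ip] = now + self.block_seconds
            del self.failures[ip]
        return "550 user unknown"

# Constructed sample traffic: (seconds, sender IP, recipient)
VALID_USERS = {"alice@example.com", "bob@example.com"}
EVENTS = [
    (0, "203.0.113.9", "admin@example.com"),
    (2, "203.0.113.9", "sales@example.com"),
    (3, "198.51.100.4", "alice@example.com"),   # unrelated sender, valid user
    (4, "203.0.113.9", "info@example.com"),
    (5, "203.0.113.9", "test@example.com"),     # fourth failure: block starts
    (6, "203.0.113.9", "alice@example.com"),    # valid user, but IP is blocked
    (700, "203.0.113.9", "alice@example.com"),  # block has expired
]

def replay(events=EVENTS):
    """Feed the events through a fresh Tarpit and return the reply codes."""
    tarpit = Tarpit()
    return [tarpit.handle_rcpt(ip, rcpt, VALID_USERS, t)[:3] for t, ip, rcpt in events]

if __name__ == "__main__":
    print(replay())
```

The sixth event shows the effect of the block: the guessing sender is rejected even when it finally hits a valid address, while the unrelated sender at 198.51.100.4 is never affected.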
Razor/Community: Razor, or Vipul’s Razor, is a community-based technology that allows knowledgeable users to report new types of spam and prevent Razor users from receiving the same messages. Similar to antivirus security products, Razor ensures that known spam is rejected. When the Razor community of users detects a spam message, a unique hash is assigned to the message. When Razor users receive a message with this same hash, the message is rejected. This is a more recently developed technology that is expanding in use, and since it is user-community based, its effectiveness is also increasing. While this is a recommended technology that detects a great deal of spam, it does suffer from the flaw of not being able to detect new spam messages not yet reported by Razor users. It also doesn’t allow organizations to determine their own definition of spam, as messages reported by the Razor community as spam might be legitimate messages to you.