IronPort & Spam
I used to get irritated with spam, but no more. I became accustomed to it, just like I became accustomed to the obligatory but ineffectual security checks at airports. The security checks are a hollow ritual designed to convince the voter that precautions against terrorists are being taken. But, as I indicated in a previous blog, the only effective airport security I've experienced is in Israel. The price you pay is that it takes forever to get through the security check.
Spam blocking is not a hollow ritual. However, it can be less than perfect. The spam blocker that I use, primarily, is the native Apple Mail spam blocker. It does a good job of weeding out most spam, but it also ejects valid emails sometimes—the dreaded false positive. So when I'm bored during the day I flit through the junk folder and check. The most irritating quirk that the Apple Mail spam blocker has is that it will often classify vendor emails with briefing PowerPoints as junk. Unfortunately, it isn't a reliable indicator of the quality of the vendor's technology.
I have several email accounts. I guess I'm no different to anyone else in that respect. My five active accounts are: for Hurwitz, for Bloor Research, for BaroudiBloor (an old account that yields 99% spam), a personal Gmail account and a personal Mac.com account. I use a Gmail account for archive (archiving all my emails to there means that I never lose any and it also becomes a file archive via attachment). It's also my emergency account in case my laptop gets stolen. I don't get any spam through Gmail, but that's because I never use the account to register for anything. It may be that Gmail has good spam blocking, but I cannot confirm it. Bloor Research uses Spam Assassin for spam blocking. It's OK but not wonderful. No other email service I use has spam protection and I access them all from my Apple.
Is 100 percent spam blocking possible? I recently ran into an article in InfoWorld (28th May issue), which compared IronPort's spam blocking appliance to that of Mirapoint. IronPort won this particular bake-off. It caught 93 percent of spam with only 1 false positive (in just under 10,000 emails) straight out of the box. Also, the false positive was non-critical. I know IronPort reasonably well as it hired me as a speaker last year and I met with their technical people as a consequence. Blocking figures beyond 98% are possible because the spam engine learns, but actually, from the productivity angle, it's the low false positive count that matters most. Once you've blocked 90 percent of spam, the extra percent or two doesn't deliver much to the user.
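As an added illustration (not part of the original post) of the productivity argument, the following Python puts the bake-off figures beside some hypothetical filters and weighs missed spam against false positives. The spam/ham split of the sample and the per-message minute costs are assumptions, not figures from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterResult:
    """Outcome of running a spam filter over a labelled mail sample."""
    spam_total: int        # spam messages in the sample
    spam_caught: int       # spam correctly sent to the junk folder
    ham_total: int         # legitimate messages in the sample
    false_positives: int   # legitimate messages wrongly junked

    @property
    def catch_rate(self) -> float:
        return self.spam_caught / self.spam_total

    @property
    def false_positive_rate(self) -> float:
        return self.false_positives / self.ham_total


def user_minutes(r: FilterResult,
                 per_missed_spam: float = 0.1,
                 per_false_positive: float = 15.0) -> float:
    """Assumed productivity cost: deleting a missed spam takes seconds,
    while a junked legitimate mail costs a search or a lost message."""
    missed = r.spam_total - r.spam_caught
    return missed * per_missed_spam + r.false_positives * per_false_positive


# Constructed sample: 10,000 messages, 7,000 spam and 3,000 legitimate.
# The "93% catch, 1 FP" row mirrors the bake-off figures quoted above;
# the other rows are hypothetical filters added for comparison.
SCENARIOS = {
    "90% catch, 1 FP": FilterResult(7000, 6300, 3000, 1),
    "93% catch, 1 FP": FilterResult(7000, 6510, 3000, 1),
    "98% catch, 1 FP": FilterResult(7000, 6860, 3000, 1),
    "98% catch, 30 FP": FilterResult(7000, 6860, 3000, 30),
}


def rank_by_cost(scenarios=SCENARIOS) -> list:
    """Return (label, minutes) pairs, cheapest for the user first."""
    return sorted(((name, user_minutes(r)) for name, r in scenarios.items()),
                  key=lambda pair: pair[1])


if __name__ == "__main__":
    for name, minutes in rank_by_cost():
        print(f"{name:18s} {minutes:7.1f} user-minutes per 10,000 messages")
```

Under these assumptions the filter with the highest catch rate but 30 false positives costs the user several times more than the out-of-the-box 90 percent filter with a single false positive.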
The spam blocking industry is doing very well, because automatic spam blocking pays for itself quite quickly. It reduces the need for disk storage and hence the cost. It cuts the workload for administrators. An incidental benefit is that it stops virus-bearing emails. It is a sub-industry that will prosper for quite a while yet—even after spam itself ceases to circulate much. This became clear from discussions with IronPort (and other vendors in this space). These vendors are not just about spam filtering, they are about message management—which for the moment means just email management. However, these vendors are well aware that in the end it's about all messages (IM, voice, video, and anything else the world invents).
IronPort's most recent product upgrade has been to add “compliance filters” which filter outbound email to ensure none of the content violates US regulations such as HIPAA and Gramm-Leach-Bliley. Two-way filtering is just the next step in the growth of the message management market. Common message management frameworks are some way away.
AVID: The Fix Time
Imagine that your office is in an area where a sudden increase in the level of burglary is occurring. The thieves have found a way of getting into buildings that circumvents the primitive security alarms that everyone uses. Naturally, you phone your security adviser and provider, to whom you pay a handsome retainer, and he tells you, “Unfortunately, at the moment there aren't any security alarms that work for this kind of burglar. But don't you worry none, we have researchers with astronomic IQs working on the problem right now and when one of them comes up with something we'll be sure to send someone in to fit a better alarm.”
Pathetic, isn't it? That's anti-virus software for you.
The AVID (Anti-Virus Is Dysfunctional) campaign has the single goal of destroying (or at least seriously diminishing) the $3.7 billion AV industry. The point is that there is excellent technology, which completely prevents viruses, worms, Trojans and other malware, 100 percent, and it is available now from a clutch of vendors (Bit9, Securewave and AppSense). Some of the companies that have adopted such technology no longer deploy AV technology and none of them need to. The problem is cured. If this technology were adopted across the board it would significantly diminish digital crime.
While I'm writing this, Symantec is desperately trying to recover from a stack overflow vulnerability discovered by independent security firm eEye. Far be it from me to kick an AV vendor when it's down, or exaggerate a security threat. Truth to tell, this high-profile stack overflow never became a zero-day threat. No virus writers got anything going to exploit the threat before it got fixed. However, it was a zero-day PR threat, especially as Symantec is about to launch some new product or other (called Norton 360). Symantec responded at lightning speed, issuing the PR news that it had issued a patch on Sunday. It issued the patch two days later, on Tuesday (according to TGDaily.com). This behaviour by Symantec echoes the subject of this week's AVID posting in a spooky way.
A correspondent wrote to criticize my last few AVID postings, pointing out that I had missed a crucial point about the length of time you are at risk, if you are foolish enough to depend on AV software. My correspondent referred to this as the AV distribution problem. I 'fess up. He was right. He pointed out correctly that the fix times I published in the League of Shame only give the time that it takes the AV vendor to post the new AV signature for download. The truth of the matter is that the AV software actually has to download the new signature before the user has any protection.
Thus, if a fix is available, you don't actually get the fix until your AV software does an automatic download of it (unless you initiate the job manually). AV companies vary as to how frequently their software updates the AV signatures. With some products, automatic updates happen only once a week. Yes, hard to believe isn't it? The most frequent is Kaspersky Labs (8 times a day).
So get this: your AV vendor may take two days (i.e. pathetically long) to get a fix ready, but you could be exposed for a further 7 days to some horribly expensive (for you or your company) virus that the AV vendor was supposed to be protecting you against.
It's a racket, isn't it? A lack-of-protection racket.