SOPHOS ANTI-SPAM ASIA 2004 SEMINAR
Held on 20th April 2004 at Grand Hyatt Hotel, the seminar detailed the complexity of 3rd generation spam techniques and explained why simple content filtering and “tag and pass” techniques are no longer effective against the latest spam.
Keynote speakers included Dr John Graham-Cumming, Research Director, Sophos Anti-Spam Task Force; Mr Tan Ming Liang, Advocate and Solicitor, Rajah & Tann; Mr Wong Loke Yew, Security Evangelist, Trusecure Corp; and Professor Lawrence Law, Director, Information Technology Services Center, Hong Kong University of Science and Technology. Mr Ng Hak Beng, Technical Support, Sophos Asia, also presented a short product tour of Sophos PureMessage, explaining the anti-spam features, ease of use, flexibility and scalability of the solution. Of particular interest was the detailed case study presented by Professor Lawrence Law on how Hong Kong University of Science and Technology conquered spam with the Sophos PureMessage anti-spam solution. If you did not manage to make the trip, or were opted out of the mailing list, here is what you missed.
Spam is increasing rapidly and now accounts for an estimated 50 per cent of all Internet traffic. The spam threat is getting worse, as explained by Charles Cousins, Managing Director, Sophos Asia.
Content filtering may not be effective in certain environments. For example, email that mentions Viagra, or that contains words for certain reproductive organs, may have a legitimate medical purpose in a hospital or research environment.
Dr John Graham-Cumming, in a recorded video presentation, described how spammers disguise their emails as faked non-delivery reports (NDRs), fooling the user into opening the attachment, which is the spam. Spammers are also using increasingly sophisticated means to get their messages past adaptive spam filters, such as hiding messages in innocent text and adding certain words to the message so that the spam is classified as ham. The details are in the white papers listed on the Sophos website.
Sophos PureMessage, which is a 3rd generation anti-spam solution, uses advanced email filtering techniques to detect these spam messages at the email gateway, preventing users being disrupted by unsolicited commercial email.
Mr Tan Ming Liang presented a legal perspective on anti-spam: how effective the recently enacted CAN-SPAM Act of 2003 (United States federal law) and the European Coalition Against Unsolicited Commercial Email (EuroCAUCE – European Union) are against spam. He contrasted the opt-in (pro-consumer, EuroCAUCE) and opt-out (pro-business, CAN-SPAM) approaches to anti-spam legislation. In the opt-in approach, the party interested in sending out bulk email must put in some effort up front to acquire and maintain a list of potential customers. In the opt-out scheme, the recipient is expected to answer with a "remove" request. Even if the bulk email sender honors a “remove” request, it might pass the address on to another sender as a “confirmed live” address, so the recipient ends up with more spam.
Professor Lawrence Law outlined the criteria for selecting Sophos PureMessage for spam control. In the beginning, they implemented DNSBL (DNS based black list) or RBL (Realtime Blackhole List) on their email gateways, rejecting or blocking mail based on the block list. This requires constant reporting to DNSBL either to list or de-list certain sites. Much effort is required in order to reduce the spam level.
Hong Kong University of Science & Technology (HKUST) then investigated SpamAssassin™ and Sophos PureMessage.
Quoted from the SpamAssassin™ website, http://www.spamassassin.org :
SpamAssassin™ is a mail filter to identify spam.
Using its rule base, it uses a wide range of heuristic tests on mail headers and body text to identify "spam", also known as unsolicited commercial email.
SpamAssassin™ does help to reduce spam, but the number of false positives is quite high, leading to legitimate email being tagged and passed as spam.
PureMessage provides the flexibility to cater for different groups of users. Heavy internet users might need better spam control than office clerks. PureMessage allows users to set their own spam defaults, based on the probability of messages being spam, at a level they feel comfortable with. For example, a spam probability of 100%-80% means blocked or rejected emails, 80%-50% means the email is quarantined, and anything below 50% is tagged and passed to the clients, where further rules can be applied. In the case of quarantined messages, a digest is sent to the user, so that the user still has access to the quarantined messages.
Furthermore, PureMessage provides end users with the ability to add items to their personal whitelists or blacklists using the end-user web interface.
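The per-user thresholds, quarantine digest and personal lists described above, sketched as an added example; this is not PureMessage configuration or API, and names such as UserPolicy and disposition are hypothetical. Two points the text leaves open are treated as assumptions: a boundary value (exactly 80% or 50%) takes the stricter action, and personal lists are checked before the score.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class UserPolicy:
    # Per-user thresholds on spam probability (0.0-1.0); defaults mirror the text.
    # Assumption: a value exactly on a boundary gets the stricter action.
    reject_at: float = 0.80
    quarantine_at: float = 0.50
    whitelist: set = field(default_factory=set)   # lower-case sender addresses
    blacklist: set = field(default_factory=set)

def disposition(policy, sender, spam_probability):
    """Return 'deliver', 'reject', 'quarantine' or 'tag_and_pass' for one message."""
    if not 0.0 <= spam_probability <= 1.0:
        raise ValueError("spam probability must be between 0 and 1")
    sender = sender.lower()
    # Assumption: personal lists take precedence over the score.
    if sender in policy.whitelist:
        return "deliver"
    if sender in policy.blacklist:
        return "reject"
    if spam_probability >= policy.reject_at:
        return "reject"
    if spam_probability >= policy.quarantine_at:
        return "quarantine"
    return "tag_and_pass"

def process(messages, policies):
    """Apply each recipient's policy; return (dispositions, per-user digest)."""
    results, digest = [], defaultdict(list)
    for recipient, sender, subject, prob in messages:
        policy = policies.get(recipient, UserPolicy())
        action = disposition(policy, sender, prob)
        results.append((recipient, subject, action))
        if action == "quarantine":
            digest[recipient].append((sender, subject))
    return results, dict(digest)

# Constructed sample data: (recipient, sender, subject, spam probability).
POLICIES = {
    "researcher@example.edu": UserPolicy(reject_at=0.95, quarantine_at=0.70,
                                         whitelist={"journal@example.org"}),
    "clerk@example.edu": UserPolicy(blacklist={"offers@example.net"}),
}
MESSAGES = [
    ("researcher@example.edu", "journal@example.org", "Call for papers", 0.85),
    ("researcher@example.edu", "unknown@example.com", "Cheap meds", 0.85),
    ("clerk@example.edu", "unknown@example.com", "Cheap meds", 0.85),
    ("clerk@example.edu", "unknown@example.com", "Meeting notes", 0.50),
    ("clerk@example.edu", "offers@example.net", "Newsletter", 0.10),
]
```

The same 0.85 score is quarantined for the user with relaxed thresholds and rejected for the user on the defaults, which is the per-group flexibility the text describes.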
Currently, two dual-CPU Xeon servers handle more than 250,000 mails from the Internet daily, protecting more than 10,000 email users. The users at HKUST are very happy with the PureMessage solution. In fact, the recent fraudulent emails that appear to come from certain banks but are in fact sent by imposters requesting personal information have been classified as spam. Those emails did not even arrive in the HKUST users' inboxes, as they contain “Invisible Ink” and “Camouflage” tricks in the HTML message.
Further reading:
The two white papers, “Spam and the non-delivery report” and “Fooling and poisoning adaptive spam filters”, are available on the Sophos website at http://www.sophos.com/spaminfo/whitepapers . Registration is required in order to have access to all the white papers on the Sophos website.