Q&A: Why spammers are like dogs

IronPort’s Weiss talks acquisition by Cisco, e-mail security’s future, why spammers spam

In January, Cisco announced plans to acquire IronPort Systems, maker of communications security appliances, citing synergies between Cisco’s threat mitigation, communications, policy control, and management products and IronPort’s messaging and Web protection products. This acquisition won’t be like most of the ones Cisco makes, says Scott Weiss, the founder and CEO of IronPort, because IronPort won’t be integrated into the networking giant but operated instead as a separate unit.

Weiss says Cisco is treading carefully into the messaging security space because it’s a new area for the company, but IronPort has been in business since 2000, selling Web and e-mail security appliances to organizations. Network World Senior Editor Cara Garretson recently spoke with Weiss about the $830 million Cisco acquisition (expected to close next month), where e-mail security is going and, yes, why spammers are so much like dogs.


The complete interview with Scott Weiss can be heard here.


How do you see Cisco and IronPort’s products fitting together?

Strangely enough, the plans are not to integrate the two companies: We’re one of three out of Cisco’s [approximately] 130 acquisitions that will not be integrated into the mother ship. And I think that bodes well for our customers, at least in the short term. Cisco is walking slowly in this market, mainly because it’s a bit different from some of the other security markets . . . it’s not just a piece of network gear, we’re selling services on top of the boxes we sell. Cisco’s plans, which have been publicly disclosed, are that IronPort is not going to be just another product line of Cisco. Cisco [intends to] ‘build a center of gravity’ around IronPort, so we’ll keep operating as an independent business unit, and the plan is potentially to bring in more acquisitions and products under the IronPort moniker.

So what does the acquisition mean for enterprise customers?

Cisco is very strong in the firewall/VPN area, and the firewall as a device does a really good job of locking all the doors. That said, there are two doors left wide open for communications, Port 80 and Port 25. I look at IronPort as saying ‘The doors are open, but now we’ve put a layer of airport security there – we’ve got a scanner, and we’re only letting in and out what’s needed.’ So on the Web port and e-mail port, that fills a more granular level of security for those communication holes.

A few acquisitions of messaging security companies have been made in the past year in addition to this one. Does that say something about where the function of e-mail security is headed? Is it meant to be integrated with other products and not a stand-alone product?

I do think e-mail and Web security may merge, or become different facets of a similar category. When you’re protecting against threats in your organization, whether they be viruses or spyware, they can come through either protocol. So, as the people putting these threats together become more sophisticated and start blending those threats, I think the defenses also need to be blended.

[Vendors] just doing e-mail will need to get into the Web business. When you [secure] what’s coming into the building and what’s leaving the building, the competencies you need are for both [Web and e-mail], so I think there are a lot of synergies there to be leveraged.

But you can take from the fact that Cisco wanted to keep us separate that we’re not going to be part of a switch or router or firewall per se, it’s just a different class of solution.

We’ve been hearing a lot lately about the importance of data-leak prevention; do you view the internal threat to be more dangerous to an enterprise than the external threat?

It differs by industry, just how threatening it is. If an employee really wants to take data, they can print it out, they can do it in [different] ways, and there’s just no way that you could stop them. To think you’re going to come up with a foolproof solution to a [determined] employee who wants to get data out of your company, I think that’s almost impossible.

But taking some prudent steps and looking at what’s leaving via e-mail or the Web is important, and increasingly being demanded by customers, especially in various segments such as financial. I don’t think it’s an industry-toppling problem, I think it’s more ‘I’d like to check that box and say we’re monitoring it.’ Not to say there aren’t instances . . . of intellectual property leaving the building.

After years of spam volumes declining, 2006 saw a significant increase in the amount of junk headed for in-boxes. What’s going on?

The rise in volume . . . is because more people are getting into the business, and the people that are in the business realize spam’s a money-maker. People have a profit motive to get into that business; it’s not just for fun, now you can really make some money. It’s a team-on-team sport, we [antispam vendors] try to field the best team and come up with defenses but . . .  the reality is these guys have test accounts on every major ISP; they’re like a dog with a zap collar, they keep trying the fence until they find a weakness and pound it unmercifully.

The weakness last year was image spam, which was really a difficult problem to solve. These guys figured out they could send an image and by randomizing a pixel they could make it through traditional spam filters. But it’s like airport security -- we weren’t having people take their shoes off until [Richard] Reid tried to blow one of his shoes up. We didn’t have to check our water, then someone figures out you can combine two liquids and make a bomb out of that, too. [Spammers] are innovative, and we’ve got to stay on top of them. When we see something new or different, we’ve got to plug that hole immediately. Things like [when] spammers figured out this past year that many spam filters rely on humans to write rules, and humans have to sleep and don’t typically work on Sunday nights, so they send all their spam between 2 and 4 AM, in a very short window, and it just zipped past all these folks. We see innovation [with the spammers] and we have to innovate as well.

What is the next set of features that communications-security vendors must add to their products to remain competitive and keep up with enterprises’ needs?

We just bought PostX; encryption by and large hasn’t been rolled out in e-mail, it seems absurd since for every important Web transaction we immediately go to a secure pipe, but everything in e-mail flies over the Internet in free text. I think authentication [for e-mail] is something people are starting to take seriously.

Image analysis is becoming increasingly interesting, watching what’s coming in and going out via images, since most images now are sent via e-mail.

You’ve been tracking spam for a long time. What’s your favorite spammer trick?

Every one is a little amusing. [For example] putting fake text in [a message] from books that might be Homer’s Odyssey. Antispam engines put a score on how spammy each e-mail is, if it has capital letters, if it has a link, there are many different vectors when trying to determine [spam]. One of my favorites is when the spammers put things [into messages] to improve their scores . . . to hoodwink the filters. It’s like dressing up in a disguise to get through airport security: ‘If I’m dressed as a police officer, maybe they won’t shake me down so much.’
