How do you fight spam if words such as Viagra or sex are part of legitimate e-mail? If you're James Brady, e-mail administrator at Cedars-Sinai, a Los Angeles hospital, you turn to reputation services. The latest anti-spam weapon, reputation services analyze sender behavior, not e-mail content, to determine spam.
"Healthcare has a lot of terminology that might be considered spam - and no tolerance for false positives," he says, adding that the hospital's previous spam-fighting tool caused so many false positives that administrators yanked it out and just dealt with the junk mail.

Brady now uses IronPort Systems' reputation-services appliance at the network's edge, as well as the Symantec BrightMail anti-spam add-on module. That gets him a second layer of reputation-services analysis plus traditional content filtering. With this three-layer approach, Cedars-Sinai catches more than 90% of the 55,000-plus spam messages it receives daily, Brady says. The gateway appliance alone detects most of the spam with low false positives, at about one per 1 million, he says.
Reputation-services technology is powerful because it does what no other anti-spam offering can - drop the spam at the gateway before it clogs up servers and WAN links. At Cedars-Sinai, one-third of spam sent its way never gains entry to the network and e-mail server.
Vendors vary in their approaches, but in general reputation services profile the sender's behavior and thereby determine the likelihood that a message is legitimate or spam. For instance, if a high volume of messages comes from the same IP address, the IP address doesn't accept mail in return, the country of origin is one where a lot of spammers operate and the sender began using the IP address that morning, the reputation service will smell a rat, says Tom Gillis, senior vice president for IronPort.
When the reputation service determines a message has a high likelihood of being spam, the device can respond in a couple of ways. If configured aggressively, it will drop the mail, and the e-mail server is none the wiser. Mark Fitzgerald, messaging and groupware operations manager at Key Corp., a financial-services company in Cleveland, loves that option.
After some tweaking of his IronPort appliance, he found that "it has the ability to take a large chunk of the spam away at the perimeter," he says. Like Brady, Fitzgerald says a layered approach works best. With the BrightMail enterprise content-filtering system included on the device, he's stopping 98% of about 14 million spam messages received monthly. Fitzgerald now rarely touches the device. "We don't have to manage the reputation part of it all that much. Because of the way we have our rules set, and because our users have a zero-tolerance for false positives, we're fairly lenient. We'd rather let some questionable stuff through the perimeter and then let BrightMail deal with it," he says.
Even if the sender's reputation is not clearly good or bad, these appliances can help. The IronPort device, for example, throttles down the volume of messages it allows to pass to the e-mail server, Gillis says. If a sender is trying to send 100 messages and a sender's reputation is questionable, the IronPort device can be set to accept, say, 10 messages, returning a busy server error for the rest. Legitimate mail servers will attempt to resend the mail, while a spammer's zombie typically will not. In this way, the mortgage spam is blocked, but the mortgage newsletter lands in the subscriber's in-box.
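The scoring, drop and throttle behavior described above can be modeled in a few lines. This is an added example, not code from the article or from any vendor; the signal weights, score thresholds, reply codes (250, 451, 554) and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Weights, thresholds and reply codes are constructed for illustration;
# they are not IronPort's or any other vendor's actual values.
@dataclass
class Sender:
    ip: str
    msgs_per_hour: int
    accepts_mail: bool       # does the IP accept mail in return?
    spam_heavy_origin: bool  # country where many spammers operate
    ip_age_hours: float      # how long the sender has used this IP

def reputation(s: Sender) -> int:
    """Score from 0 (no bad signals) down to -10 (all four present)."""
    score = 0
    score -= 3 if s.msgs_per_hour > 1000 else 0
    score -= 3 if not s.accepts_mail else 0
    score -= 2 if s.spam_heavy_origin else 0
    score -= 2 if s.ip_age_hours < 24 else 0
    return score

def action(score: int, aggressive: bool) -> str:
    if score <= -8:
        return "drop" if aggressive else "throttle"
    return "throttle" if score <= -3 else "accept"

class Gateway:
    def __init__(self, limit: int = 10, aggressive: bool = True):
        self.limit, self.aggressive, self.seen = limit, aggressive, {}

    def new_window(self) -> None:
        self.seen.clear()    # rate counters reset each time window

    def receive(self, s: Sender) -> int:
        """Return an SMTP-style reply code for one delivery attempt."""
        act = action(reputation(s), self.aggressive)
        if act == "drop":
            return 554       # refused at the perimeter
        if act == "throttle":
            if self.seen.get(s.ip, 0) >= self.limit:
                return 451   # temporary failure: sender should retry later
            self.seen[s.ip] = self.seen.get(s.ip, 0) + 1
        return 250

def deliver(gw: Gateway, s: Sender, count: int, retry_rounds: int) -> int:
    """Messages accepted when the sender retries deferrals retry_rounds times."""
    pending, delivered = count, 0
    for _ in range(retry_rounds + 1):
        gw.new_window()
        ok = sum(gw.receive(s) == 250 for _ in range(pending))
        delivered, pending = delivered + ok, pending - ok
    return delivered
```

A throttled sender that queues and retries eventually gets all 100 messages through, while one that never retries stops at the first 10, which are then left to the content-filtering layer.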
Even without an extremely aggressive configuration, reputation-service devices detect 60% to 75% of the spam at the gateway, dropping 30% to 40% of it outright, says Charlie Gautreaux, server administrator for Charlotte Pipe and Foundry in Charlotte, N.C.
Before letting CipherTrust's IronMail gateway appliance loose to kill spam, Gautreaux examined all the suspicious mail it quarantined, then looked at the mail that was later forwarded. This helped him determine what reputation rating would generate the fewest false positives. It also gave him confidence that the mail with a high spam rating was junk and could be deleted.
CipherTrust "combines data from billions of messages per month and analyzes behavior attributes such as traffic data, whitelists, blacklists and network characteristics to determine each sender's reputation," Gautreaux says. "Reputation services is certainly a more intelligent way of fighting spam and one that will supersede standard dictionary and content-based filtering," he concludes. "This is particularly true as the volumes increase and the attack mechanisms become more sophisticated."