A great reputation

Early users are wowed by how well reputation services keep spam off the network.

How do you fight spam if words such as Viagra or sex are part of legitimate e-mail? If you're James Brady, e-mail administrator at Cedars-Sinai, a Los Angeles hospital, you turn to reputation services. The latest anti-spam weapon, reputation services analyze sender behavior, not e-mail content, to determine spam.

"Healthcare has a lot of terminology that might be considered spam - and no tolerance for false positives," he says, adding that the hospital's previous spam-fighting tool caused so many false positives that administrators yanked it out and just dealt with the junk mail.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

How do you fight spam if words such as Viagra or sex are part of legitimate e-mail? If you're James Brady, e-mail administrator at Cedars-Sinai, a Los Angeles hospital, you turn to reputation services. The latest anti-spam weapon, reputation services analyze sender behavior, not e-mail content, to determine spam.

"Healthcare has a lot of terminology that might be considered spam - and no tolerance for false positives," he says, adding that the hospital's previous spam-fighting tool caused so many false positives that administrators yanked it out and just dealt with the junk mail.

Brady now uses IronPort Systems' reputation-services appliance at the network's edge, as well as the Symantec BrightMail anti-spam add-on module. That gets him a second layer of reputation-services analysis plus traditional content filtering. With this three-layer approach, Cedars-Sinai catches more than 90% of 55,000-plus spam messages it receives daily, Brady says. The gateway appliance alone detects most of the spam with low false positives, at about one per 1 million, he says.

Reputation-services technology is powerful because it does what no other anti-spam offering can - drop the spam at the gateway before it clogs up servers and WAN links. At Cedars-Sinai, one-third of spam sent its way never gains entry to the network and e-mail server.

None the wiser

Vendors vary in their approaches, but in general reputation services profile the sender's behavior and thereby determine the likelihood that a message is legitimate or spam. For instance, if a high volume of messages come from the same IP address, the IP address doesn't accept mail in return, the country of origin is one where a lot of spammers operate and the sender began using the IP address that morning, the reputation service will smell a rat, says Tom Gillis, senior vice president for IronPort.

When the reputation service determines a message has a high likelihood of being spam, the device can respond in a couple of ways. If configured aggressively, it will drop the mail, and the e-mail server is none the wiser. Mark Fitzgerald, messaging and groupware operations manager at Key Corp., a financial-services company in Cleveland loves that option.

After some tweaking of his IronPort appliance, he found that "it has the ability to take a large chunk of the spam away at the perimeter," he says. Like Brady, Fitzgerald says a layered approach works best. With the BrightMail enterprise content-filtering system included on the device, he's stopping 98% of about 14 million spam messages received monthly. Fitzgerald now rarely touches the device. "We don't have to manage the reputation part of it all that much. Because of the way we have our rules set, and because our users have a zero-tolerance for false positives, we're fairly lenient. We'd rather let some questionable stuff through the perimeter and then let BrightMail deal with it," he says.