IBM’s approach to blocking spam

* Analysis of IBM’s FairUCE anti-spam filter

Last week, IBM introduced an anti-spam filter that it calls Fair Use of Unsolicited Commercial E-mail, or FairUCE.

The technology compares the domain of a message's sender address with the IP address of the host that actually delivered the message, checking whether that host is one the domain legitimately sends mail from. If the two do not match up, as happens when a sender address is spoofed or the message is sent from a zombie computer, for example, the e-mail is treated as suspect.

The sender of a suspect e-mail is then sent a challenge, and the message is held until the challenge is answered. E-mail that passes the identity check is processed through conventional whitelists and blacklists, and the sending domain's reputation is checked with a WHOIS lookup that determines how long the domain had been registered on the date it first sent e-mail to a recipient. IBM indicates that a future iteration of FairUCE will incorporate a more refined domain reputation system and a sender identification mechanism, possibly Sender Policy Framework (SPF); e-mail from SPF-enabled domains would then not be challenged.
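The decision flow just described, written out as a small Postfix-style policy check. This is an added illustration, not IBM's code: the DNS, WHOIS, whitelist and blacklist data are constructed inline tables standing in for live lookups, the 30-day age threshold and the mapping of verdicts onto Postfix policy actions are assumptions (the article gives neither), and the domain names and addresses are hypothetical.

```python
from datetime import date

# --- Constructed data (hypothetical, standing in for live DNS/WHOIS) ------
# Sender domain -> IPs that actually deliver its mail, i.e. what a live
# A/MX/PTR lookup for the domain would return.
SENDING_HOSTS = {
    "example.com": {"192.0.2.10", "192.0.2.11"},
    "example.net": {"198.51.100.5"},
    "new-startup.example": {"203.0.113.9"},
    "cheap-deals-now.example": {"203.0.113.77"},
}
# Sender domain -> WHOIS registration date.
WHOIS_CREATED = {
    "example.com": date(1995, 8, 14),
    "example.net": date(1995, 8, 14),
    "new-startup.example": date(2005, 3, 15),
    "cheap-deals-now.example": date(2004, 1, 9),
}
WHITELIST = {"partner@example.net"}
BLACKLIST_DOMAINS = {"cheap-deals-now.example"}
MIN_DOMAIN_AGE_DAYS = 30  # assumed threshold; the article gives none

# Verdict -> Postfix policy action. Assumed mapping: a challenged message
# is deferred while the challenge to its sender is outstanding.
ACTIONS = {"accept": "DUNNO", "reject": "REJECT", "challenge": "DEFER_IF_PERMIT"}


def parse_policy_request(text):
    """Parse a Postfix policy-delegation request: key=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def sender_domain(address):
    return address.rpartition("@")[2].lower()


def domain_matches_client(domain, client_ip):
    """Identity check: is the connecting host one that sends mail for the claimed domain?"""
    return client_ip in SENDING_HOSTS.get(domain, set())


def domain_age_days(domain, today):
    """Age of the domain per WHOIS; unknown domains count as brand new."""
    created = WHOIS_CREATED.get(domain)
    return (today - created).days if created else 0


def classify(sender, client_ip, today):
    """Return (verdict, reason) following the article's order of checks."""
    domain = sender_domain(sender)
    # 1. Identity first: a spoofed or zombie-sent message is challenged
    #    before any whitelist can be consulted, so a forged whitelisted
    #    address does not get a free pass.
    if not domain_matches_client(domain, client_ip):
        return "challenge", "sender domain does not match delivering host"
    # 2. Conventional lists.
    if sender.lower() in WHITELIST:
        return "accept", "whitelisted sender"
    if domain in BLACKLIST_DOMAINS:
        return "reject", "blacklisted domain"
    # 3. Domain reputation by age (what a young domain triggers is assumed).
    if domain_age_days(domain, today) < MIN_DOMAIN_AGE_DAYS:
        return "challenge", "domain registered less than %d days ago" % MIN_DOMAIN_AGE_DAYS
    return "accept", "sender identity verified"


def policy_response(request_text, today):
    """Turn a policy request into the 'action=...' reply Postfix expects."""
    attrs = parse_policy_request(request_text)
    verdict, reason = classify(attrs.get("sender", ""), attrs.get("client_address", ""), today)
    return "action=%s %s\n\n" % (ACTIONS[verdict], reason)


if __name__ == "__main__":
    today = date(2005, 3, 28)
    # A zombie at a consumer address forging a real user's sender address.
    print(policy_response(
        "request=smtpd_access_policy\nsender=alice@example.com\nclient_address=10.0.0.23\n\n", today))
```

The ordering is the security-relevant part: whitelists are consulted only after the delivering host has been tied to the claimed domain, otherwise a spammer who knows a whitelisted address could spoof it from a zombie and bypass everything else.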

Currently, FairUCE runs only on Postfix on Linux servers, although Sendmail and QMail are also being considered for future versions of the filter.

FairUCE is designed to counter spoofing (a common spammer technique) and phishing. The filter is being marketed as a more efficient method of blocking spam: because it decides on sender identity before looking at the message body, it consumes less bandwidth and less processing than filtering techniques that must scan message content.

As I see it, FairUCE will be useful in reducing the amount of spam that reaches messaging users. However, there are three problems with the approach.

First, challenge/response systems are not for everyone. Legitimate senders who receive a challenge (admittedly a relatively small percentage of legitimate senders) might not respond, and a challenge sent to an automated sender such as an order confirmation or mailing-list system will never be answered. For customer-facing organizations that receive orders, inquiries and the like via e-mail, losing these customer communications simply because the sender doesn't like a challenge poses a serious risk.

Second, the current domain reputation system simply looks up a domain's age at the point it first sends e-mail to a recipient. While many spammers register a domain and then immediately blast e-mail from it, older domains can do the same thing, whether because they are bought, compromised or simply owned by a patient spammer, so age alone is a weak signal and this form of domain reputation analysis is less than optimal.

Third, if e-mail comes from a zombie, it will be challenged, and the challenge goes to whatever sender address the zombie put on the message. That address is either the unwitting victim of the Trojan horse that made the computer a zombie in the first place or, more often, an innocent third party whose address was forged, so the system generates a stream of unwanted challenge e-mail (backscatter) to people who never sent anything.

Overall, FairUCE should be a useful tool, but the enhancements that IBM is planning - such as support for a wider variety of message transfer agents and better domain reputation analysis - will make FairUCE more useful.

Learn more about this topic

IBM releases FairUCE anti-spam technology

IDG News Service, 03/22/05

Copyright © 2005 IDG Communications, Inc.
