Not your typical spam fighters

 

Keyword filtering wasn't the answer to FDA's spam problems, so the agency found a solution that did much more.

The Food and Drug Administration is like many other federal agencies: It's a complex organization with eight operating divisions and 14,000 end users, each with a different set of IT needs. And like most agencies, it has long been the target of e-mail spammers.

"We didn't have a way to measure it quantitatively," said FDA's chief information security officer Kevin Stine. "But from the user frustration we knew there was a problem."

That problem not only wasted workers' time, but it also pulled IT staff off more critical work. Plus it was a growing security threat, as over time spam morphed into a distribution channel for malicious code.

But blocking unwanted e-mail at FDA is actually more complicated than at many other agencies. To FDA workers, some spam looks like regular daily correspondence. As a result, Stine and his group needed more than your average filter.

"A lot of the products FDA regulates are the subjects of spam e-mails. A lot of the key words you see in spam are words that FDA uses on a regular basis," Stine said. Specifically, words like "Viagra" and "Cialis" often need to get through, so the most commonly used techniques for filtering spam won't work well at FDA.

"But we didn't have any automated solution," Stine said. There were filters at the server level to block files and deny executable attachments, but they didn't adequately address the spam problem. "It wasn't uncommon for users to get 20 or 30 spam e-mails a day in their mailboxes."

With that in mind, the agency started researching the anti-spam market in the summer of 2004. Stine said he wanted spam reduction, but with a low false-positive rate, meaning the solution shouldn't incorrectly block too many legitimate messages.

After evaluating several vendors, FDA chose systems from IronPort Systems Inc. of San Bruno, Calif. IronPort makes security appliances that use a sender-reputation filter as a first line of defense, eliminating the need to rely on keyword filtering. In other words, the technology looks more closely at who sent the message than what the message says.

"We liked the idea of reputation scoring," Stine said. "That significantly reduced the risk of getting false positives."

The good Viagra gets through

FDA now has a pair of IronPort C600 appliances that examine and filter as many as 150,000 in-bound e-mails a day, blocking about 40,000 of them. The good Viagra messages are getting through, while the bad ones are being blocked.

"We haven't identified any false positives" in more than a year of operation, Stine said. The C600 is IronPort's enterprise model, designed for service providers and enterprises with more than 10,000 users, capable of filtering up to 500,000 messages an hour. The distinguishing feature of the C-series appliances is the reputation filter, which lets users block traffic from known or suspected spammers without having to inspect content.

The filter uses IronPort's SenderBase monitoring service, which gathers data on traffic from 100,000 organizations using the company's e-mail appliances. It evaluates 110 attributes on an estimated 30 percent of the world's e-mails, including:

  • The volume and pattern of mail from the sender

  • Complaints of spamming made against the sender

  • Whether the IP address of the sender matches the domain of the sender's URL.

"Every single piece of information we can gather," said Thomas R. Topping, IronPort's federal sales manager.

Based on the patterns identified in this data, each source IP address is scored on a 200-point scale, ranging from 10 for the best reputations to negative-10 for the worst.

Users can set filter policies to deal with each message based on the score of the source address. Each address can be allowed through, blocked, quarantined or sent on for further inspection, as appropriate.

The reputation filter can stop up to 80 percent of spam based on scores alone.

"Reputation filter was a big piece for the FDA," Topping said. "This was important to the FDA because they never have to look at it. They have already established it's from a bad guy and they block it."

In addition to the reputation filter, the appliance incorporates Brightmail anti-spam technology from Symantec Corp. of Cupertino, Calif. Symantec uses a system of honeypots to trap and identify spam. Brightmail can block known spam using this data, without relying on keyword scans.

That said, the IronPort appliance does have a content scanning engine that can enforce regulatory and acceptable use policies, as well as an antivirus filter from Sophos AntiVirus Inc. of Wakefield, Mass. It also provides tools for central monitoring and management of e-mail traffic.

FDA is able to manage its e-mail stream with a single C600 box, using the second appliance for redundancy.

"How many you use is partly a function of mail volume, and partly a function of network architecture," Topping said.

Other factors include the number of filters being used and the amount of scanning required.

"The more you look at it, the more CPU cycles you need," Topping said.

Rolling out across offices

According to Stine, FDA began a phased deployment of IronPort's capabilities in August 2004. "As we gained more confidence, we geared up to rolling out to the whole agency."

Each appliance can handle multiple filtering policies for different divisions within the organization. It also integrates with directories to create rules and exceptions for individual users.

Before deployment, the CISO explained to end users exactly what was being done and why. This, and the evaluation done prior to rollout, resulted in a smooth deployment.

"We did a lot of our homework up front, so we had a level of confidence going into the physical rollout," Stine said. "The way the tool is deployed is transparent."

The results, however, have been highly visible. Computer users are happier and spend less time deleting spam; the IT staff devotes more of its time to more important issues; and there have been fewer infections and outbreaks of malicious code within the agency.

"We've blocked about 11 million unwanted e-mails in the last year," Stine said. "And we've realized other benefits."

Inside the Project: Anti-Spam

Challenge: The Food and Drug Administration had a unique spam problem: Many unwanted messages looked a lot like legitimate e-mail. The agency needed a way, for instance, of keeping out frivolous Viagra offers while letting through genuine Viagra correspondence.

Solution: Traditional keyword-based spam filtering didn't fit the bill for FDA. So the agency found a spam technology from IronPort Systems that relies heavily on filtering mail based on the people or groups who sent it.

Mission Benefit: In its first year using the IronPort anti-spam appliances, FDA had exactly zero false positives (legitimate messages erroneously flagged as spam). The system examines as many as 150,000 e-mails a day and blocks about 40,000 of them. Workers don't have to waste time handling spam, IT workers can concentrate on other projects and the FDA network is more secure because potentially malicious messages are kept away.

Lessons learned: FDA's IT security shop was careful to lay the groundwork for the implementation, paying attention both to the needs of its IT users and the technology it selected to protect e-mail. "We were sensitive to the fact that we wanted to bring this in gradually," said CISO Kevin Stine.

Stine's advice to other agencies taking a fresh look at their anti-spam programs:

  • "Really understand your mission and the information you are trying to protect." Each agency has unique needs. Unlike many other agencies, FDA actually wants to get e-mail with words like "Viagra" in the subject line.

  • Listen to the user community. Knowing what their headaches are can help ease your own. Each call to the help desk drains resources that are needed elsewhere.

  • Do your homework and understand the technology you're considering. Contact references who can give you their real-world experiences in rolling out a product in a production environment.

- William Jackson

FDA security officer Kevin Stine chose IronPort C600 appliances that examine and filter as many as 150,000 in-bound e-mails a day, blocking about 40,000 of them. As a result, the "good" Viagra messages are getting through, while the "bad" ones are being blocked.
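The article's contrast between keyword filtering and score-based sender policies (allow, block, quarantine or further inspection by source-IP reputation on the negative-10 to 10 scale) can be seen in a short added example; it is not IronPort's code. The thresholds, keyword list, IP addresses, scores and messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Assumed cut-offs on the -10..10 scale; the article names the four
# actions but gives no thresholds, so these are illustrative only.
POLICY = [(-3.0, "block"), (-1.0, "quarantine"), (2.0, "inspect")]
KEYWORDS = {"viagra", "cialis"}  # what a naive keyword filter would ban

@dataclass
class Message:
    source_ip: str
    subject: str
    is_spam: bool  # ground truth, used only to count filter errors

# Constructed reputation table (documentation IP ranges, invented scores).
REPUTATION = {"198.51.100.7": 7.2, "198.51.100.8": 5.1,
              "203.0.113.50": -8.5, "203.0.113.51": -9.0}

# Constructed sample traffic for an agency that regulates these products.
MESSAGES = [
    Message("198.51.100.7", "Viagra labeling supplement review", False),
    Message("198.51.100.8", "Cialis adverse event report", False),
    Message("203.0.113.50", "Cheap Viagra, no prescription", True),
    Message("203.0.113.51", "Limited offer, act now", True),
    Message("192.0.2.99", "Question about a drug application", False),
]

def reputation_action(msg, default_score=0.0):
    """Pick an action from the sender's score alone; content is never read."""
    score = REPUTATION.get(msg.source_ip, default_score)
    for ceiling, action in POLICY:
        if score < ceiling:
            return action
    return "allow"

def keyword_action(msg):
    """Block any message whose subject contains a banned word."""
    words = set(re.findall(r"[a-z]+", msg.subject.lower()))
    return "block" if words & KEYWORDS else "allow"

def evaluate(filter_fn, messages):
    """Return (false_positives, missed_spam) for a filter over the sample."""
    fp = sum(1 for m in messages if not m.is_spam and filter_fn(m) == "block")
    missed = sum(1 for m in messages if m.is_spam and filter_fn(m) == "allow")
    return fp, missed

if __name__ == "__main__":
    print("keyword   :", evaluate(keyword_action, MESSAGES))
    print("reputation:", evaluate(reputation_action, MESSAGES))
```

The unknown sender in the sample has no score, so it falls back to the neutral default and is sent on for inspection rather than blocked or delivered unchecked.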





