Not your typical spam fighters

The Food and Drug Administration is like many other federal agencies: It's a complex organization with eight operating divisions and 14,000 end users, each with a different set of IT needs. And like most agencies, it has long been the target of e-mail spammers.'We didn't have a way to measure it quantitatively,' said FDA's chief information security officer Kevin Stine. 'But from the user frustration we knew there was a problem.'That problem not only wasted workers' time, but it also pulled IT staff off more critical work. Plus it was a growing security threat, as over time spam morphed into a distribution channel for malicious code.But blocking unwanted e-mail at FDA is actually more complicated than at many other agencies. To FDA workers, some spam looks like regular daily correspondence. As a result, Stine and his group needed more than your average filter.'A lot of the products FDA regulates are the subjects of spam e-mails. A lot of the key words you see in spam are words that FDA uses on a regular basis,' Stine said. Specifically, words like 'Viagra' and 'Cialis' often need to get through, so the most commonly used techniques for filtering spam won't work well at FDA.'But we didn't have any automated solution,' Stine said. There were filters at the server level to block files and deny executable attachments, but they didn't adequately address the spam problem. 'It wasn't uncommon for users to get 20 or 30 spam e-mails a day in their mailboxes.'With that in mind, the agency started researching the anti-spam market in the summer of 2004. Stine said he wanted spam reduction, but with a low false-positive rate, meaning the solution shouldn't incorrectly block too many legitimate messages.After evaluating several vendors, FDA chose systems from IronPort Systems Inc. of San Bruno, Calif. IronPort makes security appliances that use a sender-reputation filter as a first line of defense, eliminating the need to rely on keyword filtering. In other words, the technology looks more closely at who sent the message than what the message says.'We liked the idea of reputation scoring,' Stine said. 'That significantly reduced the risk of getting false positives.'FDA now has a pair of IronPort C600 appliances that examine and filter as many as 150,000 in-bound e-mails a day, blocking about 40,000 of them. The good Viagra messages are getting through, while the bad ones are being blocked.'We haven't identified any false positives' in more than a year of operation, Stine said. The C600 is IronPort's enterprise model, designed for service providers and enterprises with more than 10,000 users, capable of filtering up to 500,000 messages an hour. The distinguishing feature of the C-series appliances is the reputation filter, which lets users block traffic from known or suspected spammers without having to inspect content.The filter uses IronPort's SenderBase monitoring service, which gathers data on traffic from 100,000 organizations using the company's e-mail appliances. It evaluates 110 attributes on an estimated 30 percent of the world's e-mails, including:'Every single piece of information we can gather,' said Thomas R. Topping, IronPort's federal sales manager.Based on the patterns identified in this data, each source IP address is scored on a 200-point scale, ranging from 10 for the best reputations to negative-10 for the worst.Users can set filter policies to deal with each message based on the score of the source address. Each address can be allowed through, blocked, quarantined or sent on for further inspection, as appropriate.The reputation filter can stop up to 80 percent of spam based on scores alone.'Reputation filter was a big piece for the FDA,' Topping said. 'This was important to the FDA because they never have to look at it. They have already established it's from a bad guy and they block it.'In addition to the reputation filter, the appliance incorporates Brightmail anti-spam technology from Symantec Corp. of Cupertino, Calif. Symantec uses a system of honeypots to trap and identify spam. Brightmail can block known spam using this data, without relying on keyword scans.That said, the IronPort appliance does have a content scanning engine that can enforce regulatory and acceptable use policies, as well as an antivirus filter from Sophos AntiVirus Inc. of Wakefield, Mass. It also provides tools for central monitoring and management of e-mail traffic.FDA is able to manage its e-mail stream with a single C600 box, using the second appliance for redundancy.'How many you use is partly a function of mail volume, and partly a function of network architecture,' Topping said.Other factors include the number of filters being used and the amount of scanning required.'The more you look at it, the more CPU cycles you need,' Topping said.According to Stine, FDA began a phased deployment of IronPort's capabilities in August 2004. 'As we gained more confidence, we geared up to rolling out to the whole agency.'Each appliance can handle multiple filtering policies for different divisions within the organization. It also integrates with directories to create rules and exceptions for individual users.Before deployment, the CISO explained to end uses exactly what was being done and why. This, and the evaluation done prior to rollout, resulted in a smooth deployment.'We did a lot of our homework up front, so we had a level of confidence going into the physical rollout,' Stine said. 'The way the tool is deployed is transparent.'The results, however, have been highly visible. Computer users are happier and spend time deleting spam; the IT staff devotes more of its time to more important issues; and there have been fewer infections and outbreaks of malicious code within the agency.'We've blocked about 11 million unwanted e-mails in the last year,' Stine said. 'And we've realized other benefits.'