
How to Implement a Reputation-Based, Network Edge eMail Security System

June 02, 2009 - CIO.com

American Internet Services, which provides data center and co-location services, manages more than 14,000 unique email boxes for our customers and our own internal email, using 11 email servers.

Our problem was spam and all kinds of other email junk like phish mail and viruses that were slowing down email delivery, sometimes by as much as an hour. Customers were complaining and some were leaving us, so the issue had become business critical.

Of course, each of our email servers had the latest spam filters and antivirus software packages. But what comes with all that is a lot of extra overhead, as it takes time to check each email coming through our servers no matter how powerful their processors.

The other thing in the back of our minds was knowing that even though we keep our servers updated with the latest preventative measures, the bad guys are likely PhD-level engineers who hack for a living and are just as up-to-date on all those preventative measures. So too much spam was still getting through, which also bothered our customers because our job is to block it.

Changing the Model

One solution was to add more hardware and software, but that was like building our protective ramparts higher and higher while spammers would just make their catapults more and more powerful.

Instead we learned of another approach that took a whole different direction. Its basic idea is to add security intelligence on the very edge of the network that takes into account the email sender's reputation as a key factor in categorizing and managing inbound email.

This "first cut" would theoretically reduce the email that passes on for further inspection and processing by our email servers. By dropping known spam before it reaches our email servers, we'd save their processing power for the trickier malware, which is a much better use of their capabilities.

Sender Reputation Is Key

We got our IT engineering team together to brainstorm other possible alternatives, but decided that the reputation-based, network-edge email security system really had no peer. We chose the BIG-IP® Message Security Module™ (MSM) from F5 Networks, as we already had F5's BIG-IP® Local Traffic Manager™ to help us manage our network.

MSM operates by managing and distributing an incoming SMTP email connection according to the sender's reputation. Using Secure Computing's TrustedSource™ IP reputation-scoring database, it combines traffic data, whitelists, blacklists, and outbreak detection in one package. The database is the only reputation engine able to provide numerical scoring for every IP address across the Internet and updated in real time, so it's extremely accurate and has virtually no false positives.

Because MSM relies on the sender's real-time reputation, it can deny the SMTP connection rather than taking the time to inspect the message content itself. By doing so, the message doesn't even get sent, so MSM can process millions of email connections an hour.

This takes a huge load off our email servers. In fact, when we set up MSM, we saw an immediate 60 percent drop in our incoming email volume. Even better, our customers noticed, too. Some even called to thank us. And we have seen a noticeable drop in customer complaints.

Implementation Recommendations

Deployment of MSM was straightforward and took just a day, but the steps leading up to its deployment and immediately after are important to note:

  1. Determine the scoring parameters, from questionable to most trusted, for email for which MSM does allow SMTP connections. Your email servers can then allow email from the most trusted sources to pass through with minimal spam, phishing, and antivirus processing, while subjecting more questionable email to greater (and more time-consuming) scrutiny.
  2. Set thresholds in MSM to reflect those parameters using its scripting capabilities. MSM uses F5's iRules, which are based on Tcl (Tool Command Language), so my engineering team members can create and customize policies that incorporate those parameters.
  3. Examine the thresholds and refine them immediately after deployment and periodically thereafter. This way you can synchronize your MSM parameters with the malware-recognition capabilities of your email servers. For example, if you're finding too much questionable email is getting through, then you can tighten the SMTP connection-denial parameters of MSM. Two obvious ways to gain the necessary feedback to tweak the parameters are to assess the relative mail-processing volumes over time and to measure the complaints of your email recipients, both internal and external. (Of course, you'd want to keep that latter metric to a minimum.)
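The three steps above (define score bands, turn them into a connection policy, then tune the bands from observed volumes) are easier to reason about in code. The following Python simulation is an added example written for this article; it is not F5 iRules or MSM configuration and does not reproduce the TrustedSource scale. The 0..100 score range, the band thresholds, the sample IP addresses and their scores are all constructed here to show the shape of the policy: refuse the connection outright for the worst reputations, pass the best through with minimal scanning, and hand everything in between to the mail servers for full content inspection.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Actions the edge device can take on an inbound SMTP connection.
DENY = "deny"        # refuse at connect time; the message is never transmitted
INSPECT = "inspect"  # accept and route to full spam/phish/AV scanning
TRUST = "trust"      # accept and route with minimal scanning

BANNER = "220 mx.example.net ESMTP"  # assumed hostname for the example


@dataclass(frozen=True)
class EdgePolicy:
    """Reputation bands plus local overrides.

    Scores are an assumed 0..100 scale (higher = better reputation);
    they are not TrustedSource's real scoring and exist only for illustration.
    """
    deny_below: int = 30          # refuse connections scoring below this
    trusted_at: int = 80          # minimal scanning at or above this
    allow_nets: tuple = ()        # local whitelist (CIDR strings), always trusted
    block_nets: tuple = ()        # local blacklist (CIDR strings), always denied


def in_any(ip, nets):
    """True if the address falls inside any of the CIDR ranges."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in nets)


def decide(ip, score, policy):
    """Return (action, SMTP reply) for one inbound connection.

    Local lists win over the reputation score; an unknown sender (score None)
    is never trusted blindly and goes to full inspection instead.
    """
    if in_any(ip, policy.block_nets):
        return DENY, "554 5.7.1 Connection refused: local blacklist"
    if in_any(ip, policy.allow_nets):
        return TRUST, BANNER
    if score is None:
        return INSPECT, BANNER
    if score < policy.deny_below:
        return DENY, "554 5.7.1 Connection refused: sender reputation"
    if score >= policy.trusted_at:
        return TRUST, BANNER
    return INSPECT, BANNER


def summarize(connections, policy):
    """Volume feedback for tuning: how much is dropped at the edge vs. forwarded."""
    counts = Counter(decide(ip, score, policy)[0] for ip, score in connections)
    total = len(connections)
    return {
        "counts": dict(counts),
        "dropped_at_edge": counts[DENY] / total,
        "to_servers": total - counts[DENY],
    }


# Constructed sample: (sender IP, reputation score) pairs using documentation
# address ranges. None marks an IP the reputation database has no entry for.
SAMPLE_CONNECTIONS = [
    ("198.51.100.10", 5),
    ("198.51.100.11", 12),
    ("198.51.100.12", 28),
    ("203.0.113.5", 45),
    ("203.0.113.6", 60),
    ("203.0.113.7", 79),
    ("192.0.2.1", 85),
    ("192.0.2.2", 99),
    ("192.0.2.3", None),      # whitelisted, so trusted despite no score
    ("203.0.113.200", 95),    # good score, but on the local blacklist
]

DEFAULT_POLICY = EdgePolicy(
    allow_nets=("192.0.2.0/24",),
    block_nets=("203.0.113.200/32",),
)

if __name__ == "__main__":
    for ip, score in SAMPLE_CONNECTIONS:
        action, reply = decide(ip, score, DEFAULT_POLICY)
        print(f"{ip:15} score={score!s:4} -> {action:7} {reply}")
    print(summarize(SAMPLE_CONNECTIONS, DEFAULT_POLICY))
```

Tightening step 3 is then a matter of raising `deny_below` and re-running `summarize` over a recent connection sample: the `dropped_at_edge` fraction rises and `to_servers` falls, which is the volume metric the article recommends watching, while the complaint metric has to come from the recipients themselves.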

Summary

One definition of insanity is to do the same thing over and over but expect a different result each time. Taking the totally different approach of a reputation-based, network edge email security system has kept us sane here at AIS, and has helped make our customers much happier by stopping two-thirds of their spam before it even gets sent to our servers.

About the Author

As AIS' Chief Technology Officer, Richard Sears manages all technology aspects of AIS' data centers. His responsibilities include supervising network engineers, programmers and the technical support department, as well as identifying and implementing the latest technologies to keep AIS on the cutting-edge of data communications and Internet technology. His work ensures AIS clients receive maximum uptime, reliability and network speed. In addition, Sears manages AIS' internal voice and data networks and assists the CEO in evaluating acquisitions from an engineering and technical standpoint. Sears founded WebCC, an Internet Service Provider, in 1994 and was the President of the company until it was purchased by ACC in 2000.