Wednesday, 9 April 2008

BorderWare claim: Amazing Reputation Filtering (RSA)

BorderWare is making a very interesting claim. It seems to be blocking an enormous proportion of its customers' inbound spam simply using IP reputation.

While most anti-spam vendors these days talk about blocking roughly 75% of the spam using IP reputation (basically a fancy word for DNSBLs), BorderWare's quoted statistic is 98.3%. Wow, that's a lot -- especially considering that the law of diminishing returns almost certainly applies.

This is a good thing because the more spam one can identify and block by reputation, the less spam content one has to examine using techniques such as Bayesian analysis, which are computationally "expensive".

But how does the company achieve such a high figure? By slashing the time taken for new entries to be added to its centralized reputation database (BSN, or "BorderWare Security Network" -- soon to be rebranded as "Reputation Authority").

These days, new zombie spam sources don't hang around to be detected; they start sending as soon and as fast as they can -- the botmasters have realized that a fresh, undetected spam source is far more effective than an old, known source. Minutes count; in fact, in the spam economy, time is money.
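A toy model of the listing-delay argument above, added here as an illustration; it is not code or data from BorderWare or from the original post. The addresses (documentation ranges), burst sizes and the rule "a fresh source is listed a fixed number of seconds after its first message" are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Source:
    ip: str          # constructed, RFC 5737 documentation range
    interval: float  # seconds between messages
    count: int       # messages sent in the observation window
    known: bool      # True if already listed before it starts sending

def blocked_by_reputation(sources, listing_delay):
    """Return (blocked, total) messages for a listing delay in seconds.

    Model assumption: a fresh source is listed listing_delay seconds after
    its first message; every later connection from it is rejected.
    """
    blocked = total = 0
    for s in sources:
        for i in range(s.count):
            total += 1
            # Message i leaves the source i * interval seconds after the first.
            if s.known or i * s.interval >= listing_delay:
                blocked += 1
    return blocked, total

def block_rate(sources, listing_delay):
    """Fraction of all messages rejected at connection time."""
    blocked, total = blocked_by_reputation(sources, listing_delay)
    return blocked / total

# Constructed sample: two fresh zombies that burst and one old, listed source.
SAMPLE = [
    Source("192.0.2.10", 1.0, 600, False),    # fresh zombie, 10-minute burst
    Source("198.51.100.7", 2.0, 900, False),  # fresh zombie, 30-minute burst
    Source("203.0.113.5", 60.0, 100, True),   # old source, already listed
]

if __name__ == "__main__":
    for delay in (3600, 600, 60, 5):
        rate = block_rate(SAMPLE, delay)
        print(f"listing delay {delay:>5}s -> {rate:.1%} blocked by reputation")
```

With this sample, an hour-long listing delay catches only the already-known source, while a delay of a few seconds catches nearly everything; whatever reputation misses falls through to the more expensive content analysis.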


tzink said...

98% is high... though not inconceivable depending on your mail stream.

At our place of business, IP-based blocks account for 90% of mail during the week, and higher than that on weekends. Getting an additional 8% might be tough but again, depending on your email stream it may be possible.

My gut feeling is that this is an exaggeration or selective data mining.

Devdas said...

We block between 92% and 97% on a given day (weekends tend to be closer to the 97%).

Going beyond that is hard, and tzink gets a lot more mail than we do.

At Outblaze, the blocking numbers were in the same range, so the people doing 75% blocking are probably doing badly (or get spam from whitelisted servers).

Ken Simpson said...

Wow, BorderWare's claim is impressive -- perhaps if they had admitted that the numbers came from one specific customer, they would be more believable.

Here is how things look for one of our customers on a recent day:

- 90% blocked by RBLs (Spamhaus, etc)
- 6% rejected by traffic shaping
- 2% rejected by content filtering

The last 2% is almost 100% legitimate, as judged by another high-end commercial content filter downstream.

In our experience, it's very difficult to get blocking better than 93% without doing some risky guesswork. Blocking 93% of connections might sound great, but with 150 billion spams a day flowing around the Internet, that last 7% can be very painful.

It's also difficult to just put a number out there -- like 98%. Spam volumes fluctuate wildly, as does the nature of spam sources.


