Spam & Virus Filtering
WVNET – Your First Line of Defense
A generally accepted estimate is that about 99.8% of all computer virus infections come from e-mail. Our experience indicates that between one and two percent of all e-mail is infected.
The computer industry has developed two approaches to virus filtering: one at the PC level and one at the enterprise level.
PC-level protection requires that you install and maintain virus prevention software on every PC. The advantage of this solution is that it not only protects against e-mail infection but also infection from floppy disks, FTP files, etc. However, this approach can also be expensive and very difficult to maintain. The problem is keeping every PC updated. A user may opt to buy virus protection software but end up not keeping it up to date with the latest “signature files,” which describe new viruses.
The second approach is to install an enterprise e-mail filter, which looks at all of the e-mail going to one or more e-mail servers. WVNET is currently running this type of virus filtering. The way virus filtering is done on an enterprise server is that each message is broken apart (decoded); the individual files are scanned and removed if infected (or disinfected, if possible); and the message is re-created and sent on its way.
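The decode, scan, remove and re-create steps described above can be sketched as follows. This is an added example, not WVNET's software: the SHA-256 lookup stands in for a commercial engine's signature matching, and the addresses, filenames, payload and signature name are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample: a harmless payload standing in for an infected file.
BAD_PAYLOAD = b"CONSTRUCTED-TEST-PAYLOAD-NOT-A-REAL-VIRUS"
# Hypothetical "signature table": SHA-256 digests of known-bad files.
SIGNATURES = {hashlib.sha256(BAD_PAYLOAD).hexdigest(): "Test.Sample.A"}


def build_sample() -> bytes:
    """Constructed inbound message with one clean and one flagged attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.edu"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attachments.")
    msg.add_attachment(b"plain notes", maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    msg.add_attachment(BAD_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="report.exe")
    return msg.as_bytes()


def filter_message(raw: bytes):
    """Break the message apart, scan each file, and re-create the message."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold no file data of their own
        data = part.get_payload(decode=True) or b""  # undo base64 / quoted-printable
        name = SIGNATURES.get(hashlib.sha256(data).hexdigest())
        if name:
            filename = part.get_filename() or "(unnamed)"
            removed.append((filename, name))
            # set_content() clears the old payload and Content-* headers first,
            # so the infected file is replaced by a plain-text notice.
            part.set_content(f"Attachment {filename} removed: matched {name}.\n")
    return msg.as_bytes(), removed


def filenames(raw: bytes):
    """Attachment filenames present in a raw message, in order."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]
```

Scanning the decoded bytes rather than the raw message matters here: the attachment travels base64-encoded, so a match against the undecoded text would miss it.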
WVNET filters all e-mail coming to any of our e-mail domains (currently about 20). WVNET is also filtering e-mail for the Department of Education, West Liberty State College, Glenville State College, Bluefield State College, the West Virginia Treasurer’s Office, and AEL.
The enterprise e-mail filter provided by WVNET protects an institution/agency from external virus infection. It does not protect against infection of one internal user by another internal user. To protect against this type of problem requires the redirecting of internal mail to WVNET for filtering. If you are interested in this additional level of protection, WVNET staff can discuss the pros and cons with you.
In the case of the Department of Education, we are filtering e-mail for about 800 K-12 schools. An enterprise e-mail filter has the advantage that it can be maintained at one location, and it protects against the source of approximately 99.8% of all viruses. The virus filtering software we use has been recognized as one of the best available. We get updated virus signatures for any new viruses every hour. Since we started running this product, we have discovered that by the time the press is discussing a virus or we get a warning from the state, we have already been filtering the virus.
There is nothing wrong with using both approaches (i.e., both desktop and enterprise filtering). In fact, many experts recommend that you do this for those administrative PCs over which you have greater control.
WVNET has discovered that more than half of all e-mail coming to our e-mail server is unsolicited advertising called “SPAM.” This flood of unwanted e-mail is not just annoying for the user — it also places a heavy burden on e-mail servers, which handle all of the mail. By putting in place SPAM filters, WVNET has cut the traffic to our e-mail server in half.
One problem with SPAM filtering is that although most users love to have you remove SPAM, there are a few users who want to receive some SPAM. One person’s SPAM is another person’s favorite e-mail. WVNET does maintain a list of “good” SPAM sites. For example, the Powerball Lottery can e-mail you the latest winning numbers. This was originally flagged by our filter as being SPAM. As soon as we were told that users wanted this e-mail, that they had signed up to receive it, and that the Lottery e-mail server wasn’t being used for other SPAM, we exempted the lottery site from the SPAM filter. We are always willing to look at particular e-mail servers and exempt them, as long as they are not being used to flood SPAM to the majority of users.
Three Approaches to SPAM Filtering
There are three approaches to SPAM filtering, and WVNET is using all three.
The first approach is the oldest, and it is used by about 90% of the Internet. A number of databases have been created, which identify e-mail servers that are known to have an “open relay” or other characteristics that make them vulnerable to SPAMmers. For example, an e-mail server with an open relay will accept e-mail from anyone and pass it on. SPAMmers exploit these sites to hide their true location while flooding the Internet with messages. The maintainers of these “open relay” databases send e-mail to the postmaster of the site that is being put on the list and tell the postmaster to fix the problem. When the postmaster gets the open relay fixed, he can ask for the site to be re-evaluated immediately and removed from the database. WVNET uses the open relay databases to refuse e-mail from any server that runs an open relay or that is known to have similar vulnerabilities to exploitation by SPAMmers.
The second approach is to run SPAM filter software that examines every e-mail and compares it to a set of rules. Each message is heuristically analyzed for content and a final score is assigned. Everything in the body of the message that is consistent with known SPAM characteristics is assigned a point value and this value is added to a total score for that message. Some point values are positive and others, which are associated with characteristics not usually associated with SPAM, are negative.
After the entire message is scanned, the final score is compared to a numerical value that is set by the receiving site as the threshold for rejecting a message as SPAM. This threshold approach reflects that there is no infallible test for SPAM and there is always a balance between the possibility of rejecting some valid mail as SPAM and letting some SPAM through because it appears legitimate.
If the final score exceeds the threshold set for that enterprise, the e-mail is bounced to the sender. WVNET currently uses this SPAM filter software, and we are constantly tuning our settings to optimize this threshold. Our customers all establish their own thresholds individually.
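The scoring and per-site threshold described above, as an added example (not WVNET's filter or its rule set). The rules, point values, site names and thresholds are hypothetical, and the two message bodies are constructed.

```python
import re

# Hypothetical rules: (name, pattern, points). Positive points mark SPAM-like
# traits; negative points mark traits not usually associated with SPAM.
RULES = [
    ("urgent_offer", re.compile(r"\b(act now|limited time|free money)\b", re.I), 2.0),
    ("shouting",     re.compile(r"\b[A-Z]{6,}\b"), 1.0),
    ("exclaim_run",  re.compile(r"!{3,}"), 1.5),
    ("quoted_reply", re.compile(r"^> ", re.M), -2.0),
]

# Hypothetical per-customer thresholds: each receiving site sets its own.
THRESHOLDS = {"site_a": 5.0, "site_b": 3.0}

# Constructed message bodies.
PROMO = "ACT NOW for FREE MONEY!!! LIMITED time offer."
REPLY = "> Can you act now on the budget?\nYes, sending it today."


def score(body: str):
    """Return (total, hits): each rule that matches adds its points once."""
    hits = [(name, pts) for name, rx, pts in RULES if rx.search(body)]
    return sum(pts for _, pts in hits), hits


def classify(body: str, site: str) -> str:
    """Bounce only when the final score exceeds the site's threshold."""
    total, _ = score(body)
    return "bounce" if total > THRESHOLDS[site] else "deliver"


if __name__ == "__main__":
    for label, body in (("promo", PROMO), ("reply", REPLY)):
        total, hits = score(body)
        verdicts = {site: classify(body, site) for site in THRESHOLDS}
        print(label, total, hits, verdicts)
```

The same promotional message is delivered at one site and bounced at the other, which is the balance between rejecting valid mail and letting SPAM through that the threshold controls; the reply shows a negative rule cancelling a phrase that would otherwise count against a legitimate message.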
The third approach is the newest. A database has been created based on scanning e-mail servers to determine what percentage of the e-mail they send is SPAM. If the percentage is high enough, the server is added to the database and flagged as a source of SPAM. The postmaster of the e-mail server is notified of the problem and is asked to fix it. The use of this new type of database is being adopted by more and more people on the Internet.
Some commercial e-mail providers make money by allowing SPAMmers to use their e-mail servers. Suddenly these operators are finding that many other servers will no longer accept their e-mail, causing them to lose business until they resolve the problem. This is the same process that happened when the open relay databases were originally created. Many postmasters are working now to address the flow of SPAM from their mail servers. WVNET is using this new type of database to further reduce SPAM.
- Enjoy professional management of an enterprise-wide filtering solution for SPAM and viruses. This includes constantly updated virus signatures and dynamic access to multiple major SPAM-source databases — all for one low budgeted cost and with no additional load on your staff. We can do some customization of the SPAM filter depending on your needs.
- Save approximately half of your mail server’s capacity by preventing SPAM from ever reaching your server. This avoids unnecessary e-mail server upgrades and reduces the size of mail systems backups.
- Improve user productivity by reducing or eliminating the time spent every day separating the useful correspondence from the useless clutter.
- Create a more wholesome educational environment through the reduction or elimination of salacious solicitations.
- Close the source of as much as 99.8% of the viruses in your organization’s computers. This reduces the load on your support services, improves user productivity, protects your intellectual property and administrative resources, and facilitates secure collaboration and information sharing within your campus communities.
- WVNET uses MRTG — a tool to monitor the traffic load on network-links — to report on all aspects of the Virus and SPAM filtering we do for you. This software collects information every five minutes and dynamically updates graphs showing the traffic to your destination, the amount of virus-infected messages, the percentage of SPAM, etc. This information is always available to you via a Web page. Since the information is updated every five minutes, you can see what is going on at the present time and in the past. The graphs reflect the current day, the last week, and the last month.
WVNET uses a commercial virus scanning engine, which updates the virus signature tables every hour. This software runs on RedHat Linux on IBM x-Series machines with dual CPUs and RAID/mirrored disk drives. The hardware was chosen for its reliability, since it is important to have 24x7x365 availability.
WVNET tests all software upgrades on a separate test machine and, after testing, migrates to new software levels on our production servers in the early morning hours or on weekends. Downtime for upgrades is minimal and generally in the 15-30 minute range. WVNET also maintains a spare server readily available in the event of a serious hardware failure.
Our standard pricing for this service is a $1,500 base price per year plus one dollar per account per year. For sites with fewer than 200 accounts, WVNET will charge $1,000 per year. For sites with more than 8,000 accounts, WVNET will negotiate a fair price depending on the number of messages per day, the size of the average message, and the number of e-mail accounts involved.
For more information, please contact Phil Snitz at (304) 293-5192 x258 or firstname.lastname@example.org.