Problem solve Get help with specific problems with your technologies, process and projects.

Phishers and spambots -- appliances that fight back

Most email security appliances are designed to deflect unsolicited inbound SMTP traffic. In this edition of our Security Spotlight Lisa Phifer examines the benefits of deploying an email security appliance and addresses what specifically to look for in an appliance for your network.


Spam nearly doubled in 2006, consuming 819 terabytes of bandwidth per day. To evade IP filters, spam is increasingly sent by "botnets" -- tens of thousands of trojaned hosts. One in three messages now carries images that bypass text filters while wasting 70% more resources. Spam reconnaissance activities such as Directory Harvest Attacks are draining email server capacity. As spam grows more invasive and elusive, network operators are being forced to find new strategies. Email security appliances can help you battle spam more efficiently, reclaiming lost user, server and network productivity.

Why deploy an email security appliance?
Email security appliances, including spam firewalls and email filtering appliances, are purpose-built devices that inspect email traffic to stem the flow of undesirable messages and/or enforce corporate policies. By discarding, throttling or quarantining email, these appliances try to stop spam -- about 85% of all email traffic -- from reaching workgroup servers or user inboxes. Potential benefits include a lighter load on your LAN, email and storage servers; improved workforce productivity; and reduction in the number of virus, spyware and phishing attacks that result in asset damage or identity theft.

Most email security appliances are designed to deflect unsolicited inbound SMTP traffic. Some also filter outbound email to address liability concerns, confidentiality risks, and compliance requirements. For example, analysts estimate that 8% of U.S. firms have been involved in lawsuits involving email or Internet abuse; appliances are one way to manage this risk by blocking porn or other illegal content. Similar techniques can prevent accidental or intentional disclosure of design documents, marketing plans and valuable intellectual property. Some email security appliances now offer features to help you comply with such regulations as HIPAA, GLBA and CA SB 1386, which require not only that you safeguard customer data but demonstrate that you have done so.

Adding an email security appliance to your network
Most email security appliances are designed to drop into business networks, sandwiched between a perimeter firewall and one or more email servers. If your email server is deployed on your firewall's DMZ, the email security appliance should be inserted between the DMZ and the email server. If you have a load-balanced cluster of email servers, deploy the email security appliance in front of the cluster. If you have regional email servers, extend that architecture by placing an email security appliance by each region's email server.

For appliances that route email, change your domain's MX record to the email security appliance's public IP. Alternatively, some email security appliances can operate in transparent mode, bridging to/from email servers without affecting MX records. If you expect the appliance to enforce outbound policy, configure servers, routers and switches inside your LAN to force all outbound email protocols through the appliance.

Depending on the appliance and how you use it, further integration may be required. For example, appliances can treat everyone the same way or apply different rules to configured groups and users. In the latter case, consider integrating your email security appliance with ActiveDirectory, binding new email attributes to existing group and user objects. Appliances that quarantine spam may let recipients review suspicious messages. If so, decide whether and how users should interact with your appliance -- for example, through a Web portal or Microsoft Outlook or Lotus Notes client plug-ins.

What to look for in an email security appliance
Email security appliances are specialists that inspect one type of traffic as quickly and efficiently as possible. Whether your workforce is small or large, performance will matter A LOT. Select an appropriately sized appliance, considering processing power (for high-volume scanning), connection capacity (for many simultaneous connections), I/O capacity (for efficient email queuing), on-board storage (for quarantine), and high-availability features.

Email security appliances must be hardened against attacks such as malformed headers and email bounce flood attacks. For example, a spammer may try to "harvest" valid usernames by sending email to a long/random list @yourdomain; those that do not bounce may be deemed valid and used in future spam. Appliances should be able to thwart this attack without disclosing usernames or succumbing to overload.

Next, appliances must quickly drop bad email from known spammers, pass good email from trustworthy sources, and scrutinize the rest. Source filtering methods may include reputation filters (e.g., SenderBase), public blacklists (e.g., DNSRBL), local blacklists and whitelists, sender authentication (e.g., SPF, DomainKeys), and rate controls. Content analysis methods may include text pattern and dictionary filters, rule-based scoring, Bayesian analysis, intention analysis, spam fingerprinting, OCR filters, and recurrent pattern detection. For example, SPF tries to verify the source MTA's identity, making whitelists more effective. OCR tries to spot spam that uses images to elude Bayesian analysis, while fingerprinting tries to detect animated or segmented images that slip by OCR. As spam continues to evolve, so must these layered defenses. To learn about recent trends and countermeasures, see this Barracuda primer (PDF).

Email security appliances can also play a role in virus defense. Some include more than one antivirus technique -- for example, burst analysis to quickly quarantine suspicious messages in the early hours of a new outbreak, complemented by one or more signature-based scan engines. Factors to consider include signature update frequency, scan engine performance, message disposition controls (e.g., redirect, deliver, tag, quarantine, strip, discard), and the ability to throttle the volume of messages to be scanned.

Appliances that filter outbound messages can enforce email content policies for a wide variety of business reasons. Pattern filters may spot "banned words" carried by non-business email that violates acceptable use policies. Attachment filters may deter proprietary document and spreadsheet transmission beyond your own domain, based on file type or content analysis. Predefined compliance dictionaries may automatically quarantine messages containing social security numbers, credit card numbers, HIPAA-protected health information, GLBA personal financial information, and so on. When these sensitive messages are transmitted to a trusted destination, some appliances can automatically encrypt them to ensure privacy without relying on end users or client software.

Management, monitoring and reporting features are another important consideration. For example, do you want whitelist and Bayesian scores maintained on a per-user basis? Do you need to apply different attachment policies to finance and engineering? When the appliance is under the gun during a virus outbreak, will you have ready access to reports and alerts? Do you really want users logging into the appliance to manage their own quarantine queue? These are just a few of the many questions to consider when choosing the right appliance for your environment.

Finding an email security appliance
Many email security solutions are available today, from managed security services (e.g., Postini) to do-it-yourself software (e.g., BrightEmail). Some companies prefer to outsource part or all of their email security needs, while others choose to control and monitor their own in-house email defenses. Email security appliances offer a middle ground: a turnkey box that should prove easier to manage than roll-your-own software, without requiring you to send all your email through a third-party server.

Today, many Unified Threat Management firewalls (e.g., Fortinet) include such features as spam filters and virus scanning. UTM devices can form a useful part of your perimeter email defense, but they do not focus on email-specific threats and policies to the same degree that dedicated email security appliances do. Hardware appliances designed specifically to stop spam, foil phishers, and enforce email security policies include:

About the author
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to and

This was last published in December 2006

Dig Deeper on Network Management Software, Tools and Utilities

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.