Readers respond on Deep Six spamwall

By Brian Livingston

Our tests of antispam appliances in the Jan. 26 newsletter made a definite impression on our readers. The article received a reader rating of 4.15 out of a possible 5, our highest-rated article so far (well, in all two of the issues that’ve supported reader ratings to date). And several subscribers sent us their own results from testing the least-expensive appliance in our review: the Deep Six Technologies DS200 Spamwall, which we found to be highly effective.

This device, our tests showed, prevented almost all spam servers from even connecting to our test mail server. No quarantine folder of "possible spam," therefore, is needed. This means there’s no morass of junk mail to examine for misdirected legitimate messages. Quarantine folders not only waste your users’ time, but also expose them to phishing scams and all the other bad stuff that spam usually contains.


The DS200 ($999 list) produced no false positives in our tests but allowed into our inboxes only 0.09% of the thousands of unwanted messages that spammers attempted to send. This performance compares very favorably with competing SMB antispam appliances that list for $3,000 to $7,200, plus ongoing license fees. (Many of the alternatives, however, also offer antivirus and firewall protection that the Deep Six invention does not.)

Despite its low cost, simplicity, and effectiveness, the Deep Six device has never been reviewed by any major computer magazine. The DS200 uses “connection scoring,” which ranks incoming mail connections using a “decision tree” involving several dozen real-time block lists. Test labs cannot review this approach by merely sending a corpus of known spam and not-spam from one test server to another. It can only be reviewed using a live mail server and a live stream of SMTP (Simple Mail Transport Protocol) connections. I repeat my call for better-funded research labs to commit the resources necessary to really torture-test the DS200.

As a result of my article, many of our readers learned about Deep Six for the first time. To be sure, the DS200 is useful only to companies that operate their own mail servers. But this represents a large portion of our subscribers. I believe the principles at work in the Deep Six device can eventually relieve individual computer users of spam as the Spamwall’s methodologies are licensed (or imitated) by ISPs and others.

Decision tree reduces mail-server demands

Many of our readers who tested the device for themselves reported that it succeeded in its major benefit: reducing the CPU time and storage space that their mail servers previously consumed calculating spam scores for incoming messages. Reader Alex Davidson writes:
  • “We currently use GFI’s Mail Essentials software installed on a server. In January 2006, it reported that we received an average of 18,662 messages a day. Of those, 99% were identified as spam by GFI.

    “On Friday, Feb. 3rd, I set up our new DS200 (purchase based solely on your review), put it on the LAN, then switched the firewall to point to it (all during business hours and no problems were experienced).

    “Yesterday, the number of messages hitting GFI dropped by 82% to 3,317, with 90% of those being identified as spam by GFI.

    “We currently have the spam threshold on the DS200 set to 15, but plan on reducing this one point every week or so until we get to our goal of 10, unless it causes too many false positives.

    “So far we’re very pleased, and hope to improve things even further.”
My own office has five mail users on a Microsoft Exchange Server. We’ve gradually reduced the permissible "spamminess" connection score from 20 to 15 to 10 (out of a possible 100) on the test DS200 unit we purchased. We still haven’t received a single report of a false positive (a legitimate sender whose message bounced). We’ve been filtering our live mail stream through the DS200 now for approximately 45 calendar days. If any newsletter readers had received bounce errors, at least one of them would have informed us through our Web comment form or voicemail service, the alternate contact methods that are specified in the error notice.

What to do when you have no spam

Other testers also noticed an immediate reduction in the load on their mail servers after installing a DS200. Reader Mike Winfrey writes:
  • “I have a small IT consulting company and I have an e-mail server that was getting hammered with spam, just like everyone else. Unfortunately, I didn’t know how badly it was getting hammered.

    “I installed the DS200 on Friday, Feb. 10, at about 10:30 a.m. My server breathed an immediate sigh of relief. In about 30 hours, the DS200 processed approximately 34,000 emails with a rejection rate of 82%.

    “Unfortunately, I had to reboot the DS200 because of a configuration change and didn’t think to write down the statistics beforehand. So, at about 3:30 on Saturday, Feb. 11, my counters started over. Since then, the DS200 has processed 14,741 emails with a rejection rate of 86%. Now for the outstanding part. My personal inbox hasn’t received any spam.

    “I’ve seen a lot of new products over the last 20 years and I don’t normally get excited about them, but I am excited about this. It’s fun to watch all those little pests die a horrible death. I sit and watch the real-time process as it reports, ‘Done blocking server.’ Yeah!!!!

    “That’s outstanding. After the ‘new’ wears off, I’ll continue with the rest of my life.”
Considering its effectiveness, the Deep Six technology is surprisingly simple. It has no moving parts and, after an initial configuration period, it’s a set-it-and-forget-it device.

That leaves little for you to do but watch a scrolling window showing spam server after spam server that’s being denied an SMTP connection. This is admittedly a tempting pastime. But I strongly advise everyone who installs this little device to tear yourself away from the window and get some real work done!

Connection algorithm beats block lists alone

Subscribers who had previously depended on the binary use of yes-no block lists also found benefits from the DS200. As explained last issue, the device uses a sophisticated mathematical model to gauge the interaction between various block-list recommendations rather than defaulting to any single yes-no judgment. The device also asks some mail servers to re-send a given connection attempt. This almost always uncloaks spam servers, which value nothing but speed and are programmed to ignore such hand-shaking.

Reader Rich Wills writes:
  • “Thanks for your review of the Deep Six device. Our 300-seat firm was having very mixed results using RBLs (Spamhaus and SpamCop amongst them). We got so very tired of the whining, both about the amount of spam [not] being caught and the very small amount of false positives we were experiencing.

    “E-mail volume here is high (4,000-6,000 per day) and the whining was growing. We purchased the Deep Six device last week and have seen an amazing drop in spam getting though.

    “Today was a milestone — not one spam e-mail upon arrival this morning. I was accustomed to over 40 per day. Great device, inexpensive, and I had to restrain myself from buying it a Valentine, I love it so much. Thanks for reviewing the device.”
One serious criticism of real-time block lists is that they sometimes ban innocent parties. The Deep Six approach, which assembles a matrix of dozens of block-list ratings, appears to work around such mistakes.
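To make the difference between "any one list says no" and a combined connection score concrete, here is an added example. It is not Deep Six's or Tyrnstone's code and does not reproduce the DS200's real decision tree; the block-list zones, their weights, the listed addresses and the 0-to-100 scale are all constructed for the demonstration. It does show the two mechanisms the text describes: several lists are weighed together so that a single list's mistake cannot by itself reject a sender, and a borderline sender is asked to try again (a greylisting-style retry that a legitimate mail server honors and that throwaway spam software usually does not).

```python
"""
Added example: multi-block-list connection scoring with a retry step.
Not the DS200's own algorithm; every list, weight and address below is a
constructed assumption used only so the example runs offline.
"""
import ipaddress

# Hypothetical DNS block-list zones and their weights. The weights sum to
# 100, so a connection score runs from 0 (listed nowhere) to 100 (listed
# everywhere). Real lists would be queried over DNS.
BLOCK_LISTS = {
    "zone-a.example": 40,
    "zone-b.example": 30,
    "zone-c.example": 20,
    "zone-d.example": 10,
}

# Constructed listing data standing in for live block-list answers.
# 203.0.113.5 is listed on every list; 192.0.2.44 only on the smallest one.
LISTED = {
    "zone-a.example": {"203.0.113.5", "203.0.113.77"},
    "zone-b.example": {"203.0.113.5", "198.51.100.9"},
    "zone-c.example": {"203.0.113.5"},
    "zone-d.example": {"203.0.113.5", "192.0.2.44"},
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNS block-list lookup asks for: the address's
    octets in reverse order, prefixed to the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str) -> bool:
    """Offline stand-in for the DNS query; a real lookup would resolve
    dnsbl_query_name(ip, zone) and treat an answer as 'listed'."""
    return ip in LISTED.get(zone, set())


def connection_score(ip: str) -> int:
    """Weighted sum of the lists that have this address listed, 0..100."""
    return sum(weight for zone, weight in BLOCK_LISTS.items()
               if is_listed(ip, zone))


def decide(ip: str, threshold: int, seen_retrying: set) -> str:
    """Classify one connection attempt as 'reject', 'retry' or 'accept'.

    threshold      -- score at or above which the connection is refused
                      (the article's readers ran the DS200 at 10 to 20)
    seen_retrying  -- addresses already told to come back; a second
                      attempt from one of them is accepted
    """
    score = connection_score(ip)
    if score >= threshold:
        return "reject"          # enough lists agree: never reaches the MTA
    if score > 0:
        if ip in seen_retrying:
            return "accept"      # it came back as a real mail server would
        seen_retrying.add(ip)
        return "retry"           # listed on too few lists to refuse outright
    return "accept"


if __name__ == "__main__":
    state = set()
    for addr in ("203.0.113.5", "192.0.2.44", "192.0.2.44", "192.0.2.1"):
        print(addr, connection_score(addr), decide(addr, 15, state))
```

Because the single low-weight listing of 192.0.2.44 scores 10, below a threshold of 15, that sender is greylisted rather than refused, and its second attempt is let through; 203.0.113.5, listed by all four lists, is refused at any threshold. Lowering the threshold, as the readers above did one point at a time, moves the boundary between "retry" and "reject" and is the knob to watch for false positives.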

Watch out for friendly-server forwarding

I don’t want to give the impression that Deep Six’s results are perfect, by any means. One of the "gotchas" that testers found is a case in which users forward e-mail to company accounts from other addresses.

Reader Greg Shaffer describes his findings as follows:
  • “The main attraction for me is that connections are dropped before the message is accepted. We run SpamAssassin on our mail server, and the resources it was taking were a growing concern for me. However, not knowing anything more than the IP address of the dropped connection and the score is a little disconcerting. I am hoping I will find the syslog reporting is a little more detailed. …

    “If you have any users auto-forwarding messages from a spam-ridden account at a legitimate server, this box will score the legitimate server as clean and pass them right through. We are currently running the DS200 in front of SpamAssassin and, not surprisingly, it is filtering out these messages without any difficulty.”
If you can’t talk users out of this kind of forwarding, at least the DS200 device can substantially reduce the amount of mail on which your server has to perform CPU-intensive content filtering. Best of all would be to talk those users into changing their outside addresses that have become saturated with spam. Be sure to "spam-proof" the new addresses; my recently revised e-book on the subject explains a few easy steps to do this.

Verizon can’t configure mail servers properly

Shaffer uncovered a serious problem with the way Verizon, the large New York-based ISP and telephone conglomerate, handles its mail servers.

In my Datamation columns of Jan. 3 and Jan. 24, I explained that companies using both an antispam appliance and a mail server should direct all mail to the appliance. To do this, you set up what’s called an MX (Mail Exchanger) record. This tells outside mail servers what IP address any messages to your domain name should be sent to. Your mail server should then be configured to deny all SMTP connections, except from the appliance itself. This prevents spam servers from simply connecting to your mail server’s IP address or its subdomain name, which is a common trick of big-time spam software.

Shaffer continued his comments to me on the DS200 by explaining the error he found in Verizon’s mail servers:
  • “The recommended procedure is to remove the MX record for your mail server after you have fully tested the DS200. After I did that, I started accumulating [outgoing] mail for Verizon.net in my mail queue. I eventually discovered that Verizon’s antispam measures require both an MX record for the sending server and the ability for them to make a delivery attempt for the sending address at that server. The clearest description I have found of this is in the December 2nd blog entry at this site: Jeff.Squyres.com.

    “DS200 implications aside, I think the Verizon issue is very interesting. Their method of protecting their users/servers from spam costs me (a legitimate sender) extra CPU cycles and bandwidth.

    “In addition to the Verizon problem, some spammers have been sending directly to our mail server, even when there wasn’t an MX record. Even the engineer at Tyrnstone reported the same problem.

    “However, there seems to be a very workable solution. As you suggest, a layered approach is very effective. Since all legitimate mail should be going through the DS200, I am now able to be very aggressive with RBL checks and access control lists on our mail server. This has effectively blocked nearly all of the messages being sent directly to the mail server, is not as resource intensive as having those messages running through SpamAssassin, and doesn’t seem to cause any problems with Verizon (at least as far as I can tell right now).

    “I believe the DS200 will be a welcome addition to my network. It is doing a good job of discarding a large percentage of spam before it hits our server. However, the DS200 passes more than a little spam from hosts which aren’t flagged by enough of the RBLs that the DS200 checks. I’ve been checking, and generally these hosts are getting scored as 0s or 5s, so this isn’t simply a tuning issue. More than likely, they are just the latest hosts being exploited by spammers and have not yet been listed.

    “Given that, and the need to keep port 25 open on the mail host (because of the Verizon issue), I would strongly recommend using the DS200 in conjunction with SpamAssassin or some other content-based anti-spam measure.”
Verizon.net is clearly wrong in requiring that an outbound-only mail server must also have an MX record and accept incoming messages. Most large companies, as well as many educational institutions, maintain separate outgoing and incoming mail servers to handle the load. In addition, security appliances must be located on a separate IP address from the mail servers they protect. The Internet’s mail protocols clearly state that every sending mail server must check the recipient company’s MX record to see which IP addresses are designated to receive incoming messages.

Fortunately, this kind of misconfiguration is easy to work around. As Shaffer reported, simply filtering out most messages that are sent directly to the wrong IP address (but accepting those from Verizon.net) allows legitimate mail to be transferred while avoiding the usual spammers’ tricks.
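The two halves of that arrangement, the MX record that tells correctly behaving senders to deliver to the appliance and the connection policy on the protected mail server that refuses everyone else, are shown in the following added example. It is not the DS200's, Tyrnstone's or Verizon's code, and it is not a working MTA: the appliance address, the bypass network standing in for the Verizon.net servers (whose real addresses the article does not give), the MX records and the log lines are all constructed placeholders. It illustrates the sender's side (pick the lowest-preference MX host), the receiver's side (accept a direct connection only from the appliance or from an explicit exception list), and a quick audit of a connection log to see how much direct-to-server traffic the policy turns away.

```python
"""
Added example: MX-based delivery target and appliance-only inbound policy.
All addresses, hostnames and log lines are constructed assumptions.
"""
import ipaddress

# Assumed address of the antispam appliance (the only host that should
# hand mail to the protected server).
APPLIANCE_IP = ipaddress.ip_address("192.0.2.10")

# Networks allowed to connect directly despite the policy, for senders
# that insist on a delivery attempt at the sending host. Placeholder;
# substitute the real ranges of the misbehaving provider.
BYPASS_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def choose_mx(mx_records):
    """Sender's side: given (preference, hostname) pairs from the
    recipient domain's MX lookup, return the host to try first, which is
    the one with the lowest preference value."""
    if not mx_records:
        raise ValueError("domain publishes no MX record")
    return min(mx_records, key=lambda rec: rec[0])[1]


def accept_inbound(src_ip: str) -> bool:
    """Receiver's side: should the mail server accept an SMTP connection
    from this address? Only the appliance, plus any bypass network."""
    ip = ipaddress.ip_address(src_ip)
    if ip == APPLIANCE_IP:
        return True
    return any(ip in net for net in BYPASS_NETWORKS)


def audit_connections(log_lines):
    """Count how a batch of 'connect from <ip>' log lines (constructed
    format) would be treated under accept_inbound, returning a dict with
    the number accepted, refused, and the distinct refused addresses."""
    accepted = 0
    refused = set()
    for line in log_lines:
        if not line.startswith("connect from "):
            continue                       # ignore unrelated lines
        ip = line.split()[-1]
        if accept_inbound(ip):
            accepted += 1
        else:
            refused.add(ip)
    return {"accepted": accepted, "refused": len(refused),
            "refused_hosts": sorted(refused)}


# Constructed MX data: the appliance is preferred, a backup host follows.
SAMPLE_MX = [(20, "backup-mx.example.com"), (10, "spamwall.example.com")]

# Constructed connection log: appliance traffic, one bypass-network
# sender, and two hosts that skipped the MX record and came straight in.
SAMPLE_LOG = [
    "connect from 192.0.2.10",
    "connect from 192.0.2.10",
    "connect from 198.51.100.33",
    "connect from 203.0.113.5",
    "connect from 203.0.113.5",
    "connect from 203.0.113.77",
    "disconnect from 192.0.2.10",
]

if __name__ == "__main__":
    print("deliver to:", choose_mx(SAMPLE_MX))
    print(audit_connections(SAMPLE_LOG))
```

The exception list is the part worth keeping small: every network added to it is a path around the appliance, so anything admitted that way should still face the aggressive list checks on the mail server that Shaffer describes.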

In my experience with the DS200, it’s true that a few pieces of spam are received each week from distant servers that boast a clean spamminess score of 0. I assume that these are newly hacked, "desktop servers," also known as zombie PCs. These zombies are likely to be added in short order to one or more of the numerous real-time block lists that Deep Six bases its algorithms on.

But it’s also important to remember that no antispam appliance can eliminate every single suspected piece of spam. Most companies consider avoiding false positives (legitimate messages that are filtered out) to be a far more important goal.

For this reason, you should always tune any antispam defense, whether it be hardware or software, to allow a little spam but eliminate false positives. Since the decision tree of the DS200 seems to reject more than 99.9% of spammy connections, it appears to be a very cost-effective way for companies to reduce the load on their incoming mail servers.

For more information on the DS200, contact the SMB marketing unit for the device, Tyrnstone Systems. For details on the patent-pending techniques that are involved, visit the Web site of Deep Six Technologies. (The name is a play on "you can deep-six your spam.")

To send us more information about antispam appliances, or to send us a tip on any other subject, visit WindowsSecrets.com/contact.

Readers Davidson, Winfrey, Wills, and Shaffer will receive gift certificates for a book, CD, or DVD of their choice for sending me comments that I printed.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.

All Windows Secrets articles posted on 2006-02-16: