Bayesian Filters

Named after Thomas Bayes, an English mathematician, Bayesian Logic is used in decision making and inferential statistics. Bayesian Filers maintain a database of known spam and ham, or legitimate e-mail. Once database is large enough, system ranks words according to probability they will appear in a spam message.

Words more likely to appear in spam are given a high score (between 51 and 100), and words likely to appear in legitimate e-mail are given a low score (between 1 and 50). For example, words “free” and “sex” generally have values between 95 and 98, whereas words “emphasis” or “disadvantage” may have a score between 1 and 4.

Commonly used words such as “the” and “that”, and words new to Bayesian filters are given a neutral score between 40 and 50 and would not be used in system’s algorithm.

When system receives an e-mail, it breaks message down into tokens, or words with values assigned to them. The system utilizes tokens with scores on high and low end of range and develops a score for e-mail as a whole. If e-mail has more spam tokens than ham tokens, e-mail will have a high spam score. The e-mail administrator determines a threshold score system uses to allow e-mail to pass through to users.

Bayesian filters are effective at filtering spam and minimizing false positives. Because they adapt and learn based on user feedback, Bayesian Filers produce better results as they are used within an organization over time.

Bayesian filters are not, however, foolproof. Spammers have learned which words Bayesian Filters consider spammy and have developed ways to insert non-spammy words into e-mails to lower message’s overall spam score. By adding in paragraphs of text from novels or news stories, spammers can dilute effects of high-ranking words. Text insertion has also caused normally legitimate words that are found in novels or news stories to have an inflated spam score. This may potentially render Bayesian filters less effective over time.

Another approach spammers use to fool Bayesian filters is to create less spammy e-mails. For example, a spammer may send an e-mail containing only phrase, “Here’s link…”. This approach can neutralize spam score and entice users to click on a link to a Web site containing spammer’s message. To block this type of spam, filter would have to be designed to follow link and scan content of Web site users are asked to visit. This type of filtering is not currently employed by Bayesian filters because it would be prohibitively expensive in terms of server resources and could potentially be used as a method of launching denial of service attacks against commercial servers.

As with all single-method spam filtering methodologies, Bayesian filters are effective against certain techniques spammers use to fool spam filters, but are not a magic bullet to solving spam problem. Bayesian filters are most effective when combined with other methods of spam detection.

The Solution

When used alone, each anti-spam technique has been systematically overcome by spammers. Grandiose plans to rid world of spam, such as like charging a penny for each e-mail received or forcing servers to solve mathematical problems before delivering e-mail, have been proposed with few results. These schemes are not realistic and would require a large percentage of population to adopt same spam eradication method in order to be effective.

Working alone, each individual spam-blocking technique works with varying degrees of effectiveness and is susceptible to a certain number of false positives. Fortunately, solution is already at hand. IronMail®, secure e-mail gateway appliance from CipherTrust®, provides a highly accurate solution by correlating results of single-detection techniques with its industry-leading correlation engine, Spam Profiler™.

Learn more about stopping spam by requesting CipherTrust’s free whitepaper, “Controlling Spam: The IronMail Way”.

The core of IronMail’s spam capabilities, Spam Profiler analyzes, inspects and scores e-mail on over one thousand different message characteristics. Each method is weighed based on historical accuracy rates and analysis by CipherTrust’s experienced research team.

Optimizing Spam Profiler requires precise calibration and testing thousands of combinations of values associated with various message characteristics. To automate this process, CipherTrust developed Genetic Optimization™, an advanced analysis technique that replicates cutting-edge DNA matching models. Genetic Optimization identifies best possible combination of values for all characteristics examined by Spam Profiler and automatically tunes IronMail appliance, reducing administrator intervention and assuring optimum protection against spam and spam-born threats.

Take The Next Step

Learn more about how IronMail can secure enterprise e-mail systems by visiting www.ciphertrust.com or requesting CipherTrust’s free whitepaper, “Controlling Spam: The IronMail Way”. This resource will provide information you need to make an informed decision about eliminating spam and securing your e-mail systems.

Computer Virus Risks

Recent attacks from various types of computer viruses and worms have had profound effects on computer systems around world. Enterprises have been brought to their knees and forced to spend billions of dollars cleaning up mess and rebuilding their infrastructures. While increased IT costs are clear, there are other risks corporations face with regard to e-mail borne viruses.

System Downtime

E-mail has evolved to be primary communication tool for most organizations and loss of e-mail due to attack can severely affect enterprise operations. Beyond immediate expenses involved in restoring network, an attack on your enterprise e-mail system can also result in lost hours and days for employees who have come to rely on it to accomplish their daily tasks.

Resource Depletion

The costs of cleaning up after an attack are significant. IT teams are forced to spend considerable time and money repairing virus damage. The damage, however, is rarely contained to network servers. Once inside network, viruses can quickly infect large numbers of relatively exposed client machines - all of which must be individually cleaned, patched and repaired.

Administration

In past, when a new vulnerability was discovered, network administrators scrambled to apply security patches from makers of their anti-virus software and manually reviewed quarantine lists for virus-infected messages. Software manufacturers release patches so frequently that network administrators cannot reasonably be expected to keep up with them all. As stated by Gartner Research, “Enterprises will never be able to patch quickly enough. After all, attackers have nothing else to do.” The staggering damage caused by recent computer viruses and malware attacks is clear evidence that manual intervention to institute emergency measures or review quarantined messages is rarely effective against rapidly propagating threats.

Compliance and Liability

Recent Federal regulations such as Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley Act (SoX), require enterprises to protect data residing in mail servers and other internal systems. Security breaches violate these regulations, exposing sensitive data and opening door to serious sanctions and costly litigation.

Credibility

Falling victim to a virus attack can also result in lost trust from business partners and customers. According to Gartner, “Enterprises that spread viruses, worms, spam and denial-of-service attacks will find not only that malicious software can hinder their profitability, but also that other businesses will disconnect from them if they are considered to be risky.” While an attack may not be your fault, it is most certainly your problem.

The Solution

Although signature-based anti-virus systems are inadequate to preventing virus attacks in first few hours or days of an outbreak, it is possible to identify outbreaks before they infiltrate your organization’s network and become a problem. In fact, doing so successfully requires tight integration of several different technologies designed to analyze mail based on many different characteristics. One of most innovative and important technologies for meeting these threats is known as Anomaly Detection.

Large-scale virus outbreaks create anomalies in mail flow which are identifiable by message content, source, volume, attachment or any of a number of other indicators. When a particular message appears to be a part of a sudden surge of anomalous messages moving across internet, message can be quarantined until virus definitions can be developed to address new threat.

Anomaly Detection

CipherTrust’s IronMail utilizes a unique Anomaly Detection Engine (ADE), which dynamically identifies and responds to abnormal behavior in mail flow. By monitoring “normal” e-mail traffic rates across Internet, ADE allows IronMail to identify spikes in traffic that are often first signal of a malicious attack. Once these spikes are recognized, IronMail units take appropriate action to prevent infiltration of network.