

SPAM Protection @Novell
GroupWise Cool Solutions Article
by Tay Kratzer

Posted: 18 Mar 2004

So often I am asked, "Well, how do you do this at Novell?" That question has inspired this article. Novell's IS&T permitted me to spend some time with Steve Whitehouse, Chief GroupWise System Architect at Novell. Steve gave me a quick tour of Novell's SPAM solution. As a GroupWise user at Novell I can attest to how effective Novell's SPAM solution is; I maybe get three pieces of SPAM a week.
GroupWise's Built-In SPAM Solutions

First, let me quickly explain what GroupWise can do with regard to SPAM out of the box. I'll hasten to add, though, that Novell relies on layers of SPAM protection beyond those built into GroupWise.

The GWIA can use RBLs (Real-time Blackhole Lists) to try to identify hosts that are known to SPAM or to allow open SMTP relaying. Although RBLs can help as part of a SPAM protection solution, they do not provide sufficient SPAM protection in and of themselves.

The GroupWise Junk Mail feature supports the notion of protection that is often referred to as a "white list". Namely, the Junk Mail feature of GroupWise allows a user to configure their mailbox so that if an Internet message gets to the user's mailbox, but the sender is not in the user's personal address book(s), then the message is considered Junk Mail. This feature can be enabled in the GroupWise client by selecting Tools|Junk Mail Handling|Enable Junk Mail using personal address books. From a user standpoint this method works, but it sure is restrictive. Novell's IS&T did not want to rely on this method of SPAM protection for a couple of reasons. First, the SPAM had to traverse Novell's network - for no good reason. Secondly, users have the choice to retain messages they have Junked, so effectively resources for storage and backup are being used for SPAM. And lastly, having the SPAM hit the mailbox causes the POA to have to look through the white lists, which robs resources from a POA running against some rather large GroupWise post offices.

The Junk Mail feature also supports the notion of a black list, namely, when a user gets a message from a sender that they do not want messages from, they can flag the message to be junked. Here's the problem with this model though. It has all of the negative system-level impacts of the "white list", plus the user has to interact with the SPAM message in some manner, which is a waste of the user's time.

The SPAM Protection Solution @Novell

Novell's IS&T does not rely upon RBL lists on the GWIA, nor are users encouraged to create white or black lists. Novell's line of defense against SPAM runs on three different network appliances running GWGuardian from the folks at www.messagingarchitects.com.

Let me explain from a low-level standpoint how GWGuardian is configured at Novell. The GWGuardian appliance sits at Novell's SMTP entry point, as shown in Figure 1.


Figure 1 - A Telnet Session with the GWGuardian Appliance

Once a session is initiated with the GWGuardian appliance, GWGuardian uses several layers for SPAM control, many of which are customizable.

In addition to its advanced SCA (Sequential Content Analyzer) Anti-Spam algorithms, GWGuardian provides several additional layers of security to protect GroupWise from abuse by spammers. These include Protocol Filtering, Anti-Relaying, Scan Attack Blocking and Dynamic SMTP Connection Limits.

One of the most interesting is the Protocol Filtering option which is used extensively at Novell during Virus Storms (such as the recent MyDoom attack) to block and drop up to 90% of all SMTP connection requests. The Protocol Filter is really Novell's first layer of defense and as such it directly monitors all SMTP transactions in real time and can determine if a connection request is indeed for a valid email message or if it is rather a known virus header (like "I Love You") which should be instantly dropped without chewing up any further server or bandwidth resources.
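A minimal sketch of the protocol-filtering idea described above, added here as an illustration and not GWGuardian's or Novell's code: it follows the client side of one SMTP session and returns a drop verdict as soon as a blocked Subject header is complete, before any of the body is read. The class and function names, the signature pattern and the sample session are constructed for this example.

```python
import re

# Constructed signature list; a real appliance ships and updates its own.
BLOCKED_SUBJECTS = [re.compile(r"^i\s*love\s*you$", re.IGNORECASE)]

class ProtocolFilter:
    """Follows the client side of one SMTP session, one line at a time."""
    def __init__(self):
        self.in_data = False     # True once the client has sent DATA
        self.in_headers = False  # True until the blank line after the headers
        self.pending = ""        # current header with folded lines joined

    def _verdict(self):
        name, _, value = self.pending.partition(":")
        subject = " ".join(value.split())  # collapse folding whitespace
        hit = name.strip().lower() == "subject" and any(
            p.search(subject) for p in BLOCKED_SUBJECTS)
        return "DROP" if hit else "CONTINUE"

    def feed(self, line):
        """Take one client line without CRLF; return 'CONTINUE' or 'DROP'."""
        if not self.in_data:
            if line.strip().upper() == "DATA":
                self.in_data = self.in_headers = True
            return "CONTINUE"
        if not self.in_headers:            # body: only watch for the end marker
            self.in_data = line != "."
            return "CONTINUE"
        if line[:1] in (" ", "\t"):        # continuation of a folded header
            self.pending += " " + line.strip()
            return "CONTINUE"
        verdict = self._verdict()          # previous header is now complete
        self.pending = "" if line in ("", ".") else line
        self.in_headers = bool(self.pending)
        self.in_data = line != "."
        return verdict

def run_session(lines):
    """Return (verdict, client lines read before the decision was made)."""
    flt = ProtocolFilter()
    for count, line in enumerate(lines, 1):
        if flt.feed(line) == "DROP":
            return "DROP", count
    return "ACCEPT", len(lines)

# Constructed sample session: the Subject header is folded across two lines.
INFECTED = ["HELO mail.example.net", "MAIL FROM:<a@example.net>", "RCPT TO:<u@example.com>",
            "DATA", "From: a@example.net", "Subject: I Love", "  You", "To: u@example.com",
            "", "body line 1", "body line 2", "."]
```

Because a header can be folded onto following lines, the verdict for each header is only taken when the next header, the blank line or the end marker arrives.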

Once GWGuardian has cleared a message for delivery it passes the message back to one of Novell's GroupWise Internet Agents (GWIAs) used for inbound SMTP messages, within Novell's GroupWise system. From the GWIA on into Novell's GroupWise system it's just standard GroupWise delivery processes, and the Internet message is routed to the recipient's mailbox.

Novell's IS&T has enabled GWGuardian's spam quarantine feature. Each evening every user at Novell who has received SPAM gets a message in their in-box with a report of the SPAM that is in the quarantine. What's fun is that when I received my first quarantine report I used the Junk Mail feature of GroupWise to have the GroupWise POA move the message to my Junk Mail folder. So if ever I want to go and see my SPAM reports, they are all in my Junk Mail folder. Figure 2 shows a SPAM quarantine report delivered to my mailbox. In my own personal report for tkratzer@novell.com I typically have 40 to 50 messages that are quarantined each day as SPAM.


Figure 2 - Quarantined SPAM Report

SPAM Statistics for Novell

Here are some statistics that may seem startling. At Novell over 80% of the inbound Internet mail is blocked because it contains either SPAM or a virus. In December 2003, Novell received around 15 million Internet messages. Almost 13 million of those messages were filtered out because of SPAM and viruses. Figure 3 below is a bar graph of the percentages of SPAM and virus messages that came into Novell in the last 6 months of 2003.


Figure 3 - Percentage of Internet Messages that contain SPAM or viruses

Perhaps the most important thing that I would like you to derive from this article is that SPAM is a problem. Novell's approach of creating a barrier/border solution to SPAM keeps the whole infrastructure that supports GroupWise free to store and move legitimate messages quickly. What I like most about Novell's SPAM solution is the personal time savings I have gained from not having to deal with SPAM.

Tay Kratzer
www.taykratzer.com


See other articles written by Tay Kratzer at "Kratzer's Hot Docs": http://www.novell.com/coolsolutions/gwmag/trenches/kratzer.html
