Introduction
Today, virtually all sites have some sort of spam protection deployed —either a commercial anti-spam product or a free/open-source anti-spam productsuch as SpamAssassin. Those products typically do a good job of catching mostspam.
The question then becomes, “We already have a spam solution, and it catches alot of spam. Why should we bother buying something additional, like FarsightSecurity’s Newly Observed Domains blocklist?”
Understanding that value proposition requires careful consideration of bothcosts and benefits.
Costs
Whenever you do filtering, the first broad/coarse cuts are easily and cheaplymade. Let’s arbitrarily assume for the sake of discussion that a typicalanti-spam product or technique successfully blocks 90% of all the spam itexamines. (In reality, the blocking success percentage might be higher, orlower).
Getting a more insightful solution that will perhaps take care of another 9%,taking you to 99% filtering coverage (while not also cranking up your rate offalse positives), might prove to be just as hard/expensive as making that firstcoarse cut.
Dealing with some or all of the remaining 1% might in turn be stilldifficult and more expensive yet. The easy stuff was long ago stripped away,now you’re dealing with the trickiest of the tricksters. Again, even thoughyou’re only working on filtering a residual 1% of the spam that’s thrown atyou, it likely won’t be cheap.
That’s the “cost” side.
Benefits
On the benefit side, let’s assume that 85% of your email is spam. If a smallsite does zero spam filtering and gets 50,000 emails a week, running withoutfiltering means that 50,000 * 0.85 = 42,500 messages will be spam and 7,500messages will be ham. Wow! You need to do something: that ratio is over 5.6spam to 1 ham.
Assume your initial attempt at spam filtering blocks 90% of the spam. Thatmeans your mail flow will now look like 7,500 ham and 4,250 spam (10% ofthe original 42,500 spam are missed and get delivered). That’s probably still“a lot” from the point of view of users, but substantially better than it was(just roughly one spam for every two ham).
So now the website adds a second filtering product, taking you to 99% coverage.Now you’re down to 7,500 ham and 425 spam. That’s nearly 18 ham for everyone spam. Not too bad, but maybe your costs are now 2X (this is allhypothetical).
If you add a third product and manage to get 99.9% coverage, now you’re down to42 or 43 spam… This translates to 178 real messages (or so) for every 1spam.
Getting the extra nines helps, but only asymptotically. Only you can decidewhere the economics of “chasing the tail of that curve” makes sense, right?
Put another way, if we’re talking about tolerance for spam, what’s N if we’retalking about being able to live with 1 spam-in-every-N total messages?Does N=12? 100? 5,000?
How This Relates to Farsight Security’s Newly Observed Domains (NOD) Product
Farsight doesn’t expect you to try to use NOD as your “one and only” spamfiltering product. It is meant to complement and enhance your existinganti-spam solution, not to replace it. Its coverage is focused, and unique.
NOD doesn’t target the broad volumes of spam that get caught by things likestandard anti-spam solutions. Rather, NOD targets what the other spam filtersmay miss. Specifically, NOD targets those spammers who have decided to employwhat amounts to a “quick strike” or “no huddle” offense in an effort to gettheir spam through:
- The spammer creates a brand new domain name,
- The spammer then immediately begins sending spam using that domain name
- The spammer continues doing so for a short time (perhaps for just a fewminutes or a few hours), and then, once they begin to get noticed (andblocked by conventional anti-spam solutions),
- The spammer iterates, repeating that process by creating yet another newdomain, etc.
Spammers are confident that most sites quite simply won’t be able to be asagile as they are. NOD is the game changing technology that crushes thatspammer hope.
That said, every site’s spam experience is different. You may see tons of spamof this sort, or virtually none. If you are troubled by this sort of “quickstrike” spam, we hope you’ll consider adding NOD to your spam filters. It hasthe potential to act as an effective tool in the fight against someparticularly troublesome types of spam that may otherwise slip through yourfiltering and land in your inbox.
Getting More Information About NOD
For more information about subscribing to NOD, please contact the FarsightSecurity Sales department at [email protected],or see https://www.farsightsecurity.com/solutions/threat-intelligence-team/newly-observed-domains/.
Joe St Sauver, Ph.D. is a Distributed System Scientist for FarsightSecurity, Inc.
Heading
