Buying More Nines Worth of Protection
By Joe St Sauver
Today, virtually all sites have some sort of spam protection deployed – either a commercial anti-spam product or a free/open-source anti-spam product such as SpamAssassin. Those products typically do a good job of catching most spam.
The question then becomes, "We already have a spam solution, and it catches a lot of spam. Why should we bother buying something additional, like Farsight Security's Newly Observed Domains blocklist?"
Understanding that value proposition requires careful consideration of both costs and benefits.
Whenever you do filtering, the first broad/coarse cuts are easily and cheaply made. Let's arbitrarily assume for the sake of discussion that a typical anti-spam product or technique successfully blocks 90% of all the spam it examines. (In reality, the blocking success percentage might be higher or lower.)
Getting a more insightful solution that will perhaps take care of another 9%, taking you to 99% filtering coverage (while not also cranking up your rate of false positives), might prove to be just as hard/expensive as making that first coarse cut.
Dealing with some or all of the remaining 1% might in turn be more difficult and more expensive yet. The easy stuff was stripped away long ago; now you're dealing with the trickiest of the tricksters. Again, even though you're only working on filtering a residual 1% of the spam that's thrown at you, it likely won't be cheap.
That's the "cost" side.
On the benefit side, let's assume that 85% of your email is spam. If a small site does zero spam filtering and gets 50,000 emails a week, running without filtering means that 50,000 * 0.85 = 42,500 messages will be spam and 7,500 messages will be ham. Wow! You need to do something: that ratio is over 5.6 spam to 1 ham.
Assume your initial attempt at spam filtering blocks 90% of the spam. That means your mail flow will now look like 7,500 ham and 4,250 spam (10% of the original 42,500 spam are missed and get delivered). That's probably still "a lot" from the point of view of users, but substantially better than it was (just roughly one spam for every two ham).
So now the site adds a second filtering product, taking you to 99% coverage. Now you're down to 7,500 ham and 425 spam. That's nearly 18 ham for every one spam. Not too bad, but maybe your costs are now 2X (this is all hypothetical).
If you add a third product and manage to get 99.9% coverage, now you're down to 42 or 43 spam… This translates to 178 real messages (or so) for every 1 spam.
Getting the extra nines helps, but only asymptotically. Only you can decide where the economics of "chasing the tail of that curve" makes sense, right?
Put another way, if we're talking about tolerance for spam, what's N if we're talking about being able to live with 1 spam-in-every-N total messages? Does N=12? 100? 5,000?
How This Relates to Farsight Security's Newly Observed Domains (NOD) Product
Farsight doesn't expect you to try to use NOD as your "one and only" spam filtering product. It is meant to complement and enhance your existing anti-spam solution, not to replace it. Its coverage is focused, and unique.
NOD doesn't target the broad volumes of spam that get caught by things like standard anti-spam solutions. Rather, NOD targets what the other spam filters may miss. Specifically, NOD targets those spammers who have decided to employ what amounts to a "quick strike" or "no huddle" offense in an effort to get their spam through:
- The spammer creates a brand new domain name,
- The spammer then immediately begins sending spam using that domain name,
- The spammer continues doing so for a short time (perhaps for just a few minutes or a few hours), and then, once they begin to get noticed (and blocked by conventional anti-spam solutions),
- The spammer iterates, repeating that process by creating yet another new domain, etc.
Spammers are confident that most sites quite simply won't be able to be as agile as they are. NOD is the game-changing technology that crushes that spammer hope.
That said, every site's spam experience is different. You may see tons of spam of this sort, or virtually none. If you are troubled by this sort of "quick strike" spam, we hope you'll consider adding NOD to your spam filters. It has the potential to act as an effective tool in the fight against some particularly troublesome types of spam that may otherwise slip through your filtering and land in your inbox.
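As an added illustration of the "quick strike" check described above (example code written for this page, not Farsight's product, API or feed format): the sketch below pulls sender and URL domains out of a message and flags any that were first observed within a recent window. The first-seen table, the 24-hour window, the sample messages and all function names are assumptions made up for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for a newly-observed-domains feed: domain -> first time seen.
# Hypothetical data and format, used only for this example.
FIRST_SEEN = {
    "fresh-deals.example": datetime(2024, 5, 1, 11, 40, tzinfo=timezone.utc),
    "old-newsletter.example": datetime(2019, 3, 2, 8, 0, tzinfo=timezone.utc),
}
NEW_WINDOW = timedelta(hours=24)  # assumed definition of "newly observed"
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed sample messages and delivery time (25 minutes after first sighting).
QUICK_STRIKE = ("From: Promo <promo@mail.fresh-deals.example>\nSubject: Sale\n\n"
                "Visit https://shop.fresh-deals.example/offer today\n")
ESTABLISHED = ("From: News <news@old-newsletter.example>\nSubject: Weekly\n\n"
               "Read http://old-newsletter.example/issue/12\n")
RECEIVED_AT = datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)

def base_domain(host):
    # Simplification: keep the last two labels. Real filters should consult
    # the Public Suffix List so that names like example.co.uk are handled.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def message_domains(raw):
    """Collect base domains from sender headers and from URLs in the body."""
    msg = message_from_string(raw)
    hosts = set()
    for header in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1]
        if "@" in addr:
            hosts.add(addr.rsplit("@", 1)[1])
    body = msg.get_payload()
    if isinstance(body, str):  # single-part messages only in this sketch
        hosts.update(URL_HOST.findall(body))
    return {base_domain(h) for h in hosts}

def newly_observed_hits(raw, received_at):
    """Return the message's domains that are still inside the 'new' window."""
    hits = []
    for domain in sorted(message_domains(raw)):
        seen = FIRST_SEEN.get(domain)
        if seen is not None and timedelta(0) <= received_at - seen < NEW_WINDOW:
            hits.append(domain)
    return hits
```

The same message stops matching once the domain ages out of the window, which is why a check like this complements, rather than replaces, content-based filtering.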
Getting More Information About NOD
For more information about subscribing to NOD, please contact the Farsight Security Sales department at firstname.lastname@example.org or see https://www.farsightsecurity.com/solutions/threat-intelligence-team/newly-observed-domains/.
Joe St Sauver, Ph.D. is a Distributed System Scientist for Farsight Security, Inc.