Post on 09-May-2015
Next Generation Protection Against a Dangerous New Generation of Spam
Abaca: The world’s most effective spam filter
Agenda
• Traditional spam defenses suffer
• Abaca Corporation
• Next-generation technology
• Abaca Products
A History of Flawed Anti-spam Approaches
• Blacklists: Slow and insufficient; punishes the innocent
• Rules-based: Slow and labor intensive
• Content inspection: Relies on end users reporting; consumes much memory
• Decoys and honeypots: Relies on slow humans to write rules; trouble differentiating similar messages
• Collaborative checksum: Reactive — damage already done; checksums can be defeated
• Greylisting: Unacceptable delay; easy for a spammer to defeat
Accuracy Claims have been Greatly Exaggerated
Vendors trade false positives for accuracy
About Abaca
Abaca: A Steve Kirsch Company
• Mouse Systems – 1st Optical Mouse
• Frame Technology – Desktop Publishing (Adobe)
• Infoseek – Internet Search Engine (Disney)
Founded during 2005 in San Jose, California
• Next-generation anti-spam with unsurpassed accuracy
• Battle-tested at Yahoo! Mail – a juicy spam target
• Over 350 million email accounts under contract
Abaca Delivers Critical Component Of Messaging Security
Effectiveness / Accuracy
Ease of Administration
Messaging Security: Large and Growing Market
IDC: worldwide messaging security market
11.5% CAGR
Customer Successes
“Abaca offers superior e-mail security capabilities and has built a reputation for reducing unsolicited e-mail within mailboxes. We believe that by deploying Abaca’s solution with our anti-spam toolkit, we will offer Yahoo! Mail users not only added email security, but an enhanced user experience as well.”
John Kremer
Vice President of Yahoo! Mail
“Their remarkable performance, combined with Abaca's scalability and flexibility guaranteed the performance we were looking for.”
Marco Schilling
Director of Technology, Terra Latin America
Next Generation Anti-spam Technology
Real-time, crowd-sourced
Abaca © 2010, All rights reserved 8
Abaca Works Because Spam Obeys Some Laws
• Defined by relationship between sender and receiver, not the content
• RCPT TO is the only familiar item
• Must be sent in high volume
• Spammers must send to people who collectively receive more spam than average
• Recipient’s ham:spam mix is relatively constant
[Figure: envelope showing From: and To: fields. Caption: Envelope contains the key, not the message]
Receiver Reputation: A Unique and Protected Algorithm
Receiver reputation precisely differentiates spam from legitimate messages
Characterize (by passive observation) each protected user based on the % of spam they receive (receiver reputations)
Message ratings are based on each user's overall legitimate/spam ratio
Automatically learns and improves accuracy with real time legitimate/spam statistics for each protected user
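Added example, not Abaca's code (the slides describe the algorithm as protected and do not disclose it): a sketch of receiver-reputation scoring in which each recipient's observed spam fraction is the reputation and a message is rated from the reputations of the recipients it is addressed to. The mean log-odds combining rule, the smoothing prior, the cap value of 100 and the example.test addresses are assumptions; the per-user daily contribution cap follows the mitigation listed on the deck's "Attack Prevention Technique" slide.

```python
import math
from collections import defaultdict


class ReceiverReputation:
    """Tracks each protected recipient's observed spam fraction."""

    def __init__(self, daily_cap=100, prior=1.0):
        self.spam = defaultdict(float)   # spam messages seen per recipient
        self.ham = defaultdict(float)    # legitimate messages seen per recipient
        self.today = defaultdict(int)    # contributions counted today
        self.daily_cap = daily_cap       # assumed cap; limits reputation poisoning
        self.prior = prior               # Laplace smoothing, keeps 0 < p < 1

    def observe(self, rcpt, is_spam):
        """Record one verdict for rcpt; returns False once the cap is hit."""
        if self.today[rcpt] >= self.daily_cap:
            return False
        self.today[rcpt] += 1
        (self.spam if is_spam else self.ham)[rcpt] += 1
        return True

    def reputation(self, rcpt):
        """Smoothed fraction of this recipient's mail that is spam."""
        s = self.spam[rcpt] + self.prior
        h = self.ham[rcpt] + self.prior
        return s / (s + h)

    def rate(self, rcpts):
        """Spam probability for mail addressed to rcpts (assumed: mean log-odds)."""
        if not rcpts:
            raise ValueError("at least one RCPT TO address is required")
        logits = [math.log(p / (1 - p)) for p in map(self.reputation, rcpts)]
        return 1 / (1 + math.exp(-sum(logits) / len(logits)))


def build_constructed_population():
    """Constructed sample: five recipients at the spam mixes shown on the slide."""
    rep = ReceiverReputation(daily_cap=100)
    for pct in (90, 75, 50, 25, 10):
        for i in range(100):
            rep.observe(f"user{pct}@example.test", is_spam=i < pct)
    return rep


if __name__ == "__main__":
    rep = build_constructed_population()
    print(rep.rate(["user90@example.test", "user75@example.test"]))  # mostly-spam recipients
    print(rep.rate(["user10@example.test", "user25@example.test"]))  # mostly-ham recipients
```

A recipient the system has never observed gets a neutral reputation of 0.5, so ratings for mail to unknown addresses lean entirely on the other recipients.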
[Figure: ReceiverNet™ Receiver Reputation. Recipient Spam % = Receiver Reputation. Recipients shown at 90%, 75%, 50%, 25% and 10% spam, each receiving legitimate email and spam email.]
[Figure: ReceiverNet™ Receiver Reputation. Recipients at 90%, 75%, 50%, 25% and 10% spam. Based on the reputation of the recipients, this message is spam.]
[Figure: ReceiverNet™ Receiver Reputation. Recipients at 90%, 75%, 50%, 25% and 10% spam. Based on the reputation of the recipients, this message is legitimate.]
ABACA PRODUCTS
Designed for hosted mail providers
CLX : Carrier Class Anti-spam Solution
[Figure: CLX Solution, showing CLX Outbound Spam Filter, CLX Spam Rating Engine and CLX Spam Quarantine]
* Optionally deployed in-line as supplemental filter
Simple Integration, Rapid Deployment
• Simple programming interface
• Standard SMTP filtering protocols including milter
• Seamless integration with messaging infrastructure
• Leverages existing feedback mechanisms
• Tag, block, quarantine or deliver messages to easily conform to existing user behavior
• Self contained, no need to open ports to outside
Reduces Anti-spam Expenses
• Accurate, zero hour protection
• Automatic real-time reputation updates
• No waiting for new rules
• No updating signatures
• Reduces the burden on IT resources
• Green: requires one tenth the CPU cycles of conventional content-based filtering
Abaca CLX Inbound Solution Components
The Abaca CLX Anti-spam Solution includes the following components:
• abacam Client, available as a milter (Note: the abacam client is run on a standard MTA)
• CLX Inbound Rating Server
• CLX Feedback Server
• CLX Admin
• CLX Quarantine (optional)
Individual hardware servers are not required for all components
The following slide illustrates the architecture of a typical inbound deployment
Scalable CLX Inbound Architecture
[Figure: architecture diagram. Labels: Internet, MTA with abacam (several), CLX Server, Quarantine, Email Server, CLX Admin, Message rating, Inbound, Outbound, SPAM]
CLX Outbound Solution Components
• Abacam Client, available as a milter*
• Milter plugs into Sendmail, Postfix and Zimbra
• CLX Outbound Rating Server
• CLX Administrator Console
• CLX Outbound Quarantine
Components can share hardware servers
* Note: the abacam client is run on a standard MTA
Outbound Spam Filter Deployment
[Figure: deployment diagram. Labels: MTA with abacam (several), CLX Outbound Server, CLX Outbound Quarantine, Email Server, Admin, Inbound training information, Rate request, Rate response, Feedback, Outbound, SPAM]
Abaca CLX Clustering
• Redundant component deployment
• On the MTAs, Abacam requests ratings from multiple servers
• Reputation data is synchronized and shared
• If CLX Server hardware fails, Abacam routes requests to the remaining servers
• User preferences are preserved
• Message flow is not interrupted
• Accuracy is maintained
• When the hardware is serviced and is back online, CLX Server will be included in rating requests
Abaca CLX Cluster Architecture
[Figure: cluster diagram. Labels: Client (abacam) (several), Incoming Request (Rate Inbound, Rate Outbound, Feedback), Load Balancer (abacam), CLX Rating Cluster, CLX Rating Server (two), Synchronization (Outbound Messages, Feedback), Cluster Exploded View]
• > 50 million mailboxes: Mail flow partitioned between CLX servers
• < 50 million mailboxes: Round-robin partitioning used
Blue fill indicates Abaca components
Abaca CLX Multi-site Support
Redundancy at the site level is supported through synchronization between each site
• Servers are synchronized and share reputation data
• Synchronization does not require significant bandwidth between servers or sites
• Emails for a user can come into either site at any time and will be processed with the same results
• When a site becomes unavailable, the remaining site will rate the entire message flow
• User preferences are preserved
• Message flow is not interrupted
• Accuracy is maintained
Abaca Multi-site CLX Deployment
[Figure: multi-site diagram. Labels: CLX Server (four), Feedback and outbound synchronization, Rate requests, Failover rate requests]
Abaca Difference
• Proactive Real-Time Defense
• Learns in real time so not playing catch up
• No blacklists to update
• No content rules to maintain
• Set and forget
• Language-independent
• Encryption-independent
• Rated quarantine highlights useful mail
For more information
John Jefferies
General Manager and CMO
JJ@Abaca.com
408.205.5320
ADDITIONAL SLIDES
Attack / Prevention Technique
• Attack: They could buy a box and pollute one global server
  Prevention: Limit the # of daily contributions per unique user
• Attack: They could use accounts within an ISP to create good reputations at that ISP to allow spammers to attack that ISP from the outside
  Prevention: Yahoo could Use someone else’s global
• Attack: Spammers buying good lists and using them exclusively
  Prevention: Treat any unsolicited email as bad, regardless of the reputation of the receiver, so anyone sending out mass mailings all of a sudden gets caught, regardless of list quality
  Prevention: Use logistic regression filter
  Prevention: If spammers are using a fixed IP range, block those
  Prevention: Good list will eventually become bad (the weaker addresses)
When it Comes to Filtering Accuracy Matters
* For a 1,000 person entity whose employees receive 50 messages / day
>100 times faster than other approaches
• The core algorithm is very simple
• Currently rates at over 100,000 msgs/sec/core
• A single quad core PC w/32G RAM can easily handle the ratings for 20M users with just 5% of the CPU capacity
• Cost is about $4,000
Accurate rating allows a personalized greyzone
• One size doesn’t fit all: some hate FPs; others hate spam
• Each user controls the level of acceptable false positive and false negative rates
• At low user count, the “review zone” is less than 1 message out of 100
Accuracy increases over time
• Each message is rated using the real-time data
• No time delay for push “updates”
• Huge number of raters
• Every RCPT TO is a rater
• Every rater is extremely accurate
• It is the user’s statistics that we use, not their human opinion (which is far less accurate than their stats due to phish, operator error, etc)
• The raters work for us 24x7 (for free)
• Other systems rely on human feedback which is sporadically available
• Our raters “decide” instantly
• No time delay; messages are rated before the content is received
Who Uses Abaca?
Market | Solution | Product
Enterprise | CLX; Hosted Solution | CLX Solution; CLX Outbound; Cloud Service (beta)
xSPs | Complete Solution; Abaca Rating Engine; Outbound Spam Filter | CLX Solution; CLX Engine Only; CLX Outbound
VMware Customers | Virtual Appliance | VPG
SMBs | Hardware Appliance | EPG
Education | Hardware Appliance; Virtual Appliance; Outbound Spam Filter | EPG; VPG; Outbound Filter