Abaca: The World's Most Effective Spam Filter

Next Generation Protection

Against a Dangerous

New Generation of Spam

Abaca The world’s most effective spam filter

Agenda

Traditional spam defenses suffer Abaca Corporation Next-generation technology Abaca Products

A History of Flawed Anti-spam Approaches

Blacklists Slow and insufficientPunishes the innocent

Rules-based Slow and labor intensive

Content inspection Relies on end users reportingConsumes much memory

Decoys and Honeypots Relies on slow humans to write rules, Trouble differentiating similar messages

Collaborative checksum Reactive — damage already doneChecksums can be defeated

Greylisting Unacceptable delay easy for a spammer to defeat

Accuracy Claims have been Greatly Exaggerated

Vendors trade false positives for accuracy

About Abaca

Abaca: A Steve Kirsch Company Mouse Systems – 1st Optical Mouse Frame Technology – Desktop Publishing (Adobe) Infoseek – Internet Search Engine (Disney)

Founded during 2005 in San Jose, California Next-generation anti-spam with unsurpassed accuracy Battle-tested at Yahoo!Mail – a juicy spam target Over 350 million email accounts under contract

Abaca Delivers Critical Component Of Messaging Security

Effectiveness /Accuracy

Ease of Administration

Messaging Security : Large and Growing Market

IDC: worldwide messaging security market

11.5% CAGR

Customer Successes

“Abaca offers superior e-mail security capabilities and has built a reputation for reducing unsolicited e-mail within mailboxes. We believe that by deploying Abaca’s solution with our anti-spam toolkit, we will offer Yahoo! Mail users not only added email security, but an enhanced user experience as well.”

John Kremer

Vice President of Yahoo! Mail

“Their remarkable performance, combined with Abaca's scalability and flexibility guaranteed the performance we were looking for.”

Marco SchillingDirector of Technology, Terra Latin America

Next Generation Anti-spam Technology

Real-time, crowd-sourced

Abaca © 2010, All rights reserved 8

Abaca Works Because Spam Obeys Some Laws

Defined by relationship between sender and receiver,

not the content RCPT TO is the only familiar item Must be sent in high volume Spammers must send to people who collectively

receive more spam than average Recipient’s ham:spam mix is relatively constant

From:

To:

Envelope Contains the Key not the message

Receiver Reputation:A Unique and Protected Algorithm

Receiver reputation precisely differentiate spam from legitimate messages

Characterize (by passive observation) each protected user based on the % of spam they receive (receiver reputations)

Message ratings are based on each user's overall legitimate/spam ratio

Automatically learns and improves accuracy with real time legitimate/spam statistics for each protected user

90% Spam 75% Spam 50% Spam 25% Spam 10% Spam

Recipient Spam % = Receiver ReputationRecipient Spam % = Receiver Reputation

ReceiverNet™ Receiver Reputation

Legitimate EmailLegitimate Email

LegitimateLegitimateEmailEmail

Spam EmailSpam Email

SpamSpamEmailEmail



Based on the Reputation of the Recipients Based on the Reputation of the Recipients this Message is Spamthis Message is Spam


SpamSpamEmailEmailSpamSpamEmailEmail

SpamSpamEmailEmail


Based on the Reputation of the Recipients Based on the Reputation of the Recipients this Message is Legitimatethis Message is Legitimate



SpamSpamEmailEmail



ABACA PRODUCTSDesigned for hosted mail providers


CLX : Carrier Class Anti-spam Solution

CLX Outbound Spam Filter

CLX Outbound Spam Filter

CLX Spam Rating Engine CLX Spam Rating Engine

CLX SolutionCLX Solution

CLX Spam QuarantineCLX Spam Quarantine

* Optionally deployed in-line as supplemental filter

*

Simple Integration, Rapid Deployment

Simple programming interface Standard SMTP filtering protocols including milter

Seamless integration with messaging infrastructure Leverages existing feedback mechanisms Tag, block, quarantine or deliver messages to easily

conform to existing user behavior

Self contained, no need to open ports to outside

Reduces Anti-spam Expenses

Accurate, zero hour protection Automatic real-time reputation updates

• No waiting for new rules • No updating signatures

Reduces the burden on IT resources Green requires one tenth the CPU cycles of

conventional content-based filtering


Abaca CLX Inbound Solution Components

The Abaca CLX Anti-spam Solution includes the following components: abacam Client, available as a milter(Note the abacam client is run on a standard MTA)

CLX Inbound Rating Server CLX Feedback Server CLX Admin CLX Quarantine (optional)

Individual hardware servers are not required for all components The following slide illustrates the architecture of a typical

inbound deployment

Scalable CLX InboundArchitecture

CLX ServerCLX Server

Internet

MTA

abacamMTA

abacamMTAabacam

QuarantineQuarantine

Email ServerEmail

Server

CLX Server

Email Server

Message rating

CLX Admin

Inbound

Outbound

SPAM

CLX Outbound Solution Components

Abacam Client, available as a milter for Milter plugs into SendMail, PostFix and Zimbra

CLX Outbound Rating Server CLX Administrator Console CLX Outbound Quarantine

Components can share hardware servers

* Note the abacam client is run on a standard MTA)

Outbound Spam Filter Deployment

MTA

abacamMTA

abacamMTAMTAabacamabacam

CLX CLX Outbound Outbound QuarantineQuarantine

Email ServerEmail

Server

CLX CLX Outbound Outbound

ServerServer

Inbound training information

Email Server

AdminAdmin Rate request

Outbound

MTA

abacamabacam


ServerServer


ServerServer

CLX CLX Outbound Outbound QuarantineQuarantine

Rate response

Feedback

Outbound

Outbound

SPAM

Abaca CLX Clustering

Redundant component deployment

On the MTAs Abacam requests ratings from multiple seversReputation data is synchronized and shared

If CLX Server hardware fails Abacam routes requests to the remaining servers

User preferences are preserved Message flow is not interrupted Accuracy is maintained

When the hardware is serviced and is back online CLX Server will be included in rating requests

CLX Rating Cluster

Abaca CLX Cluster Architecture

Client Client (abacam)(abacam)

…Client Client (abacam)(abacam)

Client Client (abacam)(abacam)

Incoming Request•Rate Inbound•Rate Outbound•Feedback

Load Balancer (abacam)

CLX Rating CLX Rating ServerServer

CLX Rating CLX Rating ServerServer Synchronization

•Outbound Messages•Feedback

Cluster Exploded View

> 50 million mailboxes - Mail flow partitioned between CLX servers

< 50 million mailboxes – Round-robin partitioning used

Blue fill indicates Abaca components

Abaca CLX Multi-site Support

Redundancy at the site level is supported though synchronization between each site

Servers synchronized and share reputation data Synchronization does not require significant bandwidth between

servers or sites Emails for a user can come into either site at any time and will be

processed with the same results When a site becomes unavailable, the remaining site will rate the

entire message flow User preferences are preserved Message flow is not interrupted Accuracy is maintained

Abaca Multi-site CLX Deployment


CLX ServerCLX Server CLX ServerCLX Server


Feedback and outbound

synchronization

FailoverRate

requests

Rate requests

Abaca Difference

Proactive Real-Time Defense Learns in real time so not playing catch up No Blacklists to update No content rules to maintain

Set and forget

Language-independent Encryption-independent Rated quarantine highlights useful mail

For more information


John JefferiesGeneral Manager and CMO

[email protected]

408.205.5320

mailto:[email protected]

ADDITIONAL SLIDES


Attack Prevention Technique

They could buy a box and pollute one global server Limit the # of daily contributions per unique user

They could use accounts within an ISP to create good reputations at that ISP to allow spammers to attack that ISP from the outside Yahoo could Use someone else’s global

Spammers buying good lists and using them exclusively Make any unsolicited emails being bad, regardless of

reputation of receiver. So anyone sending out mass mailings all of a sudden gets caught, regardless of list quality

Use logistic regression filter If spammers are using fixed IP range, block those Good list will eventually become bad (the weaker addresses)

When it Comes to Filtering Accuracy Matters

* For a 1,000 person entity whose employees receive 50 messages / day

>100 times faster than other approaches

The core algorithm is very simple currently rates at over 100,000 msgs/sec/core

A single quad core PC w/32G RAM can easily handle the ratings for 20M users with just 5% of the CPU capacity Cost is about $4,000

Accurate rating allows apersonalized greyzone

• One size doesn’t fit all: some hate FPs; others hate spam

• Each user controls the level of acceptable false positive and false negative rates

• At low user count, the “review zone” is less than 1 message out of 100

Accuracy increases over time

Each message is rated using the real-time data No time delay for push “updates”

Huge number of raters Every rcpto is a rater

Every rater is extremely accurate It is the user’s statistics that we use, not their human opinion (which

is far less accurate than their stats due to phish, operator error, etc) The raters work for us 24x7 (for free)

Other systems rely on human feedback which is sporadically available

Our raters “decide” instantly No time delay; messages are rated before the content is received

Who Uses Abaca?

Market Solution ProductEnterprise CLX

Hosted Solution

CLX SolutionCLX OutboundCloud Service (beta)

xSPs Complete SolutionAbaca Rating EngineOutbound Spam Filter

CLX SolutionCLX Engine OnlyCLX Outbound

VMware Customers

Virtual Appliance VPG

SMBs Hardware Appliance EPG

Education Hardware ApplianceVirtual ApplianceOutbound Spam Filter

EPGVPGOutbound Filter

Abaca: The World's Most Effective Spam Filter

Technology

Transcript of Abaca: The World's Most Effective Spam Filter