Tuesday, December 5, 2006

Turntide Still Working Away: Not perfect but pretty close

"Not perfect but pretty close" is what this Computerworld article concluded about the anti-spam technology I helped create a few years ago.

It was maybe early 2001 when I was sitting around a table in a basement in Pennsylvania with a couple of friends discussing ways of fighting spam. Back then there were not many people who believed spam would become a huge problem. Many dismissed it as a mere nuisance. Boy, were they wrong.

Anyway, we had been focusing on a way of certifying email as legitimate, so only legitimate email would be allowed to get through to your inbox. This was the inverse of attempts to stop spam by allowing all email in unless it came from a known bad source. Early anti-spam products were emerging that followed the allow-all-but-known-bad model, including some attempts to filter messages on a case-by-case basis according to their content. But a couple of us were skeptical about this approach. It seemed to be based on an anti-virus scanning model (and we all knew how well that was working--not!). Furthermore, when these filter systems produced false positives, that meant valuable messages might be delayed or lost.

So we analyzed spam from the spammer's perspective. What was the motive? What would be a disincentive? Virus writers were not being deterred by legal penalties and so we doubted that approach would dissuade spammers. But we realized spammers are different from your classic virus writers: spammers are in it for the money.

So we followed the money. What we found was a fairly simple formula. If a spammer can't get X number of messages into network N within Y period of time, the spammer will move on to the next network, N1, and so on. This is because the spammer makes money off such a tiny percentage of responses. To be cost-effective there have to be huge numbers of messages delivered on target within the relatively short period of time that exists before a particular spam site is shut down.

Aha! we said. If only there was a way to slow down messages from spammers. One of us, David Brussin, realized that there was a TCP/IP mechanism for slowing down network response, and we figured out how we could couple that to a spam detector mechanism. The result was a device that sat on the edge of a network, or at an ISP, and slowed down network connections if they appeared to be delivering spam. The first test results were amazing. The device, dubbed "SpamSquelcher" after those knobs on ship radios which tune out noise, literally saved a regional ISP from being overwhelmed by spam.
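The economics above can be put into a small model. This is an added example, not SpamSquelcher or TurnTide code: it assumes a detector verdict per message and a per-source delivery rate that falls as the running spam score rises, and every constant and name in it is an assumption chosen for illustration.

```python
# Added illustration; rates, thresholds and names are assumptions, not TurnTide's.
from dataclasses import dataclass

FULL_RATE = 50.0    # msgs/sec for a source with a clean record (assumed)
FLOOR_RATE = 0.05   # msgs/sec for a source judged to send only spam (assumed)
ALPHA = 0.2         # weight of the newest detector verdict in the running score
X_NEEDED = 50_000   # "X": messages the spammer must land to profit (assumed)
Y_WINDOW = 3600.0   # "Y": seconds before the spam site is shut down (assumed)

@dataclass
class Source:
    score: float = 0.0  # running estimate of the spam fraction, 0.0 to 1.0

    def observe(self, is_spam: bool) -> None:
        self.score = (1 - ALPHA) * self.score + ALPHA * float(is_spam)

    def seconds_per_message(self) -> float:
        # Geometric interpolation between FULL_RATE (score 0) and FLOOR_RATE (score 1).
        rate = FULL_RATE * (FLOOR_RATE / FULL_RATE) ** self.score
        return 1.0 / rate

def deliver(verdicts, window=Y_WINDOW):
    """Feed detector verdicts for one source; return (delivered, elapsed_seconds)."""
    src, clock, delivered = Source(), 0.0, 0
    for is_spam in verdicts:
        cost = src.seconds_per_message()
        if clock + cost > window:
            break                     # window closed: the rest never arrives in time
        clock += cost
        delivered += 1
        src.observe(is_spam)          # the verdict shapes the next message's delay
    return delivered, clock

def campaign_pays_off(delivered, needed=X_NEEDED):
    return delivered >= needed

# Constructed inputs: a bulk spam run, and a legitimate sender whose mail is
# misclassified once in every 50 messages (a false positive).
SPAM_RUN = [True] * 100_000
LEGIT_RUN = [i % 50 == 49 for i in range(2000)]

if __name__ == "__main__":
    spam_n, _ = deliver(SPAM_RUN)
    legit_n, legit_t = deliver(LEGIT_RUN)
    print(f"spam run: {spam_n} delivered, pays off: {campaign_pays_off(spam_n)}")
    print(f"legit run: {legit_n}/{len(LEGIT_RUN)} delivered in {legit_t:.1f}s")
```

In this model the spam run lands only a couple of hundred messages inside the window, while the legitimate sender's false positives cost it a few seconds of delay and no lost mail.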

Selling this idea to end-users was a tough one. The device worked best on larger networks. This was not something you could give away to end-users for free and hope that big companies would pay for licenses. Eventually the product was re-launched as TurnTide and acquired by Symantec, which incorporated it into their product line. Today there are a lot of corporate and academic networks using this technology to save bandwidth and protect their networks. If a lot more of them would do the same, particularly ISPs, then the net volume of spam might actually go down.
