Postini: Anti-spam Update February 2008
It should be no secret by now that we are currently in the midst of migrating all of our customers over to a new anti-spam platform that we have been developing in conjunction with Postini. Spam has been a very hot topic in our forums of late and our Customer Support Centre have also reported large increases in the number of customers who are getting in touch to report spam related problems. A lot of customers have already been moved to Postini, but the work is a multi-stage project and some customers have been unsure what to expect after migration. Many may not know that they're on the new platform yet, whilst others will be curious as to when their accounts will be getting migrated. This blog post is intended to clear up a lot of this confusion, answer some of the more commonly asked questions and provide an overall update regarding the progress of the project...
- The trouble with spam
- The story so far
- Is it working?
- How can I tell if I have been migrated?
- I haven't been migrated yet. When will this happen?
- What should I expect once my account has been migrated?
- Interpreting headers
- Understanding spam scoring
- False Positives
- Postini's not tagging emails properly
- Can I switch Postini off?
- What's next?
- Further Reading
Spam is on the rise. Year on year it gets progressively worse and historically, the Christmas period has always been particularly nasty. Last year was no different.
Tis the season to be jolly, but this month’s spam levels brought little cheer to anti-spam analysts." - Symantec's December 2007 State of Spam Report.
Spam is one of the biggest challenges facing Internet consumers, corporations, and service providers today. It can be very expensive to deal with, consumes a lot of time and resource, and most importantly causes a massive inconvenience to the customer who's left to trawl through it all in search of their genuine email.
In just the same way that traditional anti-virus countermeasures can be targeted during an outbreak, by the time the anti-spam vendor has obtained a sample and produced a signature, the attack is already over." - MessageLabs Annual Security Report 2007.
In their November 2007 Threat Advisory, Postini stated that they were blocking approximately 23 spam messages for every one valid email message sent through their systems. This figure has almost doubled since 2006 when only 12 in every 13 messages were being blocked (Source - 2007 Postini Communications Intelligence Report). According to Postini, the average unprotected user during 2007 would have received 32,000 spam messages. This is compared with 20,000 spams the year previous and results in an overall 60% year over year increase.
Bill Gates’ 2004 prediction of spam being eradicated within two years definitely missed the mark. But no one could have predicted the dramatic resurgence of spam in 2007... - Symantec's December 2007 State of Spam Report.
During the latter part of last year we began trialling a number of third party spam filtering solutions on our internal and external mail platforms. It was following these trials that we went on to sign an agreement with Google-owned security experts Postini. Since then, we have been working hard alongside our new partners to help improve the level of spam protection we currently offer to customers. So far we have migrated just over 330,000 user accounts to the new Postini platform. This includes but is not limited to:
- All Free Online customers.
- All Force9 customers.
- All Metronet customers.
- Approximately a third of PlusNet customers.
We have also migrated 8 batches of customers who have pro-actively asked to be moved across to the new platform ahead of their planned migration date. There are an estimated 130,000 user accounts that are yet to be migrated. These comprise mainly of PlusNet and PlusNet UK accounts. All migrations are currently scheduled to complete by the second week of February.
Yes. Before the implementation of Postini our old mail filters would block approximately 45%-65% of all email as spam. Thanks to Postini, this figure is now consistently above 90%. It's hardly surprising to hear therefore, that customers on the new platform have been reporting significant reductions in the volume of spam email sent to their addresses since being migrated to the new service. NB: Blocked Account Messages do not account for emails that are tagged as suspected spam and delivered to the customer. Not only does these mean less spam for customers, it also means that our mail delivery servers have considerably less work to do. When under sustained load, the mail delivery servers are less efficient at processing incoming messages and this has the potential to cause email delays and other problems for our customers. Here you can see the effect the migration of Force9 customers to Postini had on our platform: The following shows the current state of the mail queues. Notice the scale on the vertical axis of the graph! This is a remarkable step in the right direction, even more so when you consider that we still have 130,000 customers who are yet to be migrated!
There are a number of ways you can tell whether or not you've already been moved to Postini. One method is to check the headers of some of your received email. The headers of an email show the route a particular message has taken across the Internet. Below we can see that the email has been passed from the sender (1) to Postini (2), and then onto our mail delivery servers (3). You can also see the spam scoring headers (4) added by the Postini systems when the message is filtered. Any reference to Postini in the headers of your email is a strong indication that you have already been migrated. For further information on how to view the headers of an email, take a look at the support article on our website here. Another method, is to perform a DNS Lookup to see what servers are responsible for handling email for your username or domain. This can be done using the DIG command in Unix or the NSLookup command in Windows. You can also do this using an online DNS lookup service like the one here. Under Domain Name enter the bit after the '@' sign of your email address. Select Mail Exchange (MX) from the drop-down below and click Perform Query. What you are looking for are the names of the servers that are handling your email. If you haven't been migrated yet then these will be our mx.core and mx.last servers and the output will look something like this: This is what the output looks like for a customer who has been migrated to Postini: Any additional domains you have hosted on your account (e.g. co.uk addresses) will return slightly different DIG results. It's also worth bearing in mind that it can take longer for your hosted domain records to update as explained here.
Whilst we're unable to provide customers with specific migrations dates, we estimate that all customers will have been transferred to the new anti-spam platform by the second week of February. Most of these migrations are scheduled to take place early next week and will be announced in advance via our Service Status feed.
Because the migration to Postini involves what's known as a DNS update it can take up to a week before the full benefits of the improved spam filtering are seen. It helps to think of the migration of users as a three stage process, with each stage introducing further layers of spam protection.
- Add the domain to Postini. This is the physical addition of your email address to Postini's spam filtering systems. Postini need to know about the addresses they have to provide filtering for. If they don't then your email will be refused when it tries to pass through the Postini's spam filters.
- Update the DNS records The second step is to update the DNS records for your domain. DNS records are what tell other mail servers where to send the email that's addressed to you. Instead of pointing your DNS records to our servers, we first send it to the Postini system so that it can be spam filtered. It takes 24-48 hours for the rest of the Internet to recognise this change. During this time there will be a gradual decrease in the volume of spam emails sent to your mailbox. You should also start to see some emails being marked as [-SPAM-] by Postini (assuming you have this option enabled in the Member Centre). You can tell if this step has been completed by performing a DNS Lookup on your domain. NB - It can take up to a week to update the DNS records for any additional domains you have hosted on your account. This includes things like .co.uk and .com domain names.
- Block attempts to bypass Postini's spam filtering. Even after your DNS records have been updated, some email may still be getting sent to you via the old anti-spam platform. This is a trick used by spammers and it results in emails bypassing the Postini systems. To prevent this happening we put a block on all email that has not been sent through the new spam filters. This block is applied roughly 7 days after the DNS update and brings with it a further reduction in spam and improved detection levels.
The Postini system adds a number of spam scoring headers before passing messages to our mail servers for delivery. It's these headers that are used to decide whether or not an email is or isn't spam. Based on this decision the message is then either rejected, delivered or delivered with [-SPAM-] in the subject title. The official Postini documentation regarding the various headers can be found here. Also available is a tool in to which the headers for any email which has gone through the Postini servers can be posted. This tool can be found here and gives a detailed analysis as to why an email was or wasn't considered to be spam. It's worth bearing in mind that due to refinements with our implementation of Postini this tool can return inaccurate results so should be used as a guide only. Further discussion regarding the interpretation of headers can be seen over in the forums here.
We've made a number of changes to our spam scoring heuristics since we started the migration of customers to the new platform. Whilst the following information is accurate at the time of writing, it is subject to change as we continue to refine the accuracy of the filters. Most customers will probably want to skip this section unless they are interested in the finer technicalities of the scanning heuristics. Where an email is detected as possible spam, we insert a header of our own (x-pn-pstn). This header is then assigned a score between 1 (more likely to be spam) and 5 (less likely to be spam). At the moment we're only spam tagging emails with an x-pn-pstn score of 1. Emails that have little or no spam characteristics do not contain the x-pn-pstn header at all. The x-pn-pstn score is derived from the X-pstn-levels Postini header, in particular the value highlighted in bold: X-pstn-levels: (S:41.96081/99.90000 R:95.9108 P:95.9108 M:95.5423 C:98.6951 ) The closer to zero this value is, the more likely it is that an email is spam. The category values in the X-pstn-levels header can also influence the spam score we assign an email. These values are highlighted in bold below. if any of these fall below 85.0 then the message is automatically assigned an x-pn-pstn score of 1 and tagged as [-SPAM-]. X-pstn-levels: (S:41.96081/99.90000 R:95.9108 P:95.9108 M:95.5423 C:98.6951 ) *Please note that since this article was originally published, the category value spam scoring has been withdrawn.* Another important Postini header is X-pstn-neptune: qtine. This header further increases the likelihood of a message being spam and therefore increases the scoring by a level e.g. from x-pn-pstn: Spam 3 to x-pn-pstn: Spam 2. NB - Customers should be aware that there are some circumstances that can override the rules above, one example includes trusted senders that have been white-listed in the system.
As with any piece of work of this scale, it would be unreasonable for us not to have expected a few snags along the way. You'll find the details regarding most of these issues over on our Service Status feed and in our Community Site forums. Fortunately, we've been able to resolve most problems quickly and efficiently with minimum interruption to the customer. Feedback from customers on the new platform has been largely positive, with many reporting significant improvements in the accuracy of the spam filter.
A number of customers have reported that some of their legitimate email is being incorrectly identified as spam since being moved to the Postini platform. This tends to affects bulk emails and mailing list traffic which contains a lot of the common spam characteristics that the Postini's filtering mechanisms look for. Whilst it's unrealistic to expect a junk email filter to be 100% accurate, we are continually looking at ways to further improve the accuracy of the filter. Any feedback you may have about this over on our Community Site discussion forums.
A false positive is any legitimate message that has been mistakenly marked as [-SPAM-] by the system. The opposite of this is a false negative where a spam email arrives undetected in your inbox. Examples of both of these can be forwarded to us for analysis. Whilst this may not result in immediate improvements, it will help us and Postini to further refine the accuracy of the spam filters. We do expect messages from some mailing lists and bulk mailers to be incorrectly identified as spam due to some of the characteristics they exhibit. In many cases the best way to deal with these will be to add the originating addresses to your approved-sender white-list (See 'What's Next?'). Legitimate messages that have been mistakenly marked as [-SPAM-] should be forwarded as an attachment to email@example.com. Spam messages that have not been marked as [-SPAM-] should be forwarded as an attachment to firstname.lastname@example.org. Alternatively, if you use Webmail you can use the Spam and Not Spam buttons which cuts out most of the hard work for you. NB - Multiple attachments can be forwarded in a single email. For further details regarding the forwarding of emails as attachments please see our online Help & Support article
We strongly recommend that all customers enable anti-spam filtering on their accounts. Whilst we will be making it possible to switch Postini off via the Member Centre, this is not something we suggest that customers do. We will eventually be switching our old spam filters off and when we do, turning off Postini will leave you with absolutely no spam protection whatsoever. Customers who wish to receive a completely unfiltered email feed are instead advised to consider the use of SMTP for the delivery of their email. If you would still like to request the removal of your account from the Postini platform, then you should raise a ticket citing your reasons by following the instructions provided here.
Next week we will continue with the migration of the remaining 130,000 accounts to the Postini platform. Once complete, we will then focus on making available additional spam controls under the Manage My Mail area of the Member Centre. This will include, but is not limited to, the ability to white-list and black-list your own email addresses or domains. These white-lists/black-lists will only apply to your account and will ensure that the emails you want to receive are never incorrectly identified as [-SPAM-]. This work is currently scheduled to be completed by the end of March and further details will be posted to our Service Status feed nearer the time.
Spam filtering isn't the only thing you can do to help cut down on the volume of unsolicited mail you receive. There are a number of tricks and tips for optimising your email using the Manage My Mail tool in the Member Centre.
- Symantec's December State of Spam Report
- MessageLabs Annual Security Report 2007
- Postini Threat Advisory November 2007
- Commtouch Q4 2007 Email Threats Report
Bob Pullen PlusNet Comms Team
You must be a registered user to add a comment here. If you've already registered, please log in. If you haven't registered yet, please register and log in.