Saturday, March 31, 2007
blocking vs filtering
A poster on Techrepublic boasted that his workstation security suite (for MS-Windows) "blocks" spam.
AVG Internet Security does a lot of good things. I recommend it to my customers who still use Windoze. We prefer it to Symantec or McAfee. But it doesn't block spam. Nor do its competitors.
If you're using the typical consumer setup where you download your email via POP3 from your ISP's mailbox server, your workstation doesn't see the spam until it's already been delivered.
AVG Internet Security and its competitors filter spam. That is, they analyze and sort it. One good optimization you can do with POP3 is pull all the message headers, analyze them, and delete the obvious spam from the mailbox before downloading the whole messages. I'd be surprised if they don't do that, at least as an option. But that's not available if you want to download all the spam into a local spam "folder" to look for false positives.
Only your email service provider can block spam. That's because blocking happens before the SMTP server (receiving system) has accepted the message. The SMTP server has to consider the source while the wanna-be SMTP client (sender) is waiting to connect, or analyze the message on the fly while the client is waiting for a response.There are two significant differences between blocking and filtering.
- Blocked spam from spamware just disappears. (Spamware is the specialized software criminal spammers use for sending. Most of it is installed on PCs the criminals have broken into, using trojans or rootkits or the like. A lot of it just connects and blasts away, without paying any attention to the responses from the SMTP server.) But blocked spam from a "legitimate" sender piles up in the sender's outbound queue or gets returned. That gives the sender feedback that he's sending unwanted mail and/or the address is bad. In the case of a legitimate sender exploited by a criminal spammer, it gives him feedback that his security is compromised. Filtered spam appears to the sender to have been delivered. The "legitimate" spammers (the minority who try to comply with CAN-SPAM et. al.) are deprived of the chance to clean bad addresses off their lists. Those criminal spammers who pay any attention to SMTP responses at all are told your address is deliverable, which makes it more valuable to sell to other spamemrs. In the end, filtering is a way of (partially) automating the process of "just hitting delete." It adds to the overall problem.
- Blocked spam doesn't cost the non-recipient anything to store or download. And blocking before body content analysis is a whole lot cheaper than filtering.