Antispam Configuration Issues Decisional Brief Followup

1
Antispam Configuration IssuesDecisional
BriefFollowup

• Don Holtzer
• NOAA Office of the CIO
• Messaging Operations Center
• October 17, 2006

2
Outline

• Purpose
• Alternatives
• Alternative 1 - Status Quo
• Alternative 2 - Offsite Quarantine
• Alternative 3 - Junk Folder
• Alternative 4 - Centralized Quarantine Service
• Alternative 5 - Hybrid Option
• Recommendation

3
Purpose

• This is a followup decisional briefing
• Need to deal with growing amount of spam From
  whitelisted (_at_noaa.gov!) addresses
  
• The MOC is tasked with dealing with false
  positives in coordination with NOAA email
  administrators and helpdesks in the field.
  

4
Purpose (continued)

• The MOC is currently reviewing and interpreting
  messages quarantined as spam to look for false
  positives, or incorrectly marked legitimate
  messages
• With the growing volume of spam, there is a
  growing volume of messages to search through and
  a growing volume of false positives
  
• Important messages can get overlooked or
  misinterpreted as spam and never make it to the
  recipient
  
• Alternatives 2 through 5 address this issue

5
Alternatives

• Status Quo - One central admin to review
  quarantine in MOC
  
• Offsite Quarantine Vendor hosted user
  quarantine folders
  
• Junk Folder Quarantine in user mailbox
• Centralized Quarantine Service Multiple central
  quarantine reviewers
  
• Hybrid Option Combination of Junk Folders or
  user quarantines and centralized quarantines

6
Alternative 1 Status Quo

• Current solution
• All spam is quarantined in MOC
• Quarantine is reviewed by MOC engineer
• Costs currently high level engineer (166K) is
  being redirected from other technical projects,
  would need to hire less costly person (75K),
  plus support for quarantine server (5K per
  year)
• Gartner
• Considered wasteful
• For the same money, one could buy a better
  antispam solution
  
• It should not be up to IT to decide what is spam
  and what is ham
  

7
Alternative 1 Status Quo

• Pros
• No change for users
• No change to messaging infrastructure
• 70,000-100,000 spam messages filtered out per
  day
  
• Cons
• Need full time person to review 10-20K msg/day
• Additional helpdesk time for false positive
  resolution
  
• Potential delay/non-delivery of messages
• DOC PTO also uses this method, and is
  considering moving.
  

8
Alternative 2 Offsite Quarantine

• Low-scoring spam and false positives stored in
  quarantines at antispam vendor site
  
• Individual quarantines for users
• Accessed and managed by users
• Costs offered at no extra cost by antispam
  vendor
  
• Hidden costs? Vendor resources redirected from
  other work
  
• Gartner
• Considered Industry best practice
• Saves Quarantine away from Infrastructure
• Allows users to manage personal
  whitelists/blacklists

9
Alternative 2 Offsite Quarantine

• Pros
• No central resources to review quarantine
• Most widely used in private industry and
  government (most popular in DOC OSEC, NIST,
  ITA)
  
• No additional cost with our current antispam
  vendor
  
• Saves helpdesk/MOC time dealing with false
  positives, whitelisting and blacklisting
  
• Allows elimination of _at_noaa.gov whitelisting
• Users will not be sent egregious spam

10
Alternative 2 Offsite Quarantine

• Cons
• Capability tied to provider
• User training required
• Could be considerable - very visible change to
  users
  
• Interface involved
• IT Security risk of exposed URLs in notification
  message
  
• User control of whitelist/blacklist may lead to
  inadvertent problems
  
• Provider distracted from primary antispam
  mission
  
• User-reviewed quarantine (Average of 1-5 messages
  per week)
  

11
Alternative 3 Junk Folder

• Low-scoring spam and false positives stored by
  server in junk folders in user mailboxes
  
• Users can look in junk folder for missing
  messages
  
• Costs - one week of 1.5 persons total (will
  actually be multiple persons across multiple
  servers) - 4.8K
  
• Write plan
• Write documentation for helpdesks
• Write filters for servers
• Write installation instructions
• Install
• Gartner
• Considered a good practice
• Requires sufficient infrastructure to handle load
  of additional inbound messages

12
Alternative 3 Junk Folder

• Pros
• No Delay of messages to users
• User ability to identify false positives
• No Centralized resources for reviewing
  quarantine
  
• Saves helpdesk/MOC time dealing with false
  positives, whitelisting and blacklisting
  
• Allows elimination of _at_noaa.gov whitelisting
• Users familiar with solution in use by ISPs
• Users will not be sent high-scoring spam (moved
  aside to specialized server)
  
• Cons
• - User-reviewed quarantine (Avg1-5 msgs per
  week)
  
• User training required
• Minimal not a major visible change for users
• Infrastructure modification required (8 hours by
  MOC)

13
Alternative 4 - Centralized Quarantine Service

• All spam goes to MOC
• Multiple persons scan the quarantine
• Option one with more resources devoted to effort
• Costs 75K per reviewer does not require high
  level engineer. Absolutely need at least two for
  increased level of service (150K). Still need
  engineering support to manage quarantine server
  (additional 5K per year fraction of engineer)
• Costs paid for by direct bill
• Gartner
• Not recommended
• Same reasons as Option 1
• Expensive (Too expensive?)

14
Alternative 4 - Centralized Quarantine Service

• Pros
• Same as Alternative 1 with more resources
• May improve false positive forwarding
• Not using system engineer time to review
  quarantine
  
• Use two less skilled employees
• Cons
• Higher costs
• Decisions made by quarantine miners
• Still need system engineering to run/manage
  quarantine server
  

15
Alternative 5 - Hybrid Option

• Combination of Junk Folders or user quarantines
  and centralized quarantines
  
• Subset of users could opt-out
• Costs dependent on scope
• Very small (5-8K per year) if option two or
  three is chosen and there is a short arbitrary
  list of users who would still relay on
  centralized quarantine, still requiring server
  support and some quarantine scanning in MOC.
• Costs rise as opt-out list grows or if interface
  is created to allow users to opt-in/opt-out
  themselves. (Note, self-opt-in/out is not
  available with option 2)
• Gartner
• Adds complexity
• May be worth doing if managed properly

16
Alternative 5 - Hybrid Option

• Pros
• Obvious flexibility for management of users who
  absolutely insist on not having junk folders or
  their own quarantines
  
• Combined pros of other options
• Cons
• Resources still needed for central reviewing
• Requires process and system design/implementation
  for opt-in/opt-out
  
• Requires some infrastructure change
• May require directory schema change
• Installation or modification of interface
  servers
  
• Costs and resources needed depend on the scope

17
Recommendation

• The EMC recommends alternative 3.
• OAR Jeremy Warren Option 3
• NOS Tom Murphy Option 3
• NESDIS Charly MacFarland Option 3
• OCIO/Staff Offices Tonya Banks, Trena Simon
  Option 3
  
• NMAO Greg Bass Option 3
• Fisheries Bill Bradley Option 3
• NWS Mike Jackson Option 3