The End of Content - PowerPoint PPT Presentation


Transcript and Presenter's Notes

1
The End of Content
  • And the Rise of IP Analysis

Inbox Event, San Jose, June 3, 2004
Andrew Lochart, Director of Product Marketing
2
The Trends
  • The spam war is changing from a content filtering
    battle to a real time SMTP connection battle
  • Content checking is still important, but not the
    first or best defense
  • The key to defending against spam is to move up
    the SMTP connection, closer to the spammer

3
The Game Continues
  • Spammers aggressively modify their messages to
    defeat content analysis
  • Hash busting
  • Bayesian poisoning
  • These are relatively easy to spot and program
    around
  • Spammers becoming still more covert

4
A Disturbing Trend
  • Spam is becoming personalized and unique

5
Worse Yet.
  • Reduced content means reduced context

6
The Logical End Point
  • The empty message
  • But is this spam?
  • Residue from Directory Harvest Attack

7
Not Just a Content War
  • An 83% increase in Directory Harvest Attacks in
    the last 6 months
  • But in that time, we've tracked a 26% reduction
    in Recipient Address Lookups per attack
8
That Isn't Good News
  • DHAs hit hard and fast

9,270 Recipient Address Lookups
9
Coordinated Across Many IPs
472 Unique IPs. A 4x increase in minute 1
10
IP Transience
  • Spammers are much more aggressive about moving
    through IPs
  • Ex post facto log analysis is futile
  • Moving across compromised machines
  • 36% of Postini Threat Identification Network
    (PTIN) blocks resolve to cable modems and DSL
    lines, which should not be relaying SMTP directly
  • Shows the effectiveness of spam zombie trojan
    horses like Bagle, Netsky, etc.

11
In Just Six Months
188 million inbound SMTP connections handled that
day
401 million inbound SMTP connections handled that
day
Postini turned on shared Postini Threat
Identification Network (PTIN) connection blocks
in October, 2003.
In other words, Postini currently blocks more
than 50% of all connections without looking at
the message.
12
Conclusion
  • Can't just rely on message content
  • IP-based intervention is required, but standard
    methods are inadequate
  • Not accurate
  • Too static
  • The key is to get as close as possible to the
    spammer
  • We cannot get behind their firewalls, so the best
    thing we can do is watch their behavior at the
    connection layer and shut them down before they
    do any harm

13
Conclusions
  • Need to instrument and cross-correlate SMTP
    behavior across numerous source / destination
    pairs
  • In real time
  • With automated blocks and releases
  • Real-time Postini Threat Identification Network
    is uniquely able to respond to this changing
    landscape
  • Based on more than 400 Million SMTP connections
    per day
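
An added example (not from the presentation, and not Postini's implementation) of the approach in slides 7 to 13: failed recipient lookups are counted per destination domain across all source IPs in a sliding window, contributing IPs are blocked, and blocks expire automatically. The class name, thresholds and sample addresses are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict, deque

# All four thresholds are assumed values for this example.
WINDOW = 60        # seconds of lookups remembered per destination domain
MAX_INVALID = 20   # failed lookups per domain per window that signal a DHA
MIN_PER_IP = 2     # failures needed before an IP is treated as a participant
BLOCK_TTL = 300    # seconds until a block is released automatically

class DhaMonitor:
    def __init__(self):
        self.failed = defaultdict(deque)  # domain -> (ts, ip) of rejected RCPT TO
        self.blocked = {}                 # ip -> time the block expires

    def is_blocked(self, ip, now):
        if ip in self.blocked and self.blocked[ip] <= now:
            del self.blocked[ip]          # automated release
        return ip in self.blocked

    def rcpt(self, ts, ip, domain, valid):
        """Score one RCPT TO result; return 'reject' or 'accept'."""
        if self.is_blocked(ip, ts):
            return "reject"
        if valid:
            return "accept"
        q = self.failed[domain]
        q.append((ts, ip))
        while q[0][0] <= ts - WINDOW:     # drop lookups older than the window
            q.popleft()
        if len(q) >= MAX_INVALID:
            # Correlate across sources: no single IP needs to look abusive.
            for src, n in Counter(i for _, i in q).items():
                if n >= MIN_PER_IP:
                    self.blocked[src] = ts + BLOCK_TTL
        return "reject" if ip in self.blocked else "accept"

def demo():
    """Constructed traffic: 10 sources, 3 bad lookups each, plus one typo."""
    mon = DhaMonitor()
    mon.rcpt(0, "198.51.100.7", "example.com", valid=False)   # honest typo
    for i in range(30):
        mon.rcpt(1 + i, f"203.0.113.{i % 10}", "example.com", valid=False)
    return mon
```

Each attacking address makes at most three lookups, so a per-IP rate limit alone would not fire; the per-domain count is what exposes the coordinated sources while the single mistyped recipient stays unblocked.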

14
Can Your Solution Do That?

Capability                                                                | Postini's Managed Service | Internally Deployed Solution
Provides Real-time IP Analysis Blocks                                     | Yes                       | No
Network Effect                                                            | Yes                       | No
Keeps Threats Completely Off Network                                      | Yes                       | No
Immediate Deployment Protection For All Users, Regardless of Location     | Yes                       | No
Flexible Scalability (small price step function)                          | Yes                       | No
Email volume not a cost driver                                            | Yes                       | No
Fully Redundant                                                           | Yes                       | No
No Maintenance, No Patches, No Forklift Upgrades                          | Yes                       | No
Easy to Try (simple mx redirect)                                          | Yes                       | No
15
Postini At a Glance
  • We operate the world's largest and most advanced
    email security management system
  • Patented technology has been in commercial use
    for 4 years
  • Currently processing more than 1.3 billion email
    messages per week for more than 3,300 companies
    and 5 million users worldwide
  • Fourth largest email system in the world behind
    AOL, Yahoo!, and Microsoft (MSN/Hotmail)
  • Our managed service model works better,
    implements faster, and delivers more value than
    any alternative on the market today

16
Postini Perimeter Manager
[Diagram: Customer's Existing Email Infrastructure (Workgroup A, Gateway Server, Workgroup B)]
Postini Identifies and Stops Email Attacks BEFORE
They Reach The Corporate Network
17
Analyst Validation
Enterprises should consider outsourcing email
boundary services as a means to gain email
security and management without having to
relinquish control of the email message store.
many large enterprises prefer to use a service
than to do it themselves a service can provide
a very high level of expertise focused on this
important area for an affordable cost
Because Postini's data centers sit outside the
corporate firewall, they offer a level of
security that was not before possible.
PC Magazine Editors' Choice: Corporate Spam Solution
Network World Blue Ribbon Winner: Spam Vendor
Evaluation
#1 Rating: Spam Vendor Evaluation
18
Enterprise Customer Success
The results are great.
Our users have been very satisfied and are able
to focus on growing our business rather than
sorting through their email inboxes.
The Postini service has been easy to deploy and
has required virtually no administration on our
part.
  • Postini Customer Stats
  • 3,300 customers
  • 5 million end users
  • Average implementation time 3 days
  • Average payback period 2 months

Nearly 99% of our unsolicited email messages
stopped immediately. We have taken back control
of our time and our systems
19
Thank You
  • http://www.postini.com