In an effort to help wage the Holy War against UCE/SPAM, NMCI has announced that it will be partnering with IronPort Systems and Symantec. We applaud this effort and can only hope that NMCI will begin utilizing the excellent SpamCop real-time blacklist from IronPort Systems. NMCI press releases state that the new spam solution "will provide NMCI with advanced threat prevention, block SPAM, and enable effective DoN e-mail policy enforcement." This statement was, of course, written by a salesman or an accountant, but after applying the nonsense filter it appears to point in a hopeful direction.
One disturbing statement addresses the proposed method of identifying spam. "...the DoN and EDS have agreed to a set of business rules designed to identify specific words or phrases that are contained in SPAM messages." We can only hope that they do not actually intend to waste Government time and money on building a word/phrase list to identify SPAM. Such a sophomoric attempt at tagging spam might have worked ten years ago but "bad" word lists would be lucky to catch 5% of SPAM today. Bayesian filtering applies a statistically weighted version of a word list but needs to be customized for each application and the filter must "learn" from actual user E-mail for it to be effective. Spammers use dozens of methods to defeat simple word filters and even Bayesian filters. Certainly companies like Symantec and IronPort know this already. It is curious that NMCI would even mention such a useless task.
An intranet article referenced in the announcement explains that spam will be kept in a type of escrow account where the user will be able to review suspected spam and move it to their inbox or delete it (confirming that it is spam).
All of this, with the notable exception of word lists, sounds like an excellent but long-overdue treatment of spam on the NMCI network. Kudos to NMCI for the effort but we make the following suggestions:
1. Use real-time DNS blacklists at the mail gateway to reject SMTP connections from listed hosts before they ever reach the mail server. SpamCop.net (an IronPort Systems project now) and Spamhaus.org (SBL-XBL) are two excellent choices, if anyone is listening...
2. Abandon the use of "word and phrase lists" as they are completely ineffective and a waste of resources. The high number of false positives will cause user distrust, and the use of pure word lists, as opposed to pattern matching, has been ineffective for the past several years. Smart matching from programs like SpamAssassin is an excellent alternative but comes at the cost of processor load.
3. Utilize a Bayesian database for each user to help build a statistical perspective that is surprisingly effective even with extensive Bayes poisoning campaigns now being waged by spammers.
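The contrast between suggestions 2 and 3, as an added example that is not part of the original article or any vendor's product: a static word list and a small per-user naive Bayes filter run over the same two messages. The word list, the training mail and the test messages are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed static word list of the kind the announcement describes.
BAD_WORDS = {"viagra", "lottery", "winner"}

# Constructed mail one user has already confirmed as spam or moved to the inbox.
USER_SPAM = [
    "v1agra cheap pills order now",
    "you are a w1nner claim your prize now",
    "cheap pills no prescription order today",
]
USER_HAM = [
    "lottery ticket sales for the command picnic fundraiser",
    "meeting agenda for thursday budget review",
    "please review the attached maintenance schedule",
]

def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def wordlist_flags(text):
    """Static list: flag the message if any listed word appears."""
    return bool(tokens(text) & BAD_WORDS)

class UserBayes:
    """Per-user naive Bayes over token presence, with add-one smoothing."""
    def __init__(self):
        self.seen = {"spam": Counter(), "ham": Counter()}
        self.total = {"spam": 0, "ham": 0}

    def learn(self, text, label):
        self.seen[label].update(tokens(text))
        self.total[label] += 1

    def spam_probability(self, text):
        # Sum per-token log likelihood ratios on top of the prior log-odds.
        log_odds = math.log((self.total["spam"] + 1) / (self.total["ham"] + 1))
        for t in tokens(text):
            p_spam = (self.seen["spam"][t] + 1) / (self.total["spam"] + 2)
            p_ham = (self.seen["ham"][t] + 1) / (self.total["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

def train_user_filter():
    f = UserBayes()
    for label, mail in (("spam", USER_SPAM), ("ham", USER_HAM)):
        for m in mail:
            f.learn(m, label)
    return f
```

Scoring "cheap v1agra pills order now" and "lottery fundraiser for the picnic on thursday" shows the word list missing the obfuscated spam and flagging the legitimate message, while the filter trained on this user's mail separates them.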