Two Heads Fight Spam Better Than One
Written by Paul Cunningham on December 2, 2009
Independent security organization Virus Bulletin has called for makers of email security products to collaborate in the fight against spam.
Virus Bulletin conducted a test of 14 anti-spam products using 200,000 emails made up of both spam and legitimate content. They found that using the products in combination both increased the rate of detection and decreased the likelihood of false positives.
Although the increase in detection rate over the typical rates of popular anti-spam products was only a minor percentage, it can account for many thousands of additional spam messages blocked in larger business environments.
Combining multiple email security engines into a single product is not a new concept. Antivirus products have been doing this for several years now, with major antivirus companies licensing their engines as optional plugin components to an email security product. It is not unusual to find email systems protected by 3 to 5 different antivirus engines.
In the fight against spam, collaboration could make significant improvements for businesses. Primarily this would occur in the content filtering engine component of anti-spam products. Different vendors produce different content filtering databases that are more effective against some spam threats than others.
But the collaboration would not work, or would not even be necessary, at other levels of an anti-spam system. For example, DNS block lists from different providers are already easily plugged in to most email security systems and can be used in combination with each other.
Bayesian filtering would also not benefit from collaboration because of the way it works. What a Bayesian filter learns about one organization’s email patterns would not always translate well to other organizations, so the sharing of this data would be pointless (and potentially a security risk in itself).
As a downside to this idea, hardware resources for anti-spam servers would likely need to be increased. Content filtering is a resource-intensive process, so inspecting an email with multiple engines will require many times more hardware power than a single-engine filter would require.
One positive side to this idea is that it allows developers of content filtering engines to focus on improving the quality and performance of the engine itself, which they can then license to anti-spam vendors. The vendors are then free to focus more on important features that businesses consider when choosing an anti-spam product, such as reporting capabilities, end user self-service, and ease of administration.
Finally, some may rightly see this idea as adding complexity to an already complex product. Experienced email administrators have probably already encountered at least one problem in the past with multi-engine antivirus products when changes are made to one of the engines by the developers. However, this type of perceived complexity can be resolved by considering hosted anti-spam solutions instead, which will likely be one of the earliest available offerings of a multi-engine spam filter.




