
SSL Encryption & Bayesian Spam Filters


cppgenius

I've been testing the spam filter of a specific security suite and noticed that it did not filter any spam e-mails downloaded from my GMail account, but is very good at filtering e-mails downloaded from my Yahoo account. I also noticed the same thing happening with the Thunderbird spam filter.

The only reason I can think of is the SSL encryption making it impossible for the spam filter to read the contents of the e-mail, so the spam filter is therefore unable to analyse the e-mail. What I don't understand is why the filter tries to analyse the e-mail during a secure session. Why not apply the filtering once the e-mail has been downloaded and delivered? You have to download the e-mail anyway.

Stand-alone spam filters are sold to the public, security suites include spam filters, which you have to pay for when you buy the security suite, but they are useless if you are using GMail (or any other e-mail service that requires SSL encryption). Software security companies never warn their customers about this, so they basically sell them useless software and the user thinks he/she has a great spam filter. Some people don't even realise the spam filter can't work, they only think the spammers got better at bypassing the filter, they are under the false impression that further training will solve the problem.

Let's not argue about it, some of these spam filters are quite good, but they are useless if they can't analyse the e-mails. It's like waging war with the best and most deadly guns in the world, but your army is blind.

Is there anyone who shares this view, or is there something I'm missing here?


Is there anyone who shares this view, or is there something I'm missing here?

I'm not sure what you actually want. To me, you are complaining about the age-old issue that some software/tool developer works on code only using his/her computer, then releasing it to the world, having no idea just how screwed up his/her system really was in contrast to the millions of differently configured systems out there in the real world. Some silly examples:

hard-coding everything to be installed on the C:/ drive.

hard-coded to only recognise a stand-alone computer

hard-coding to work around a hardware issue on his/her development system

hard-coding to only recognize a certain audio/video/etc. card/chipset/etc.

Your unnamed security tool was apparently developed with yet another set of blinders on, focusing only on a specific configuration and usage ... perhaps the developer had no clue about other security things like SSL, or even made the decision that no one actually used it, based on the fact that he/she and no one he/she knows uses it, beta testers never brought it up, on and on ... maybe it was the performance hit that ruled it out???

It seems to me that your complaint / energy would be better raised / expended with that developer.


I'm not sure what you actually want.

Sorry for not being clear enough in my initial post.

The problem is, I'm experiencing this with several spam filters. Most spam filters analyse POP traffic, right? They normally act as a proxy between the POP server and the e-mail client, but if the POP traffic is encrypted, what's the use? I don't see any anti-spam vendors mentioning this to their prospective clients. If you are using GMail, for instance, it is useless to use a 3rd party spam filter as well. Remember this stuff is sold to the public who knows nothing about SSL. So they are buying something without realising that it won't work with an e-mail service using secure connections.

Yes, yes I know it is silly to use an additional spam filter if GMail is doing a good job at filtering spam already, but I am merely using GMail as an example of an e-mail service using secure connections.

Like I said earlier, I encountered the same problem with Mozilla Thunderbird. As a built-in spam filter it should be able to filter spam regardless of the encryption; it downloads the spam e-mail anyway, so what is the use of analysing the POP traffic before delivery? It can just as well analyse the e-mail after it has been downloaded and then decide whether it is spam or not.

The Thunderbird spam filter is not filtering any mail from my GMail accounts and I wanted to know if anyone else experienced the same issues or is there the possibility of something being misconfigured on my system?


The problem is, I'm experiencing this with several spam filters, most spam filters analyse POP traffic right? They normally act as a proxy between the POP server and the e-mail client, but if the POP traffic is encrypted, what's the use?
End user filters, maybe... All filters I have used are implemented during the SMTP process.

You might need to do some more investigation to find out how your spam tool integrates to the mail client and how it connects to the mail server. It could be a deficiency in the spam tool or just a mis-configuration of the tool. It's hard to tell without knowing more about the tool.

I wouldn't be too surprised that the spam tool is deficient. As Wazoo says, there's a lot of deficient software sold to the unsuspecting.

There are several ways to integrate with purchased software packages (like mail clients). Some add-on tools treat mail clients like black boxes and they interface themselves to that "black box" by sitting either in front of or behind the "black box". It sounds like this is how your tool is written, since you mentioned that it acts like a proxy. The nice thing about this method is that, as a developer, you don't need to have much knowledge about the mail client. This is often the best way and sometimes the only way to interface to a proprietary mail client. The problem with this is that a good spam tool would need to implement all the mail client/server interface types (like SSL, TLS, IMAP, POP3, etc.). Another way to interface to a mail client is to use the mail client's API (if it has one). This would be rare, although some mail clients have APIs.

In the past, I used a spam filter called spampal. The way it worked was that it ran as a kind of proxy tool. Upon installation it would insert itself between the mail client and the mail server. The mail client would connect to the spampal tool and then spampal would talk to the mail server (pop3 or imap). By doing this, it would allow spampal to process the mail message before the mail client got it. From your description, this sounds like how your spam tool works.

A spam tool that operates as a proxy would have to be able to read the text of the mail in order to process the headers and/or the body of the message. For encrypted connections, the tool would have to decrypt the data coming in and possibly re-encrypt it on the way out to the mail client (or not depending on security). The only way to process the message data would be to read it while it passed through the spam tool.

Any search for a spam tool would require that you make sure the tool handles TLS or SSL connections. It is possible that your tool has the ability and is just mis-configured. It is also possible that you may need to purchase additional software to handle this type of connection. The additional tool might need to be connected as a "black box" to the spam tool. Again it's hard to say without knowing the particulars about the spam tool.

I guess this is why it's a good idea to be able to get a demo copy of the software before you purchase it, so that you can make sure it has all the needed requirements for communicating with all your mail servers.

Not to sound like an advertisement (especially since I'm not affiliated with spamcop in any way except that I use spamcop as my spam tool), but spamcop seems to handle SSL.

Just an added note....

Most spam tools probably operate as POP3 clients probably because they expect to only see each email message once. They probably expect to download and then remove the message from the server, rather than keeping track of what has been seen and processed.

Edited by kae
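The proxy arrangement kae describes, written out as an added example (not SpamPal, not any vendor's product, and not code from this thread): the mail client is pointed at 127.0.0.1 in plain POP3, the proxy itself opens the TLS (POP3S) connection to the real server, and because TLS is terminated inside the proxy it can read and rewrite every message carried in a RETR response before the client sees it. The server name pop.gmail.com:995, the local port 1100, the keyword list and the "[SPAM]" subject tag are assumptions for the example; a real product would put a trained classifier where spam_score is.

```python
"""Minimal filtering POP3 proxy (added example, not from the thread).
Client <-- plaintext POP3 --> this proxy <-- TLS (POP3S) --> real server."""
import email
import socket
import ssl
import threading
from email import policy

SPAM_WORDS = ("lottery", "winner", "viagra", "click here")  # toy rule set (assumed)
MULTILINE = {b"RETR", b"TOP", b"CAPA"}                      # plus LIST/UIDL without argument


def is_multiline(cmd: bytes, status: bytes) -> bool:
    """True if the server's +OK reply to `cmd` runs until a lone '.' line (RFC 1939)."""
    parts = cmd.split()
    if not parts or not status.startswith(b"+OK"):
        return False
    verb = parts[0].upper()
    return verb in MULTILINE or (verb in (b"LIST", b"UIDL") and len(parts) == 1)


def unstuff(lines):
    """Undo POP3 dot-stuffing: a line on the wire as '..foo' was really '.foo'."""
    return [l[1:] if l.startswith(b"..") else l for l in lines]


def stuff(lines):
    """Re-apply dot-stuffing before forwarding lines to the client."""
    return [b"." + l if l.startswith(b".") else l for l in lines]


def spam_score(msg) -> int:
    """Count keyword hits in Subject plus the text/plain body. Plaintext is
    available here only because the proxy terminated TLS on the server side."""
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    return sum(text.count(w) for w in SPAM_WORDS)


def tag_message(raw: bytes, threshold: int = 2):
    """raw: one RFC 5322 message, CRLF lines, already un-stuffed.
    Returns (message bytes to deliver, is_spam)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score = spam_score(msg)
    if score < threshold:
        return raw, False
    subject = msg.get("Subject", "")
    del msg["Subject"]                      # policy.default allows one Subject only
    msg["Subject"] = "[SPAM] " + subject
    msg["X-Proxy-Spam-Score"] = str(score)  # hypothetical header name
    return msg.as_bytes(policy=policy.SMTP), True


def rewrite_retr(lines):
    """lines: RETR payload as read from the server (stuffed, no '.' terminator).
    Returns the lines to forward to the client, re-stuffed."""
    new_raw, _ = tag_message(b"".join(unstuff(lines)))
    return stuff(new_raw.splitlines(keepends=True))


def serve_client(client: socket.socket, upstream: str, port: int = 995):
    ctx = ssl.create_default_context()      # verifies the server certificate and name
    with client, socket.create_connection((upstream, port)) as tcp, \
            ctx.wrap_socket(tcp, server_hostname=upstream) as srv, \
            client.makefile("rb") as cf, srv.makefile("rb") as sf:
        client.sendall(sf.readline())       # server greeting
        while True:
            cmd = cf.readline()
            if not cmd:
                return
            srv.sendall(cmd)
            status = sf.readline()
            client.sendall(status)
            verb = cmd.split()[0].upper() if cmd.split() else b""
            if is_multiline(cmd, status):
                body = []
                while True:
                    line = sf.readline()
                    if line in (b".\r\n", b""):
                        break
                    body.append(line)
                if verb == b"RETR":
                    body = rewrite_retr(body)
                elif verb == b"CAPA":       # hide STLS so the client never tries to
                    body = [l for l in body if l.strip().upper() != b"STLS"]  # encrypt past us
                client.sendall(b"".join(body) + b".\r\n")
            if verb == b"QUIT":
                return


def run_proxy(listen_port: int, upstream: str, port: int = 995):
    with socket.create_server(("127.0.0.1", listen_port)) as ln:
        while True:
            conn, _ = ln.accept()
            threading.Thread(target=serve_client, args=(conn, upstream, port), daemon=True).start()


if __name__ == "__main__":
    # Configure the mail client for plain POP3 to 127.0.0.1:1100 instead of pop.gmail.com:995 (assumed).
    run_proxy(1100, "pop.gmail.com")
```

The CAPA rewrite is the caveat a proxy like this needs: if the server advertises STLS and the client honours it, the client would negotiate TLS through the proxy and the proxy would be back to seeing ciphertext, which is exactly the situation the original post describes. Note also that the client-to-proxy leg is plaintext, which is acceptable only because it never leaves the loopback interface.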

The problem is, I'm experiencing this with several spam filters, most spam filters analyse POP traffic right? They normally act as a proxy between the POP server and the e-mail client,

That is one way to describe some applications, others go far beyond being 'just a proxy' ...

but if the POP traffic is encrypted, what's the use? I don't see any anti-spam vendors mentioning this to their prospective clients.

And as I stated / suggested in my last, how many prospective clients have asked for this capability? How many would be willing to put up with the overhead required? Does the vendor have anyone hired that can handle this kind of programming? How much would the price have to go up to add-in and then support such a feature?

Like I said earlier, I encountered the same problem with Mozilla Thunderbird. As a built-in spam filter it should be able to filter spam regardless of the encryption, it downloads the spam e-mail anyway, so what is the use of analysing the POP traffic before delivery, it can just as well analyse the e-mail after it has been downloaded and then decide whether it is spam or not.

Actually, you seem to have used a description that many believe, yet it is in error. Take a deep breath, sit back, and ponder about it a bit. There is no way that your e-mail can be handled, analyzed, sorted, whatever until it gets downloaded to your system. At best, you may have some application that makes some decision based on header data only, but that header data still has to be moved onto your system for any data analysis to be accomplished.

The majority of anti-spam, anti-virus tools actually build their own InBox (the extension of your Proxy scenario) .. download your e-mail into that 'safe' box .. do the analysis .. then move, delete, tag, unsting, whatever the resulting e-mails per however you have things configured, for instance moving e-mail that passed any testing for bad stuff to your 'real' e-mail client's InBox.

Your query seems to be based on the all too typical view-point of trying to move bad e-mail out of your InBox. However, what I have suggested for years is to do exactly the opposite. Generate folders for your 'good' e-mail, for example one for Family, one for Friends, one for Business, etc. Set up rules in your e-mail client to move all the 'good' e-mail into the appropriate Folder. The results will end up being what you really want ... the InBox will hold either e-mail that needs yet another Rule to be written or, lo and behold, all your 'BAD' e-mail.


Thanks for the replies guys, your answers (especially kae's) provided a lot of insight and confirmed many suspicions I had.

Actually, you seem to have used a description that many believe, yet it is in error. Take a deep breath, sit back, and ponder about it a bit. There is no way that your e-mail can be handled, analyzed, sorted, whatever until it gets downloaded to your system. At best, you may have some application that makes some decision based on header data only, but that header data still has to be moved onto your system for any data analysis to be accomplished.

Wazoo, I have a wonderful gift of saying things in such a way that it comes out all wrong. I guess you can see why I never became a teacher. :-) I read my remarks again and realised how narrow-minded it sounded. I guess I should also stop doing forum posts in the early morning hours and rather get more sleep.

I fully understand that you need to download the e-mail completely before you really can do anything with it, but when it is possible for a spam filter, don't mess around with encrypted data; wait for the decrypted message to be delivered in the e-mail client and then do the analysis. I know not all spam filters can operate this way, but I believe Thunderbird's built-in filter should be able to do that. It is a built-in filter, so there is no need to analyse the encrypted data beforehand (perhaps for performance reasons, but other than that, I can't see why). I will take this up with the guys at Mozilla; perhaps they can explain it to me in more detail or show me what I might be doing wrong here.

I agree with your white-listing method, far more effective and easier to maintain than blacklisting or heuristic spam filtering.

