On one of the security mailing lists I follow, someone had an interesting conundrum. His management wants a 100% effective spam stopping solution.
My bosses are demanding 100% spam prevention, and I’d like to find some industry papers, articles, etc. that explain why that’s not advisable (if even possible). My understanding is that spam mitigation is the goal, keeping spam down to where it’s not a distraction from business.
What we have here is a situation where non-technically-minded management would like a perfect spam filtering solution.
It’s impossible to achieve 100% spam filtering using traditional means unless you’re ready to live with large numbers of false positives. You can get pretty close: many solutions out there claim 99%+ catch rates with few or no false positives. However, achieving perfection is impossible; no reputation-based or machine-learning-based system out there is perfect.
Email has a default open security model
Normally you put layers of filtering between the sender and the recipient: connection-level blocking measures (DNSBLs, SPF checking, DKIM, reputation systems, etc.) supplemented by content-filtering layers.
The more aggressive the measures are, the higher the false-positive rate will be.
There’s also an inherent “gray zone”: one guy’s spam might be another guy’s ham. For instance, there are mailing list operators that distribute confirmed opt-in mailing lists for very legitimate companies. Even though I might consider their mail spam if I did not directly ask them to send me stuff, the guy sitting next to me might like it.
This layered approach isn’t perfect, but you can block pretty much 99% of the garbage flying around with few false positives if you strike the proper balance.
Alternative, using a default-closed security model
I know of only one method that comes close to 100% effectiveness: a “default-closed security model”, which is less traditional. Basically, you use a spam filter that blocks everything that comes in EXCEPT mail coming from trusted senders.
That implies the following:
- You need to get the list of trusted senders from management (using their address books for instance).
- You need to implement it as a trusted list in whatever spam filter you use.
- You need a mechanism that makes it easy for end users to add trusted senders to their list (via a quarantine report/digest or a mail client plug-in with direct access to the quarantine). Some servers allow confirmation emails to be sent to the sender prior to accepting mail from them.
- Your spam filter needs some way of automatically trusting on outbound traffic. If someone internally sends an email to an external address, that external address should be added to the sender’s trusted list.
This is the only way you can achieve near-perfect catch rates. The catch, though, is that it’s a lot more work for both the admin and the end users.
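The four requirements above, worked through as a small policy engine. This is an added example with constructed addresses and a hypothetical `DefaultClosedFilter` class, not code from any spam filter product; it shows the seeding, the outbound auto-trust, the quarantine digest and the user release step, with trust kept per recipient rather than global.

```python
from collections import defaultdict

def normalize(addr: str) -> str:
    """Canonical form for comparison: lowercase, surrounding whitespace removed."""
    return addr.strip().lower()

class DefaultClosedFilter:
    """Default-closed policy: inbound mail is quarantined (never bounced) unless
    the sender is on that recipient's trusted list. Hypothetical helper."""

    def __init__(self) -> None:
        self.trusted = defaultdict(set)      # recipient -> trusted sender addresses
        self.quarantine = defaultdict(list)  # recipient -> held (sender, subject)

    def seed_from_address_book(self, user: str, contacts) -> None:
        """Steps 1-2: management's address books become the initial trusted list."""
        self.trusted[normalize(user)].update(normalize(c) for c in contacts)

    def record_outbound(self, sender: str, recipients) -> None:
        """Step 4: anyone an internal user writes to becomes trusted for that user only."""
        self.trusted[normalize(sender)].update(normalize(r) for r in recipients)

    def inbound(self, sender: str, recipient: str, subject: str) -> str:
        s, r = normalize(sender), normalize(recipient)
        if s in self.trusted[r]:
            return "deliver"
        self.quarantine[r].append((s, subject))
        return "quarantine"

    def digest(self, user: str):
        """Step 3: what the end user sees in the quarantine report."""
        return list(self.quarantine[normalize(user)])

    def release(self, user: str, sender: str):
        """Step 3: user trusts the sender; all held mail from that sender is released."""
        u, s = normalize(user), normalize(sender)
        self.trusted[u].add(s)
        released = [m for m in self.quarantine[u] if m[0] == s]
        self.quarantine[u] = [m for m in self.quarantine[u] if m[0] != s]
        return released

def demo():
    """Constructed walkthrough; returns the decisions and two users' digests."""
    f = DefaultClosedFilter()
    f.seed_from_address_book("alice@corp.example", ["bob@partner.example"])
    f.record_outbound("alice@corp.example", ["Carol@Vendor.example"])  # case differs on purpose
    decisions = [
        f.inbound("bob@partner.example", "alice@corp.example", "invoice"),
        f.inbound("carol@vendor.example", "alice@corp.example", "re: quote"),
        f.inbound("promo@bulk.example", "alice@corp.example", "50% off"),
        f.inbound("bob@partner.example", "dave@corp.example", "hi"),  # trusted by alice, not dave
    ]
    return decisions, f.digest("alice@corp.example"), f.digest("dave@corp.example")
```

Note that the fourth inbound message is held even though the same sender was delivered to alice: trust is per recipient, which is what makes the outbound auto-trust safe to apply without a shared global list.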
A default-closed system can work, but is it really worth the extra energy, time and money?
Assuming a 99% catch rate, if end users see a handful of spams each day instead of hundreds, you’ve already cut the overhead by 99%. Getting that extra 1% may require serious effort and inconvenience that make a default-closed model simply not cost-effective.