09
- December
2010
Posted By : Gom Jabbar
Mixing Medications – A parable for spam filtering

Some ungodly hour in the morning, way before my alarms usually go off.

There’s a rebellion going on inside my body, a coup d’├ętat in my own personal Banana Republic. I hear the dull distant roar of my army of white blood cells swarming over some unidentified microbial invaders. Evidently, my guys are using heavy artillery to take down an enemy unit in the region of my brain that governs motor control. They’re napalming my central nervous system.

I need snipers. Air cover. Sniffling Sneezing Coughing Aching Stuffyhead Fever So You Can Configure A Network Medicine. This flu bug has decimated half my colleagues and customers. And here I thought hand sanitizer would keep me safe.

Rummaging in my stash of over-the-counter meds. A 2-gallon Ziploc bag full of partially-consumed bottles, sachets and bubble packs. Dosage instructions in a dozen languages. Most of these meds were bought at airport drugstores, pharmaceutical souvenirs from backpacking trips through foreign countries where you can’t read the labels because you don’t understand the language, but you can pick out the correct meds because you recognize the familiar logos and color schemes on the packaging.

The Ziploc baggie looks like a hypochondriac’s version of Hunter S Thompson’s Vegas roadtrip supplies.

The sporting editors had also given me $300 in cash, most of which was already spent on extremely dangerous drugs. The trunk of the car looked like a mobile police narcotics lab. We had two bags of grass, seventy-five pellets of mescaline, five sheets of high-powered blotter acid, a salt shaker half full of cocaine, and a whole galaxy of multi-colored uppers, downers, screamers, laughers and also a quart of tequila, a quart of rum, a case of Budweiser, a pint of raw ether and two dozen amyls. Not that we needed all that for the trip, but once you get locked into a serious drug-collection, the tendency is to push it as far as you can.

– Fear and Loathing in Las Vegas

Hunter S Thompson

The Cambodian Actifed, bought outside Angkor Wat, is labeled in English but might be counterfeit. Bubble packs of Paracetemol, with labels in curly Thai or semi-understandable Italian. Effervescent Panadol in sachets to be plopped into water to make a fizzy drink, bought by mistake at Gatwick Airport. (Packaging was in English, but I thought they were the regular tablets.) And there it is, my salvation, at the bottom of the Ziploc bag. The searing bright orange half-bottle of DayQuil. Expired in 2008. Guess I haven’t been sick in a long time. Like Twinkies, I don’t think DayQuil can actually degrade even after the expiration date, or possibly thermonuclear war, whichever comes first.

I guesstimate the dosage as 1 swig every 4 hours. Given the variation of adult body weight in the general population and the slightly diminished potency of the active ingredients, I bet there’s a big old buffer zone between the correct dosage and dangerous recreational drug use.

The first swig of DayQuil warms my esophagus, radiates throughout my body with a slightly spicy aftertaste, before sloshing downwards and settling in my feet. I pour in a couple of cups of coffee as a chaser and regain enough brain function to get myself to work. Mid-morning, I procure an armful of Robitussin, Lemsip, Strepsils and Halls Cough Drops and dutifully ingest everything. My insides are a strata of medications, like those diagrams in science textbooks that show the layers of sediment covering fossilized dinosaur bones deep below the earth. I am layers of pink and orange liquids interspersed with coffee and dissolved cough drops.

In my head, a half-remembered Chris Rock comedy routine. No matter what choo got, Robitussin better handle it. I broke my leg, Daddy poured Robitussin on it. “Yeah, boy. Let that ‘Tussin get on down to da bone!” This Chris Rock routine might be the single biggest reason I pick Robitussin every time I need flu medication.

http://www.youtube.com/watch?v=wESrtAdYdn0

Anyway, does this Mixing Your Medications approach work with spam filtering in the messaging infrastructure? Let’s have a look.

Mail flow at a customer site
Mail flow at a customer site

This is a typical mail flow at a customer site:

  1. Spamlords use various source addresses to send emails addressed to recipient addresses that belong to my customer’s domain. They usually comprise 75% to 90% of the actual email volume.
  2. Legitimate senders also send emails addressed to recipient addresses that belong to my customer’s domain.
  3. All these emails are routed to the IP address of the preferred MX record for my customer’s domain. In this case, it is the IP address of the outside interface of the Cisco ASA 5510 firewall.
  4. The Cisco ASA 5510 can be configured to perform traffic inspection and filtering, but is usually configured to send all SMTP and POP3 mail traffic to the CSC-SSM-10 module.
  5. The CSC-SSM-10 module is configured for spam filtering and content checking. The Trend Micro InterScan Engine can filter for keywords and phrases, and you can also configure sender blacklists and whitelists. This deletes (or at least tags) some of the spam, and should allow all legitimate emails to pass through.
  6. The customer’s email server also has some filtering capability and can be configured with sender blacklists and whitelists. Spam that has been sent to a nonexistent user will be discarded, and an NDR can be sent out to the sender. Antivirus filters can be configured here.
  7. Finally, the recipient’s email client will also have a Junk Mail filter that will weed out most of the remaining spam. You can also configure rules to dispose of emails based on sender and keywords. I usually like to let all but the most egregiously obvious spam get to the recipient’s email client, where it is tossed into the Junk Mail folder instead of being deleted outright at an earlier step. This ensures that the spam is kept out of sight, but legit emails that have been incorrectly tagged as spam are retrievable.

Like my strata of medications, it is a bit overkill, but the different products and filtering methodologies usually manage to weed out most of the spam. You may have a single product that does the antispam filtering, and the Cisco CSC-SSM-10 actually lets you do antivirus and content filtering as well (Sniffling Sneezing Coughing Aching Stuffyhead Fever So You Can Send Email Medicine). However, a layered defense of multiple spam filtering products along the path of the mail flow is what really works for me.