SpamSniffer Product Description
PCSI is currently developing SpamSniffer to detect unwanted spam from within an ISP's entire connection to the Internet. SpamSniffer will "sniff" all Internet traffic flowing on high speed, optical OC-12 lines (622 Mbps!), identify those mail messages that act like "spam", and provide updated filters to the ISP's mail server software to cause the spam to be blocked. Timely removal will not only prevent spam from annoying the end-users, but will also stop the spam from using up additional ISP forwarding and storage resources.
NOW IN DEVELOPMENT!!
Figure 1. SpamSniffer - Rackmount Configuration
Extending the development work done for PostMaster to 12x-higher input speed, the key to SpamSniffer is the ability to process all of the TCP/IP packets arriving at the ISP in real-time, first recognizing the mail packets, then building separate mail transactions, and finally scanning the contents of every mail message for keywords (such as "adult", "xxx", "porn", "marketting", "invest"). At the ISP level, the valuable feature for separating spam from innocuous messages containing the same keywords is the combination of having the wrong words in the message AND having too many copies of the message posted in a short period of time. Once the spam is identified, SpamSniffer will communicate new filters to the ISP's mail-server software to block subsequent spam from being accepted.
SpamSniffer is implemented using PCSI's new board to monitor the ISP OC-12 lines. This board extracts all TCP/IP packets from up to 336 T1 links, and forwards only the SMTP packets used by the Internet's email protocol. The Xeon-2.4GHz processor compiles the complete email transactions, identifying the source and destination TCP/IP addresses, the e-mail source and destination, the header description and the mail body. Email evaluation is done by parsing the entire message, building a "score" based on offending words and the number of copies being cc'ed in this message. Low-scoring mail is dropped from further concern.
But undesirable, high-scoring mail either starts a new entry to be matched in the future, or bumps up the count of previously identified mail. Once the count of identical offending mail passes an adjustable threshold, an alert message is prepared. This ultimately results in a new filter entry sent via Ethernet to the ISP mail server.
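The scoring and copy-counting steps described above can be sketched as follows. This is an added example, not PCSI's code. The score weights, the cutoff, the threshold value, the time window, the use of a SHA-256 hash of the normalised body to decide that two messages are "identical", and the shape of the filter entry are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict, deque

KEYWORDS = {"adult", "xxx", "porn", "invest"}  # subset of the page's keyword list
SCORE_CUTOFF = 3        # assumed: below this, the message is dropped from concern
COPY_THRESHOLD = 3      # assumed value for the "adjustable threshold"
WINDOW_SECONDS = 600    # assumed meaning of "a short period of time"

def score(body, recipients):
    """Two points per keyword hit plus one per recipient beyond the first."""
    words = [w.strip(".,!?:;\"'()").lower() for w in body.split()]
    hits = sum(1 for w in words if w in KEYWORDS)
    return 2 * hits + max(0, len(recipients) - 1)

def fingerprint(body):
    """Identity of a body: hash of case- and whitespace-normalised text."""
    return hashlib.sha256(" ".join(body.lower().split()).encode()).hexdigest()

class SpamTracker:
    def __init__(self):
        self.seen = defaultdict(deque)   # fingerprint -> arrival times in window
        self.alerted = set()             # fingerprints already turned into filters

    def observe(self, ts, body, recipients):
        """Return a filter entry when a message passes the threshold, else None."""
        if score(body, recipients) < SCORE_CUTOFF:
            return None                  # low-scoring mail: no state is kept
        fp = fingerprint(body)
        times = self.seen[fp]
        times.append(ts)
        while times and ts - times[0] > WINDOW_SECONDS:
            times.popleft()              # forget copies older than the window
        if len(times) > COPY_THRESHOLD and fp not in self.alerted:
            self.alerted.add(fp)
            return {"action": "block", "body_sha256": fp, "copies": len(times)}
        return None

# Constructed sample traffic: (timestamp, body, recipients)
SAMPLE = [(t, "Hot XXX adult pics, invest now!", ["a@example.net", "b@example.net"])
          for t in (0, 30, 60, 90, 120)]
SAMPLE.insert(2, (45, "Should we invest in adult education classes?", ["c@example.net"]))

def run(sample):
    tracker = SpamTracker()
    return [f for f in (tracker.observe(*m) for m in sample) if f]

if __name__ == "__main__":
    print(run(SAMPLE))
```

The single personal message scores above the cutoff because it contains the same keywords, but it never produces a filter entry because only one copy is seen; the bulk message produces exactly one entry, on its fourth copy.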
Unlike current spam prevention products, SpamSniffer will provide timely, automatic recognition of spam while permitting personal mail containing the very same words. And because it has access to the raw TCP/IP packets, SpamSniffer will be able to defeat more sophisticated techniques used by spammers to get past the current mail server filters.
If you are an ISP interested in being a beta site for this advanced technology solution to your spam problem, please contact us (steve@pac-custom.com).
Last modified: 19 January 2003