Spam accounts for a large percentage of all email traffic on the internet. The volume of spam places a large burden on Mail Transfer Agents (MTAs), which are computing devices that transfer email messages between network components. Where an MTA uses a disproportionate amount of its resources for antispam processing (e.g., detection and blocking), its performance suffers, and the conventional delivery of legitimate email messages can become delayed. It is therefore desirable to offload antispam processing from MTAs to dedicated antispam computing devices. To this end, antispam processing can be implemented on a transparent proxy or antispam gateway that resides between an MTA that receives and processes incoming email messages for an enterprise and the sources of those email messages. Since the antispam device resides between the MTA and the sources of incoming email messages, the antispam device can filter the email traffic between these endpoints. To the extent that the antispam device can perform antispam processing that would otherwise be conducted by the MTA, the MTA is freed to use its resources for non-spam-related email transfer functionality.
Antispam processing takes different forms. One form is the analysis of the content in email messages to determine whether the email messages comprise spam. This technique requires access to the content of email messages (not just the addresses of origination). Blocking an incoming spam message based on its content is known as content time blocking. Another form of antispam processing involves determining whether email comprises spam based on factors that do not require actually receiving and analyzing the content, such as the identity of the source attempting to deliver the message. Blocking a message prior to actually receiving it is known as connection time blocking.
Some antispam technologies involve analyzing patterns of email activity associated with given sources, and learning reputations of multiple sources over time. The analysis required to learn a reputation typically involves analyzing message content, but once it has been learned that a given source has a bad reputation (e.g., the source is associated with sending a sufficient amount of spam), blocking of messages originating from that source can occur at connection time rather than content time.
An antispam device filtering email traffic for an MTA may lack certain information for performing antispam processing. Where the MTA performs connection time blocking, the antispam device is unable to analyze the content of the blocked messages and thus learn reputations of the sources from which the messages originated. Furthermore, the receiving MTA might have additional antispam information not available to the antispam device, such as a blacklist of blocked senders or reputation information concerning given sources. When email content and/or additional antispam information is not available to the antispam device, the ability to offload antispam processing from the MTA to the antispam device is limited. More specifically, without access to the content of email messages and additional relevant information the MTA may have, the antispam device is hindered in its ability to learn reputations of sources. Without the antispam device being able to perform such learning, the associated connection time blocking of email from sources with bad reputations cannot be offloaded from the receiving MTA. This causes excessive capacity demands on the receiving MTA to process spam traffic.
It would be desirable to address these issues.
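The learning gap described above, shown as an added example that is not part of the original text: a minimal Python model of a gateway that learns source reputations at content time and then blocks at connection time, run once with no MTA-side blocking and once with the MTA rejecting the source first. The class and function names, the threshold of 3, the keyword classifier and the documentation-range IP addresses are all assumptions made for illustration.

```python
SPAM_THRESHOLD = 3  # assumed value; the text only says "a sufficient amount of spam"


class Gateway:
    """Hypothetical antispam gateway between mail sources and the receiving MTA."""

    def __init__(self):
        self.spam_seen = {}  # source IP -> spam messages observed at content time

    @staticmethod
    def looks_like_spam(body):
        # Stand-in for real content analysis (assumption, not a real classifier).
        return "buy now" in body.lower()

    def handle(self, source, body, mta_blocklist):
        # Connection time, gateway side: uses only the reputation learned so far.
        if self.spam_seen.get(source, 0) >= SPAM_THRESHOLD:
            return "gateway-connection-block"
        # Connection time, MTA side: the MTA refuses the source before any
        # message content is transferred, so the gateway has nothing to analyze.
        if source in mta_blocklist:
            return "mta-connection-block"
        # Content time: the body is available, so reputation can be learned.
        if self.looks_like_spam(body):
            self.spam_seen[source] = self.spam_seen.get(source, 0) + 1
            return "gateway-content-block"
        return "delivered"


def simulate(gateway, source, count, mta_blocklist):
    """Send `count` constructed spam messages from one source; return outcomes."""
    return [gateway.handle(source, "BUY NOW, limited offer", mta_blocklist)
            for _ in range(count)]


if __name__ == "__main__":
    gw = Gateway()
    # Case 1: the MTA does no connection time blocking, so the gateway sees
    # content, learns the reputation and takes over blocking at connection time.
    print(simulate(gw, "192.0.2.10", 5, mta_blocklist=set()))
    # Case 2: the MTA already blocks this source at connection time. The gateway
    # never sees content, learns nothing, and the MTA keeps carrying the load.
    print(simulate(gw, "198.51.100.7", 5, mta_blocklist={"198.51.100.7"}))
    print(gw.spam_seen)
```

In the second case every attempt is still handled by the MTA and the gateway's reputation table has no entry for the source, which is the offloading limit the background describes.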