death2spam

Enterprise Edition FAQ

Frequently Asked Questions

Why use D2S instead of an in-house filter?
First and foremost, because no other email filtering system can provide the stunning accuracy of D2S.  The Death2Spam Project is totally focussed on eliminating spam and viruses from email.  This task has become highly specialized, and spammers (not to mention the authors of viruses and worms) are constantly trying new tricks to evade filters.

A self-learning expert system, leveraging vast collaborative dictionaries, is far superior to deterministic and rules-based (second-generation) filters such as SpamAssassin.  The Death2Spam Managed Service provides a high return on investment, and near-zero administrative overheads. Sound reasons for entrusting your business email security to D2S!

Will D2S slow down my email delivery?
Death2Spam operates completely transparently to the end-user, and it's fast!  Our latency metrics show that the time taken to scan a message for viruses and to determine its spam probability (classify) is 50-75 milliseconds for an average-sized email message.  In practice, you won't notice any difference in message transit time.  You will notice, however, that more than 99% of spam and malware is tossed in the sin-bin!

What are aliases, and how are they used?
D2S can use "aliases" to map each actual email address to a D2S account (logon ID).  Users often have several email addresses, and for convenience, all inbound emails being filtered can be "ghosted" into a single D2S account for review and system-training purposes.  This makes it easier to classify "unsures" and false negatives (junk mail incorrectly categorized as good), since the user only has to log on once to access the D2S web interface for all their email addresses.

Additionally, a "fall-through" or default account can be specified using the asterisk wild-card character, e.g. *@your.domain.com could be aliased to admin@your.domain.com.  This configures D2S to ghost any email for recipients not explicitly declared in the aliases table into the administrator's D2S account.  Note that mail filtered by D2S is always delivered to the intended recipient, irrespective of D2S aliasing (unless forwarding rules have been defined for an email address).

What's an "Authenticating POP Host"?
To prevent unauthorized access to a D2S account's web interface, users need to log on using their email address and a password.  To avoid unnecessary duplication of passwords, D2S can query your domain's POP (Post Office Protocol) server.  Users can log on using the same password they use to access their POP mailbox from an email program, simplifying matters considerably!  If your domain doesn't have a POP host, passwords can be assigned to users automatically via email, and can easily be changed using the D2S web interface.

Spam seems to be sneaking past the D2S service... ?!
Many people have two (or more) mail servers for their domain: a primary, and a secondary or backup server.  The IP addresses for these servers are publicly listed in your domain's Mail Exchanger (MX) records in the Domain Name System.  Spammers frequently send their drivel into a domain's secondary mail server, since these are often unfiltered.

Since D2S is configured to relay filtered mail into your primary mail server, the best way to avoid suffering spam "jumping over the back fence" is to eliminate your mail servers from the MX listing, and use a D2S secondary for backup service.  In addition, many customers have found it necessary to firewall off their mail server (port 25) from accepting connections from any SMTP servers other than D2S.  This always does the trick!

How can I prevent Directory Harvest Attacks?
Spammers frequently attempt to obtain a list of valid email addresses for a domain by mounting a Directory Harvest Attack (DHA).  The perpetrator unleashes an automated Internet program which guesses at possible email addresses within the domain, and tries to send junk messages to those addresses.  Many SMTP servers immediately reject transactions addressed to non-existent mailboxes.

So, by a process of elimination, any addresses which aren't rejected are considered valid, and the leeching software adds these to the spammer's database.  Aggressive DHAs also place heavy demands on a domain's mail server, and can even mimic a denial-of-service (DoS) attack, thereby slowing legitimate email delivery.  Death2Spam contains special anti-DHA heuristics, which detect attempts to send a message to numerous invalid addresses from a given IP address.
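
Added example (not Death2Spam's own code): a minimal sketch of the kind of heuristic described above, counting distinct rejected recipients per source IP inside a sliding time window.  The thresholds, the event tuple format and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds (not Death2Spam's): flag a source IP once it has been
# refused for THRESHOLD distinct unknown recipients within WINDOW seconds.
WINDOW = 60
THRESHOLD = 5

# Constructed sample events: (epoch seconds, client IP, RCPT TO address, reply code).
# 550 = no such mailbox, 250 = recipient accepted. IPs are documentation ranges.
SAMPLE_EVENTS = (
    [(1000 + i, "203.0.113.7", f"{name}@example.com", code)
     for i, (name, code) in enumerate([
         ("aaron", 550), ("abby", 550), ("adam", 550), ("admin", 250),
         ("alan", 550), ("alex", 550), ("alice", 550)])]
    # One correspondent retrying the same mistyped address: a single invalid recipient.
    + [(1000 + 10 * i, "198.51.100.20", "jon.smith@example.com", 550) for i in range(5)]
    # A sender with a few stale addresses spread over several minutes.
    + [(1000 + 100 * i, "192.0.2.44", f"old{i}@example.com", 550) for i in range(5)]
)


def detect_dha(events, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: timestamp at which that IP first reached the threshold}."""
    recent = defaultdict(deque)  # ip -> (timestamp, recipient) of recent rejections
    flagged = {}
    for ts, ip, rcpt, code in sorted(events):
        if code != 550:
            continue  # only rejected (non-existent) recipients count
        q = recent[ip]
        q.append((ts, rcpt.lower()))
        while q and q[0][0] <= ts - window:
            q.popleft()  # drop rejections that fell out of the window
        distinct = {r for _, r in q}
        if len(distinct) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, ts in detect_dha(SAMPLE_EVENTS).items():
        print(f"possible directory harvest from {ip} (threshold reached at t={ts})")
```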

What do "FP" and "FN" mean?
These are False Positives (good classified as spam) and False Negatives (spam allowed through as good), often expressed as a percentage of the total number of messages.  These numbers are the ultimate "quality metric" of an email filter.  FPs are much worse than FNs, since such false alarms throw useful messages into the spam bin (where they can easily be missed).  Zero FP + Zero FN = 100% Accuracy = Very Good.


"The best commercial server-level Bayesian filter is probably Death2Spam."
   Plan for Spam FAQ  -- Paul Graham