Whither - CAS

Please discuss in this topic any ideas or views you may have regarding the longer term future direction of CAS. The ideas may be about technical direction, or broadly how CAS might do its job in the future.

(Opinions on short term priorities for the next version go in the Beta forum here - suggested current priorities are bug-fixing, increasing usability, increasing cultural sensitivity, and resolving flaws in the implementation of current filtering policies. Specific feature requests go in the wishlist here).

I’ll get things started by listing issues which have recently been raised, cross referencing to the relevant posts, then maintain this post as a running summary.

  • Should CAS offer alternatives to the email filtering polic(ies) currently offered? If so, what should they be?
  • Should client-specific plug-ins be developed for CAS, to supplement the current client-neutral approach?
  • Everything’s moving into the cloud. Should CAS be a cloud service? How would this work?
  • Sale as a corporate antivirus could be more remunerative, could this be done?
  • Would a merger with CIS make CAS more convenient for users?

Alternative email filtering policies

  • Melih proposes checking URLs contained in emails against blacklists maintained by a team of people here and here.
  • I note here that CAS already supports an alternative default deny policy, though it is well hidden, misnamed, and needs some further development. I like to call it ‘assisted manual filtering’.
  • Many people have suggested that CAS should offer traditional (default allow) blacklist or Bayesian filtering based on DNSBL lists or email contents. For example: here and here and here.
  • I review the issue below and suggest that, in addition, a) traditional methods may be used to assist, and ease people’s transition to default deny, b) CAS’s implementation of default deny (challenge-response) can be greatly improved to make it more accessible.

Client specific plug-ins
Junhua and others have suggested outside this forum that CAS might be plug-in based. Here are some relevant posts from the forum:

  • Bassman suggests Outlook integration, including keeping quarantined emails in the client, would be more convenient here and here.
  • Lalligood points out that this would mean unpleasant emails and malware getting into your client here.

Moving into the cloud
This hasn’t been discussed much as yet, but I think it should be. Suggestions which move the debate in this direction are:

  • Melih suggests that Comodo could pool user judgements on URLs contained in emails here.
  • Bassman suggests Comodo could survey email addresses blacklisted by many users, and update CAS so these are quarantined here.
  • I suggest a possible strategy here.

Corporate use
This would be a major change of direction, involving a great deal of work, but could be more remunerative. It is suggested by Esutter here that CAS might be more suitable for this role than the personal antivirus role. I do not have any knowledge of this area to contribute by way of discussion.

Merging with CIS (or CSE)
CAS would need to be considerably more stable and mature before merging with CAS’s flagship product CIS. But this must be logical at some stage, as most people don’t want to run several pieces of security software. Most competing internet security suites integrate anti-spam. Possibly a merger with CSE would be a more logical first step. Merger with CIS has been suggested by:

  • Alleksis here who thinks the stand-alone product should be retained after merger.
  • Security maniac here.

Here’s my opinion on this interesting topic, for what it is worth.

Advantages of CAS’s challenge response policy, and separate email storage
CAS, as currently designed, has four powerful advantages over most anti-spam systems:

  • 100% (or so nearly 100% as makes no difference) spam exclusion
  • spam mails are kept out of email client inboxes entirely both because quarantined mails are kept in a separate database, and because of 100% exclusion
  • CAS is capable of fully automated operation. (Most antispam systems require you to regularly review a folder full of probable spam)
  • it avoids the high costs (whether financial costs or community effort) of maintaining accurate public blacklists, or effective spam filtering rules.

Disadvantages of the challenge/response policy
These are substantial advantages, but the technique currently used to achieve 100% exclusion, challenge-response, has significant disadvantages, too:

  • users don’t like the idea that friends and colleagues may receive challenge emails
  • recipients of challenge emails may not do what is asked and may be discouraged from further communication with you
  • challenge emails, both because of their similar format and because of the quantity that may be sent, can be blocked by other anti-spam software
  • CAS can be seen as adding to spam, if you consider CAS challenge emails to be spam. (Although of course if everyone used CAS spam might be greatly reduced in volume, as there would be no point in sending it!)

Reducing the disadvantages
The disadvantages can be reduced considerably by good software design. Having fully editable challenge emails (and all other emails) helps with three of these. Making sure that comprehensive whitelists are built, automatically, from installation will help with all four. It’s also important to help users develop confidence in the challenge-response approach, which they are likely to find unusual and unexpected. The building of confidence can be addressed by careful explanation in installation routines, a simulation mode perhaps, the option to progress to challenge-response gradually via a less ‘unexpected’ approach, the option to delay sending challenge emails to give time for quarantine database review, and the ability to keep user-viewable logs of challenge emails sent.

But there’ll still be some people it will never suit
But for some users challenge-response will never be right. For example, if you are a salesperson and receive sales leads by email from previously unknown people, you are not going to want to run the risk of discouraging potential customers. If you are trying to run a very user-friendly support service of some description, the same applies.

Alternative spam filtering policies
If CAS is to appeal to all then, CAS needs to add email exclusion policies more suitable to such groups. Important questions then are:

  • How far does Comodo want to go beyond its sworn default-deny philosophy to provide for such groups? For example, the most commonly used commercial policy, filtering out emails that have spam characteristics or which are on DNSBL lists, is default-allow.
  • How far away from 100% spam exclusion is Comodo willing to go? CAS achieves 100% exclusion precisely because it is default-deny.
  • How costly a solution is Comodo willing to entertain?

Some possibilities are:

  • develop an ‘assisted manual filtering’ mode, in which all mail which is not on white or black-lists is presented to the user for review. In fact this mode already exists in CAS, it just needs to be revealed & slightly enhanced. This approach is default deny and excludes 100% of spams (subject to user error).
  • develop a hybrid approach in which people start with a default-allow blacklisting approach and move over time to a default-deny approach (whether assisted manual filtering or challenge response), as they build their whitelists
  • develop a better default-allow approach than anyone else, perhaps using Melih’s suggestions of employing large numbers of people to check and maintain blacklists, or using a proper Bayesian approach with multiple independent ‘sensor’ modules contributing to spam probability. (In the latter approach the sensor modules might be developed by a community, or by a significant sized group of Comodo employees). This option seems to go with CAS becoming a paid Comodo service, as there is a lot of labour cost involved!

Any other options? What do you think? Please add your comments everyone!

[NB: This is a deliberate partial repost by the forum Moderator].

It seems to me that the advantages and disadvantages associated with using client specific plug-ins can be broken down as follows. Those associated with integrating:

  • The user interface
  • Data storage
  • Email protocol processing

In my opinion there would seem to be clear advantages in integrating email processing, significant advantages in integrating the user interface which however need to be weighed against a reduction in the range of clients supported. There would seem to be significant disadvantages in integrating data storage.

So one question is - can some parts of CAS be integrated but not others?

The user interface
Advantages
Convenience of invoking client directly from email client
Convenience of harmonising user interface look and feel

Disadvantages
UI needs to be crafted and maintained for each email client

Data storage
Advantages
Can use data storage and manipulation services in client instead of creating own

Disadvantages
Distasteful spam emails are visible in client
Malware in spam may exploit client services to breach security. (CAS by contrast, as a separate spam filter can be locked down hard in CIS to prevent security breaches).
Direct user manipulation of critical CAS data may be difficult to prevent, resulting in corruption.
Data access services have to be separately crafted for each client, requiring extra effort.

Email protocol processing
Advantages
Range of email protocols can be extended at little additional effort
Email protocols can be kept up to date at little additional effort
The unreliability associated with transparent proxies can be avoided (aka Layered Service Providers).

Disadvantages
None obvious, though interface to email processing services would have to be crafted for each client, this would probably not be a big job.

Cloud technologies pose both threats and opportunities to CAS:

Threats

  • More people will be using webmail, less client based email. CAS as currently implemented cannot filter webmail
  • The challenge emails required by CAS’s challenge-response approach probably cannot be sent by web servers. Too many similar emails from one web server would doubtless trigger spam filters

Opportunities

  • No-one seems to be offering third-party spam filters for web mail. Yet email forwarding technology appears to allow this
  • No-one seems to have thought much about hybrid client/server based spam filtering models, how these two technologies might work together
  • No-one seems to have thought much about hybrid default-deny & default allow systems.

CAS and Comodo have strengths & weaknesses to face these threats & opportunities:

Strengths

  • Comodo has cloud/server-based security experience, in particular URL verification lists. It also has strengths in secure email.
  • Comodo has a business model that has allowed it to commercialise the previously unprofitable. This might allow it to commercialise reliable DNSBL lists.
  • CAS’s default deny policies - challenge response and assisted manual filtering – allow 100% spam filtering
  • CAS’s approach keeps spam out of the email client

Weaknesses

  • CAS may be badly coded and difficult to adapt to a new role
  • Some people don’t like CAS’s challenge response system

A possible strategy which uses CAS & Comodo strengths, while avoiding a weakness
Make use of email forwarding to offer a server-based spam filtering service for webmail. People forward mail to Comodo filtering servers which filter the mail then direct the mail back to another email box with the same webmail provider. The filtered mail can then be read via a webmail service or an email client.

The filtering works using hybrid default deny/allow and client/server techniques:
The server pre-filters arriving mail, checking against server-based blacklists specifically designed not to give false rejections – maybe some Comodo server-based whitelists are involved here as well. Melih’s URL checking filtering and reliable blacklist suggestions are employed - see here under ‘Alternative Email Filtering Policies’ . Maybe CIS’s AV lists are used to filter as well.
The pre-filtered mail is then checked against personal (client or server-based) whitelists, and optionally against Comodo server-based whitelists. Where there is a match the mail is passed through, where there is not then, according to user choice, either:

  • CAS challenge response message is sent from client software, this generates less challenge mails because the mail is pre-filtered
  • the user is alerted by client software, and asked to manually check the mail. This is more feasible because the mail is pre-filtered.

This strategy, like CAS, yields 100% spam filtering and keeps spam mail out of email clients and the webmail server mail boxes which are consulted from day to day. The strategy could easily be adapted to support those who want only black-list based filtering by strengthening the initial filter and eliminating the whitelist stage.
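
The hybrid default-allow/default-deny pipeline described in the strategy post above, sketched as an added example (not part of the original thread and not Comodo's code). All list contents, addresses and messages are constructed, and the function names and verdict strings are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed lists: stand-ins for the server-side and personal lists in the post.
SERVER_SENDER_BLACKLIST = {"bulk@spam.example"}
SERVER_URL_BLACKLIST = {"bad.example"}        # blacklisted hosts, subdomains included
SERVER_WHITELIST = {"billing@bank.example"}   # optional vendor-maintained whitelist
PERSONAL_WHITELIST = {"alice@friends.example"}

URL_HOST = re.compile(r"https?://([^/\s:>\"']+)", re.I)

def body_text(msg):
    """Concatenate the decoded leaf parts so URLs in multipart mail are seen."""
    parts = [p for p in msg.walk() if not p.is_multipart()]
    return "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in parts)

def blacklisted_host(host):
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in SERVER_URL_BLACKLIST)

def classify(raw, fallback="challenge", use_server_whitelist=True):
    """Return (verdict, reason); fallback is the user's default-deny choice:
    'challenge' (challenge-response) or 'review' (assisted manual filtering)."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Stage 1: server pre-filter. Runs first, so a forged whitelisted From
    # does not carry a blacklisted URL past the whitelist stage.
    if sender in SERVER_SENDER_BLACKLIST:
        return "reject", "sender on server blacklist"
    if any(blacklisted_host(h) for h in URL_HOST.findall(body_text(msg))):
        return "reject", "URL on server blacklist"
    # Stage 2: whitelists pass known correspondents straight through.
    if sender in PERSONAL_WHITELIST:
        return "deliver", "personal whitelist"
    if use_server_whitelist and sender in SERVER_WHITELIST:
        return "deliver", "server whitelist"
    # Stage 3: default deny. Nothing unknown reaches the inbox.
    if not sender:
        return "quarantine", "no sender address to challenge"
    action = "challenge" if fallback == "challenge" else "review"
    return "quarantine+" + action, "unknown sender"

def mail(sender, body):
    """Build a constructed test message."""
    return f"From: {sender}\nSubject: test\n\n{body}\n"
```

Matching whitelists on the From header alone is spoofable, so a deployment would bind whitelist entries to an authenticated sender identity (for example SPF or DKIM results) before the deliver decision.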