
Lock IT Down: Know your resources in the war against spam

Find allies in the battle against spam


Just last week I received eight credit card offers, twelve sexually explicit ads, six ads for online pharmaceuticals, and numerous other solicitations all not so subtly designed to part me from my money. I’m being spammed on a daily basis.

Since the first spam, sent in 1978 by Einar Stefferud, this particularly irritating form of advertising has grown to where, according to a May 2003 article in Information Week, unprotected e-mail users waste an average of 200 minutes processing spam for every 1,000 messages they receive—adding up to an unbelievable 3.5 hours of lost productivity per person per month. And if the loss in productivity is not a sufficiently compelling reason to apply resources to the war on spam, just consider the ramifications of the offended employee shocked by the contents of a message bringing a hostile work environment suit against the company.

So if you’ve made the decision to filter incoming e-mail, your next step is to determine exactly how. A basic search on the Internet will reveal a confusing plethora of options: products, methods, and services. How do you decide which is the best choice for your environment? Regardless of whether you decide to use a service, purchase an add-on for your e-mail server, buy a client-based product, or filter at the perimeter of your network, a basic understanding of spam control methodologies will help your decision-making process. Here’s an evaluative summary of a few of the methodologies most frequently employed.

Content filtering
(Example products/services: ESafe, GFI MailEssentials and SpamKiller)

This method scans the subject line and/or message contents for specified individual words and phrases. Most products that offer this form of filtering supply a canned list of words that can then be customized to meet your specific needs. While this method is appealing in its simplicity, it’s too crude to be seriously considered as a total solution. If the list of words and phrases is sufficiently comprehensive to block most spam, it will also block many legitimate messages, especially if used in a multilanguage environment. Word lists require a great deal of maintenance. Many spammers succeed in thwarting content filtering by disguising certain key words and by embedding all text within file types the scanner cannot read. Content filtering is a useful method when used as one aspect of a total solution.

Heuristic filtering
(Example products/services: SpamAssassin, SpamKiller and ScanMail eManager)

Heuristic filtering takes content filtering to the next level by scanning message subject and contents for patterns. Most products utilizing heuristic scanning apply rules to each message to determine its degree of compliance with known spam words/phrases and scores are applied accordingly. A message is then classified according to its total score. Some applications allow the strength of the heuristics applied to be selected by the user—the stronger the heuristics the more spam will be blocked—but this also increases the risk of blocking more legitimate messages. In general, heuristic filtering is more sensitive and effective than content filtering, but it cannot protect against all forms of spam.
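The two methods just described, as an added example that is not part of the original article or of any of the products it names: a plain word-list content filter beside a weighted-rule heuristic scorer with an adjustable threshold. The word list, the rules and their scores, and the two sample messages are all constructed for this illustration. Both filters first collapse spaced-out words (the "disguised key words" the text mentions) so that the comparison between the two methods is about scoring, not about normalisation.

```python
import re

# Constructed word list and rule set for this example; real products ship
# their own, much larger, lists. Scores are illustrative, not any product's.
BLOCK_WORDS = {"viagra", "mortgage", "unsubscribe", "free"}

RULES = [
    # (rule name, pattern, score). subject_all_caps is checked on the raw
    # subject; every other rule runs on the lower-cased, normalised text.
    ("subject_all_caps", re.compile(r"^[A-Z0-9 .!$%]{12,}$"), 1.5),
    ("money_amount", re.compile(r"\$\s?\d[\d,]*"), 1.0),
    ("excess_exclamation", re.compile(r"!{3,}"), 1.0),
    ("click_here", re.compile(r"click here"), 1.5),
    ("pharma_word", re.compile(r"\b(viagra|cialis)\b"), 3.0),
    ("free_offer", re.compile(r"\bfree\b"), 1.0),
    ("remove_instructions", re.compile(r"to be removed|unsubscribe"), 0.5),
]

# Three or more single letters joined by '.', '-', '_', '*' or blanks,
# e.g. "v.i.a.g.r.a": the disguised key words the article refers to.
SPACED_WORD = re.compile(r"\b(?:[a-z][.\-_*\s]){2,}[a-z]\b")

def normalise(text):
    """Lower-case the text and collapse spaced-out words so that matching
    sees the token the sender meant the reader to see. Ordinary hyphenated
    words ("e-mail", "free-offer") are left alone."""
    return SPACED_WORD.sub(lambda m: re.sub(r"[^a-z]", "", m.group(0)),
                           text.lower())

def content_filter(subject, body):
    """Plain content filtering: return the blocked words found anywhere in
    the message; any hit at all means the message is dropped."""
    text = normalise(subject + " " + body)
    return sorted(w for w in BLOCK_WORDS if re.search(r"\b" + w + r"\b", text))

def heuristic_score(subject, body):
    """Heuristic filtering: add up the scores of every rule that fires and
    return (total, names of the rules that matched)."""
    norm = normalise(subject + "\n" + body)
    total, matched = 0.0, []
    for name, pattern, score in RULES:
        target = subject if name == "subject_all_caps" else norm
        if pattern.search(target):
            total += score
            matched.append(name)
    return total, matched

def classify(subject, body, threshold=5.0):
    """A lower threshold is the 'stronger heuristics' setting the text
    describes: it catches more spam and also more legitimate mail."""
    total, matched = heuristic_score(subject, body)
    return ("spam" if total >= threshold else "ham"), total, matched

# Constructed sample messages.
SPAM = ("FREE V.I.A.G.R.A NOW!!!",
        "Click here for $1,000 savings. To be removed reply STOP.")
HAM = ("Re: mortgage paperwork",
       "Hi, attached is the free appraisal form you asked about. Thanks.")

if __name__ == "__main__":
    for label, (subj, body) in (("spam", SPAM), ("ham", HAM)):
        print(label, "content filter hits:", content_filter(subj, body))
        print(label, "heuristic verdict:", classify(subj, body))
```

Run as written, the word-list filter blocks both messages (the legitimate reply about a mortgage contains two listed words), while the scorer gives the spam 9.5 points and the legitimate message 1.0, which is the difference between the two methods the text describes: a single word is evidence, not a verdict.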

Tarpitting
(Example products/services: VisNetic MailScan, Merak E-Mail Server, Alligate)

Tarpitting is an entirely different approach designed to thwart spammers. Instead of inspecting the contents of a message, tarpitting looks at such factors as the number of recipients or the number of unsuccessful delivery attempts. If a message has more than a specified number of recipients, for example, a delay is inserted between the delivery times of the message to each recipient. This delay has the effect of “tarpitting” the spammer, causing them to assume that the connection has stalled and cease sending. This use of tarpitting is particularly effective against spammers attempting to use your e-mail server as an open relay. Another example of tarpitting counts unsuccessful attempts to deliver a message. When this count exceeds a specified amount, the sender’s IP is blocked for the remainder of the session.
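Both tarpitting behaviours described above, modelled as an added example that is not code from the article or from any of the products it names: a per-connection policy that delays the reply to each RCPT TO command once a recipient count is exceeded, and that blocks the connection for the rest of the session after a number of failed deliveries. The thresholds, the local user list and the two simulated sessions are constructed for the illustration; a real server would sleep for the returned delay before writing its reply, whereas this model only reports it.

```python
from dataclasses import dataclass

@dataclass
class TarpitPolicy:
    recipient_threshold: int = 10   # RCPT TO commands accepted at full speed
    delay_step: float = 5.0         # seconds added for each recipient beyond that
    max_failures: int = 3           # unknown-user attempts tolerated per session

@dataclass
class Session:
    client_ip: str
    accepted: int = 0
    failures: int = 0
    blocked: bool = False

def on_rcpt(policy, session, recipient, local_users):
    """Decide the reply to one RCPT TO command.
    Returns (accepted, delay_seconds, smtp_reply). A real server would
    sleep for delay_seconds before sending the reply; this model reports it."""
    if session.blocked:
        return False, 0.0, "554 5.7.1 connection blocked for this session"
    if recipient not in local_users:
        session.failures += 1
        if session.failures >= policy.max_failures:
            session.blocked = True
            return False, 0.0, "554 5.7.1 too many failed deliveries"
        return False, 0.0, "550 5.1.1 user unknown"
    session.accepted += 1
    # Each recipient beyond the threshold costs one more delay step, so a
    # bulk sender sees the connection grow slower and slower.
    extra = session.accepted - policy.recipient_threshold
    delay = policy.delay_step * extra if extra > 0 else 0.0
    return True, delay, "250 2.1.5 recipient ok"

def run_session(policy, client_ip, recipients, local_users):
    """Feed a list of RCPT TO addresses through the policy and summarise
    what the sender would have experienced."""
    session = Session(client_ip)
    accepted, total_delay, replies = 0, 0.0, []
    for rcpt in recipients:
        ok, delay, reply = on_rcpt(policy, session, rcpt, local_users)
        accepted += int(ok)
        total_delay += delay
        replies.append(reply)
    return {"accepted": accepted, "total_delay": total_delay,
            "blocked": session.blocked, "replies": replies}

# Constructed local user list and two sample sessions (RFC 5737 test address).
LOCAL_USERS = {f"user{i}@example.com" for i in range(1, 21)}
BULK_SENDER = [f"user{i}@example.com" for i in range(1, 13)]
ADDRESS_GUESSER = ["nobody1@example.com", "nobody2@example.com",
                   "nobody3@example.com", "user1@example.com"]

if __name__ == "__main__":
    policy = TarpitPolicy()
    print(run_session(policy, "192.0.2.10", BULK_SENDER, LOCAL_USERS))
    print(run_session(policy, "192.0.2.11", ADDRESS_GUESSER, LOCAL_USERS))
```

With the default policy the twelve-recipient session is accepted in full but accumulates 15 seconds of delay on its last two recipients, and the session that guesses three non-existent addresses is blocked before it reaches a valid one. Because the failure counter is per session, a legitimate sender who mistypes one address is not affected.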

Blocking
(Example products/services: ESafe, SpamCop, MailProtector)

Similar to content filtering, spam blocking simply prevents messages from being delivered to the intended recipient if they were sent from a specified e-mail address, domain, server, IP address, or range of addresses. Some products offering this feature have a predefined list of known spammers that can be updated by download. This is another simple solution that requires almost daily maintenance: regardless of how many senders are added to the blocked list, new spammers constantly appear and old ones learn to disguise their identity. As with content filtering, blocking is useful only as an adjunct to other forms of spamicide.

Real-time black hole
(Example products/services: WebShield, AppRiver, IronMail)

Real-time black hole lists improve on simple blocking by comparing the sender’s domain against a real-time list of known spammers. Products using this methodology frequently scan and block mail at the gateway, thereby preventing spam from ever reaching the e-mail server. When considering a product or service that employs a real-time black hole list, it’s important to determine what type of list or lists it uses. In most cases the lists are made up either of domains or of open relays.

Whereas using real-time lists of domains is a very effective method of blocking spam without incurring a high risk of accidentally blocking legitimate e-mail, using lists of open relays is more problematic. An open relay is a mail server that is capable of processing messages where neither the sender nor the recipient is a local user. Open relays are frequently used by spammers to distribute their messages. Not every e-mail administrator is necessarily aware that their server is an open relay; hence blocking open relays could result in a high number of false positives. As general awareness and understanding of spam grows, this could become a more viable method of reducing spam.
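The static blocking of the previous section and the real-time lookup of this one share the same matching logic, so both are shown in one added example that is not code from the article or from any product it names. The static blocklist matches a sender address, a sender domain (including its subdomains) or the connecting IP against an address range; the real-time part builds the reversed-octet query name a DNS-based list is asked for and interprets the answer. The list zone names, the resolver and the addresses are all constructed (RFC 2606 names and RFC 5737 documentation addresses); a real deployment would resolve the name with a DNS library. Following the text's caveat, hits on an open-relay list are only flagged rather than rejected.

```python
import ipaddress

class Blocklist:
    """Static blocking by sender address, sender domain (and subdomains),
    or connecting IP address / address range."""
    def __init__(self, addresses=(), domains=(), networks=()):
        self.addresses = {a.lower() for a in addresses}
        self.domains = {d.lower() for d in domains}
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]

    def match(self, sender, client_ip):
        """Return which kind of entry blocked the message, or None."""
        sender = sender.lower()
        if sender in self.addresses:
            return "address"
        domain = sender.rpartition("@")[2]
        if any(domain == d or domain.endswith("." + d) for d in self.domains):
            return "domain"
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.networks):
            return "ip-range"
        return None

def dnsbl_query_name(client_ip, zone):
    """Build the name a real-time list is queried for: the IPv4 octets in
    reverse order under the list's zone, 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(client_ip, zone, resolve):
    """resolve(name) returns the A records for name, or [] if it does not
    exist. Lists answer with a 127.0.0.0/8 address; any other answer is
    treated as 'not listed', which guards against wildcard or dead zones."""
    answers = resolve(dnsbl_query_name(client_ip, zone))
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in answers)

def rbl_decision(client_ip, lists, resolve):
    """lists is [(zone, action)]: 'reject' for lists of known spam sources,
    'flag' for open-relay lists, whose hits carry the false-positive risk
    the text describes and so should only add a header or a score."""
    for zone, action in lists:
        if dnsbl_listed(client_ip, zone, resolve):
            return action, zone
    return "accept", None

# Constructed stand-in for DNS: query name -> A records.
FAKE_DNS = {
    "10.2.0.192.spam-sources.dnsbl.example": ["127.0.0.2"],
    "20.2.0.192.open-relays.dnsbl.example": ["127.0.0.3"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

LISTS = [("spam-sources.dnsbl.example", "reject"),
         ("open-relays.dnsbl.example", "flag")]

if __name__ == "__main__":
    static = Blocklist(addresses=["spammer@example.net"],
                       domains=["bulkmail.example"],
                       networks=["192.0.2.0/28"])
    print(static.match("news@mail.bulkmail.example", "198.51.100.7"))
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, rbl_decision(ip, LISTS, fake_resolve))
```

Two details matter in practice: domain entries must match subdomains too, or a blocked sender simply moves to a new host name under the same domain; and a DNS-based list must be checked for the 127.0.0.0/8 answer convention, since a zone that starts answering every query (or is taken over) would otherwise block all mail.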

RFC compliance
(Example products/services: Alligate, ActiveServers, SpamCop)

RFCs, or Requests for Comments, are the documents that define the standards for communication across the Internet. No one is forced to comply with RFCs, but it’s generally regarded as bad practice not to do so. Some antispam services/products offer the ability to block e-mail originating from a domain or IP address that is not RFC compliant. As with open-relay real-time black holes, implementing an antispam methodology based on RFC compliance carries a high risk of blocking a considerable number of legitimate messages. Again, as awareness of RFC compliance grows, this method will become more usable.
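The article does not say which RFC requirements such products test, so this added example (not code from the article or from any product it names) takes one check that is commonly meant by "RFC compliance": whether the argument of the HELO/EHLO command is a fully qualified domain name or an address literal, as RFC 2821 section 4.1.1.1 requires. The function reports why an argument fails so that an administrator can see what kind of legitimate senders a rejection policy would hit. Note that RFC 2821 section 4.1.4 says a server must not refuse mail merely because the HELO name does not match the client's address; that comparison is for logging only, which is the same false-positive concern the text raises.

```python
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen,
# at most 63 characters (RFC 1035 syntax as used by RFC 2821 section 4.1.2).
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
FQDN = re.compile(rf"^{LABEL}(?:\.{LABEL})+$", re.IGNORECASE)

def helo_syntax_check(argument):
    """Return (compliant, reason) for the argument of HELO/EHLO.
    RFC 2821 section 4.1.1.1 allows only a fully qualified domain name or
    an address literal such as [192.0.2.10] or [IPv6:2001:db8::1]."""
    if not argument:
        return False, "empty argument"
    if argument.startswith("[") and argument.endswith("]"):
        literal = argument[1:-1]
        try:
            if literal.lower().startswith("ipv6:"):
                ipaddress.IPv6Address(literal[5:])
            else:
                ipaddress.IPv4Address(literal)
            return True, "address literal"
        except ValueError:
            return False, "malformed address literal"
    if len(argument) > 255:
        return False, "name longer than 255 octets"
    if FQDN.match(argument):
        return True, "fully qualified domain name"
    if "." not in argument:
        return False, "not fully qualified (single label)"
    return False, "invalid characters in domain name"

def summarise(arguments):
    """Tally how many of a sample of HELO arguments a strict policy would
    reject, grouped by reason, so the false-positive exposure is visible."""
    rejected = {}
    for arg in arguments:
        ok, reason = helo_syntax_check(arg)
        if not ok:
            rejected[reason] = rejected.get(reason, 0) + 1
    return rejected

# Constructed sample of HELO arguments as seen in a server log.
SAMPLE = ["mail.example.com", "[192.0.2.10]", "[IPv6:2001:db8::1]",
          "localhost", "mail_server.example", "[999.1.1.1]", ""]

if __name__ == "__main__":
    for arg in SAMPLE:
        print(repr(arg), helo_syntax_check(arg))
    print(summarise(SAMPLE))
```

The single-label case ("localhost", a bare host name) is the one that most often belongs to a misconfigured but legitimate mail server, which is why a policy built on this check should start by logging or scoring rather than rejecting.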

This list of available methodologies is by no means exhaustive. As the volume of spam grows, so too do the options for its prevention. Whether you decide to employ a service, purchase a software package, implement a free solution or select an e-mail system with built-in antispam options, it’s vitally important that you fully understand all the implications of the methodologies employed. At the very least you should seek answers for the following questions for each solution you consider:
  • How high is the risk of blocking legitimate mail in this environment?
  • Can blocked mail be retrieved, and if so, for how long?
  • Is there an option for informing senders/recipients that a message has been blocked?
  • How many hours of maintenance are required?
  • How many different methods does the package employ?
  • Is it possible to customize the strength of each method, e.g., strong or weak heuristics?
  • What reporting tools are provided?

In the days when the occasional spam message interrupted our day we could afford to treat it as a mild irritation, fixed in a couple of seconds with a click on the delete button. Those days are long gone; it is now an insult to our sensibilities and a threat to our productivity; its management demands handling with commensurate importance and attention.

Regardless of the size of your spam prevention budget, there are certain steps you can take—at the very least—to reduce the volume of spam without spending a single penny:
  • Never follow the instructions for removing your address or unsubscribing from a spammer’s mailing list. In most cases this will not have the desired result; instead it is merely confirming the validity of your e-mail address.
  • Forward all spam to spamrecycle@chooseyourmail.com—this site offers a free service informing the Federal Trade Commission and Web filter developers of spammer’s addresses.
  • Never enter a company e-mail address in any Web site.
  • Ensure that your mail servers are not open relays; if you do not know how, http://www.mail-abuse.org/tsi/ar-fix.html contains instructions for over sixty e-mail systems.
  • Utilize any spam prevention tools you may already possess, such as the junk mail filter provided with Microsoft Outlook.
  • Do not automatically assign Internet addresses to all users. Even if all employees require internal e-mail, they do not necessarily need the ability to send/receive Internet mail. Require users to have written approval from their manager before they can receive an Internet address.
  • Delete unused addresses from your domain as soon as possible and do not reuse them.
