Spam, Spam, eggs, sausage, and Spam. Spam was a popular item on a diner's menu in a Monty Python sketch, but it's also an excellent description of the daily contents of my e-mail inbox.
Spam definition one: A meat-like substance that tastes good but may clog your arteries. Spam definition two: A message-like substance from a complete stranger that clogs your e-mail.
So why am I writing about e-mail in a security column? Because e-mail can adversely impact the operation of your network, either accidentally or intentionally; thus, it’s a security risk.
There's certainly no denying that a flood of e-mail can cause a denial of service attack whether intentional or accidental. If it hasn't happened to you already, it could. It has happened to businesses I’ve worked with.
Whether you are facing a major spam attack that takes your e-mail server down or an attack that affects just a full mailbox or two, your users lose messages. To outsiders, your business can appear inept.
There are programs designed to help filter out this mass of unwanted e-mail, but that means extra expense for installing and maintaining the software. And there is always the possibility that some messages that should get through will be accidentally blocked.
Prevention is the best medicine
It's better to avoid spam in the first place. There are strategies you can implement to greatly reduce the amount of spam aimed at your server.
The vast majority of spam comes from automatic scan programs, which watch newsgroups. Most Usenet chat is just that—chat. However, there are a number of newsgroups where people exchange useful computer-related information, from troubleshooting tips to discussions of new products. For some companies, newsgroups are also extremely fertile sources of information about consumer wants and complaints. Participation can also be a solid stealth-marketing strategy. So, while you might want a policy restricting newsgroup participation from work, it probably isn't a good idea to ban it entirely.
A growing amount of junk e-mail is acquaintance spam, which is triggered by visits to business sites that capture your employees' addresses while they legitimately seek product information. You probably already have a policy in place telling employees they shouldn't surf the Web on company time, but such policies obviously shouldn't stop authorized, legitimate surfing for product information.
As for unauthorized Web surfing, surveys have shown that company policies don't stop most workers from surfing, and it's difficult to block unauthorized Web surfing. And because some employees should be tracking newsgroup messages and perhaps even interacting with others in newsgroups to build company presence, it's important to find a simple way to battle spam.
Just configure one or more free e-mail accounts at any of the many Web portals offering this service and use them where appropriate. I find that mail.usa.com is a good choice because of the variety of address options available, such as server names for each state and each major city as well as the ease of configuring the mailbox to forward messages.
Forwarding messages is especially important if you expect a flood of e-mail about some special offer or other event, but you don't want to be bothered with people learning of it six months later and writing upon discovery. You can forward the initial surge of messages to any mailbox you desire, even changing the mailbox hourly or daily if necessary. When the event is over, just check the messages occasionally right at mail.usa.com or close the mailbox.
Once you get another address, set this as your reply address in any company browsers. Now users can surf the Web with impunity because the spam will go to the dummy mailbox that you can access if desired, or you can simply ignore it completely.
This is a painless way to eliminate most of the spam you would otherwise have to manage on your own server. But, there are other aspects of e-mail that directly concern security engineers.
Users tend to forget just how unreliable e-mail can be and how insecure it is. Also, your messages usually go through, but sometimes they get lost and are often altered. These changes are usually very slight formatting ones, such as altering tabs to spaces, but this should remind you that no e-mail message containing any confidential data should be sent in plaintext. Plaintext, of course, is cryptographer-speak for unencrypted.
John McCormick is a consultant and writer (five books, 14,000 plus articles and columns) who has been working with computers for more than 35 years.
Have a comment?
If you'd like to share your opinion, please post a comment at the bottom of this page or send the editor an e-mail.