Knowledgeable humans are still the best spam filters

Spammers and phishers spoof the addresses, subject lines, and contents of legitimate emails from popular services. A simple rule of thumb can help spot the fakes.

Spammers and phishers spoof the addresses, subject lines, and contents of legitimate emails from popular services. A simple rule of thumb can help spot the fakes.

Both spam filters and increasing awareness of the most simple forms of trickery are allowing many users to more easily detect and avoid opening spam and phishing emails. While automated spam filters are far from perfect — one must effectively choose between a filter that doesn't catch everything it should or a filter that catches things it shouldn't — they are getting better at filtering out the simple stuff.

The spammers and phishers are not taking this lying down, however. As with the Cold War between the United States and the Soviet Union, there is an arms race going on between mass unsolicited emailers and the people trying to detect, and defend against, their efforts. Every time a new solution is available that provides better detection and protection, it turns out the spammers and phishers have already developed an even better way to get around your defenses and have already been using it for a while. Unfortunately, the defenders are always a couple of steps behind in the technological arms race. It takes human judgment to really beat the spammers and phishers.

The most knowledgeable and careful among us tend to be fairly immune to these problems. For instance, by reading all email in plain text, with zero markup parsing and no image displaying, some of us have rendered ourselves effectively untouchable by the efforts of phishers: it tends to be safe to open emails from such miscreants as plain text, since the scripting and markup tricks phishers use to get computers to do their dirty work for them without the permission of the user are rendered inert and ineffective when the email client does not parse the content as markup. The day may come when someone finds a way around even that level of caution, but by then the most knowledgeable about email security will probably have come up with an even better way to deal with the issue.

The fact remains, though, that no matter how well the most knowledgeable (and careful) among us can defend ourselves against phishers and spammers, the majority of email users have neither the understanding nor the tools to similarly defend themselves. More depressingly, many people who should know better refuse to use such tactics as viewing emails only in plain text at least until the safety of the email in question has been determined to be safe and genuine with certainty.

One of the keys to protecting yourself is to avoid acting impulsively when it comes to email. Another is to minimize the tendency to let the computer do your thinking for you, especially considering how bad computers are at approximating "thinking". Relying solely on safety rules imposed by an application developer is a recipe for failure, in part because by the time the newest version of an application gets to the end user the chances are good that these rules are already out of date. It is even worse when using email Web client software such as one of Microsoft's flagship offerings, Windows Live Hotmail. Such services typically "help" you by defaulting to opening new messages when users try to select a message or even when they simply delete another message in the same "mailbox". From a security perspective, this kind of email interface behavior is simply unacceptable, but it is essentially the norm for Webmail.

Going back to acting impulsively, however, a constant problem for phishing and spam email is the tactic of spoofing, or taking on the appearance of, legitimate emails from popular Web services. It is a constant problem, rather than a solved problem, largely because the efforts to spoof legitimate emails are becoming more sophisticated. This is an attack not only on the ability of spam filters to weed out the bad apples, but also on the ability of end users to recognize something "phishy" about the malignant emails — at least until it is too late, and most users have already opened the email.

By curbing the tendency to act immediately and impulsively when dealing with such emails, a simple rule of thumb can help defend against the attempts to trick us into trusting an email we should not, in fact, trust. The rule is simple: have patience.

Specifically, whenever you get an unexpected email from something like Amazon, PayPal, Facebook, eBay, or even Chase Bank, wait a while before opening it. Wait at least 12 hours, in fact. The theory is quite simple: when botnets start sending out phishing and spam emails targeting users of specific services or customers of specific businesses, they tend to send everyone several such emails in a short period of time. If you get one such email now, chances are good that you will get a couple more in the next twelve hours or so, with the same subject line, or at least as subject line that is recognizably similar. Even if a legitimate email of the type being spoofed involves some kind of request for confirmation, such requests tend to take at least 24 hours to expire (usually longer), meaning that waiting somewhere in the range of twelve to sixteen hours gives you plenty of leeway. Even if you let requests in legitimate emails expire, the default tends to be to let things remain how you set them up in the first place, so that there is probably no harm done by missing the deadline.

This simple technique of having patience, and looking for duplicate phishing attempts, is especially effective if you have multiple email addresses. In that case, more than one of your email accounts may well receive such spam or phishing emails spoofing legitimate communications from popular Web services, making the clumsy deception even more obvious.

Keep in mind that this is not a foolproof method of detection. There may be cases where only one such email arrives in your inbox in the first twelve hours, leaving you still uncertain, so that opening the email to read it in all its HTML- and JavaScript-parsed glory can still be dangerous. As always, you should engage your brain before dealing with any unexpected emails, and exercise your best judgment. Waiting before even considering opening such emails, however, may well help you improve your effectiveness and accuracy in identifying spam and phishing emails that try to sneak in past the BS filter in your brain.


Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Editor's Picks