By Kevin Savetz
Spam and e-mail viruses are more than nuisances. They tie up your employees' time and take a bite out of your IT budget by hogging bandwidth on your LAN and Internet connection. You can fight back against junk e-mail and virus threats with a well-designed and strategically placed e-mail filter. But a poorly implemented filter can remove important messages, which could cost you more than a barrage of useless e-mail.
An e-mail filter is software that scans messages for undesirable content, from annoying "make money fast" messages to hostile viruses. A filter can be installed on your company's LAN or work as an outsourced service. Filters range from simple to sophisticated; a basic filter scans for spam and viruses, while a more sophisticated filter can search for other criteria, such as pornography or confidential business information.
Spam filters are good things, but system administrators must implement them with care. If filters are too stringent, they can stop legitimate e-mail in its tracks; too lax, and spam and viruses will sneak through.
Local LAN filtering
Filters generally work using heuristics—a problem-solving method that uses rules of thumb rather than a strict formula. The process compares messages to lexicons of spam words and checks for attachments that fit the profiles of viruses. Some advanced tools keep track of whom you regularly communicate with, as well as correspondence from unfamiliar sources, and employ more stringent filters against strangers' e-mail. The simplest filters scan only message headers, while more advanced filters scan the message body as well. Other filters use "black hole" lists of known spammers that are published online and updated as spammers change their tactics and points of attack. The most popular is the MAPS Realtime Blackhole List.
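The heuristics described above can be sketched in a few lines. This is an added example, not code from any product named in this article; the lexicon, weights, thresholds, addresses and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed lexicon, weights and thresholds (assumptions for illustration).
LEXICON = {"make money fast": 3.0, "act now": 1.5, "free": 0.5, "winner": 1.0}
RISKY_EXTENSIONS = (".exe", ".vbs", ".scr", ".pif")
KNOWN_SENDERS = {"partner@supplier.example"}      # regular correspondents
THRESHOLD_KNOWN, THRESHOLD_STRANGER = 5.0, 2.5    # strangers get the stricter bar

def make(sender, subject, body):
    return message_from_string(f"From: {sender}\nSubject: {subject}\n\n{body}\n")

def score(msg, scan_body=True):
    """Weighted lexicon hits; scan_body=False models a header-only filter."""
    text = msg.get("Subject", "")
    total = 0.0
    if scan_body:
        for part in msg.walk():
            payload = part.get_payload()
            if part.get_content_type() == "text/plain" and isinstance(payload, str):
                text += "\n" + payload
            # Attachment names that fit a common virus profile.
            if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
                total += 4.0
    text = text.lower()
    return total + sum(w * len(re.findall(re.escape(p), text))
                       for p, w in LEXICON.items())

def classify(msg, scan_body=True):
    """Return (score, suspect). From: is forgeable, so treating a sender as
    known is a tuning aid here, not proof of who sent the message."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    limit = THRESHOLD_KNOWN if sender in KNOWN_SENDERS else THRESHOLD_STRANGER
    s = score(msg, scan_body)
    return s, s >= limit

# Constructed sample messages.
SPAM = make("x@bulk.example", "Make money fast", "Act now, free offer inside")
PARTNER = make("Partner <partner@supplier.example>", "Free shipping, act now",
               "You are a winner in our loyalty draw")
STRANGER = make("promo@unknown.example", "Free shipping, act now",
                "You are a winner in our loyalty draw")
BODY_ONLY = make("y@bulk.example", "Hello", "Make money fast")
```

The same text scores 3.0 from both senders, but only the stranger's copy crosses its threshold, and the header-only pass misses `BODY_ONLY` entirely.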
Large and medium-sized enterprises will want to consider running filtering software within their LANs. This software can run on the mail host or on a standalone filtering server.
Your mail server may have some built-in filtering capabilities. For instance, Sendmail can disable mail relaying and includes an access database that allows administrators to reject mail from certain domains. Sendmail can also be set to refer to the MAPS Realtime Blackhole List. Microsoft Exchange Server can be set to reject relayed mail as well. These built-in filtering options are a good first line of defense against spam but often are not powerful enough to block serious spam attempts or e-mail viruses.
Compared to an outsourced filtering service, local filtering has a key advantage: Filtering software can screen intraoffice e-mail. If an e-mail virus gets into the network, filtering intranet mail will keep the virus from flooding the local network.
These are some popular filtering software products:
Mirapoint's Message Director is an industrial-strength solution for local filtering. The rack-mount hardware device connects between your router and mail servers. In addition to spam and virus filtering, the unit can perform outbound message content filtering, which can be used to ensure that sensitive material is not sent out without proper authorization. This works with any e-mail server and supports POP3, IMAP, and other common messaging protocols. Prices for the Message Director start at $26,000.
Junkfilter is free software that works with procmail (a popular mail processing utility) to extract spam. It works at both the individual user level and the system level, but the creator discourages its use systemwide for networks with heavy e-mail loads. Procmail works under standard mail servers running on UNIX and Linux but not Windows NT/2000.
Options for Windows NT/2000 environments include CommandView and Tumbleweed Messaging Management System.
It takes IT resources to configure, maintain, and update filters on an internal mail server. If yours is a smaller business or your IT staff is already tapped, an outsourced filtering service may be a better solution. You won't have to update filters when new viruses are released or spammers try new tactics.
What CNET Enterprise readers are doing to combat spam
John Stockman: "We have created a spam mailbox for users to forward these messages to. Once a day, we review these submissions and add entries to our blocking and content filters. We are now blocking nearly 10 percent of all incoming messages through this automatic filtering system."
Jason Rabel, Webmaster, Extreme Overclocking: "[You] can edit the [Sendmail] Access.conf file to reject domains, e-mail addresses, IPs, and so on. So as spam comes in, I check the entire header to see if I can find a legitimate origin. If so, I send an e-mail and Cc: the letter to an admin of the domain...then I add that e-mail/IP/domain to my reject list. I've already killed off many junk domains that have open relays, and I'm contemplating killing off [other entire domains]."
Dave Therault, Field IT Manager: "The best thing I've found for spam is Brightmail.com. (I use Spaminator, the EarthLink private label of it.) There are always 100 to 200 spammies sitting in my Spaminator account, and I only receive about one to three spams a day...I have two of my e-mail addresses forwarded to a Motorola two-way pager, where I pay for service by the character. So far, I have kept those addresses from getting spammed. When enough people paying a nickel for every hundred characters start getting spammed, we'll see some laws with teeth in them."
On the downside, sending e-mail to an external filtering service adds a layer that can slow down delivery. Managers may worry that routing outbound e-mail through another company's server could compromise confidentiality, but unencrypted e-mail is always prone to being sniffed. Filtering does not significantly increase the possibility of outbound or inbound messages being intercepted.
Outsourced filtering options include MessageLabs' SkyScan and Postini's Junk Email Assistant.
The cost of these services varies considerably, depending on the features you want (spam filtering, virus filtering, or both) and the number of e-mailboxes to be scanned. Postini, for instance, charges $1.50 to $2.50 per month per user for spam and virus scanning. MessageLabs quoted a starting price of $1.50 per user per month.
Whichever option you choose, no filtering tool is perfect. "The moment you automate anything, there is the risk that you're going to have a little bit of collateral damage," says Satish Ramachandran, CEO of Mirapoint. "Those fishing nets that are out to catch tuna—invariably they catch some dolphins as well."
With some software, legitimate commercial e-mail and mailing list messages can resemble junk mail. Also, black hole lists may temporarily block messages from legitimate business partners, so how your filtering tool handles suspected spam could make all the difference.
Configuring your filter
Most filtering tools offer choices for how to treat potential spam. Suspicious messages can be tagged (using a header field such as X-SPAM: yes) but delivered normally. The recipient can then use an e-mail client filter to delete the message or move it to a special folder. Suspect messages can also be moved automatically to a gray list e-mailbox, where they can be verified by staff. Or messages can be deleted. Simply throwing away messages is the worst option; if the software is wrong, it could trash vital messages.
"Most people start off cautiously, letting it all through and logging hits to see if the stuff we're tagging really is spam. Once they are confident, they generally go for the full block," says Alex Shipp, chief antivirus technologist at MessageLabs.
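The handling choices and the cautious rollout described above, as an added example rather than any vendor's implementation. The mode names, the destination labels and the sample batch are assumptions, and the suspect flags stand in for a scanner's verdicts.

```python
import logging
from collections import Counter
from email import message_from_string

log = logging.getLogger("mailfilter")
MODES = ("log", "tag", "quarantine", "delete")

def dispose(msg, suspect, mode="log"):
    """Return (destination, message) for one scanned message."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    # Remove any X-SPAM header the sender supplied, so the field only ever
    # carries this filter's verdict.
    del msg["X-SPAM"]
    if not suspect:
        return "inbox", msg
    # %r keeps folded or odd header values on a single log line.
    log.info("hit mode=%s from=%r subject=%r", mode, msg["From"], msg["Subject"])
    if mode == "tag":
        msg["X-SPAM"] = "yes"      # delivered; a client rule can file it
    if mode in ("log", "tag"):
        return "inbox", msg        # "log" only records the hit
    if mode == "quarantine":
        return "graylist", msg     # held for staff review, still recoverable
    return "discard", None         # irreversible if the verdict was wrong

def run(batch, mode):
    """Tally destinations for (raw_message, suspect) pairs."""
    return Counter(dispose(message_from_string(raw), s, mode)[0]
                   for raw, s in batch)

# Constructed batch of raw messages with stand-in verdicts.
BATCH = [
    ("From: a@bulk.example\nSubject: Make money fast\n\nhi\n", True),
    ("From: list@news.example\nSubject: Weekly digest\nX-SPAM: yes\n\nhi\n", False),
    ("From: b@bulk.example\nSubject: offer\nX-SPAM: no\n\nhi\n", True),
]
```

Running the same batch in `log` mode first and comparing the logged hits against what users report is the measurement step; only the `delete` mode loses mail when a verdict is wrong.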
A diverse array of mail filtering options exists and, with a little research, any organization can find the one that best suits its needs, budget, and mail volume. Many large organizations will benefit most by using an in-house mail filter, though outsourcing may be the answer for organizations with a taxed IT staff. Some enterprises may get the best of both worlds if their ISP is willing to filter messages on its mail server. This will provide a local filter and distribute the cost across multiple clients.
No matter which method you eventually choose to fight e-mail spam and viruses, your planning and cautious implementation will ultimately pay off—for your users and for your bottom line.
Kevin Savetz, a frequent contributor to CNET Enterprise, is a freelance computer technology writer who has specialized in the Internet since 1992.
This document was originally published by CNET on June 21, 2001.