IT managers struggle every day in the fight against spam in the enterprise. Forget about telling users to reply to spammers’ e-mails with the subject “Remove” in the headers. Doing so only tells the spammer that the e-mail address is legitimate and will probably bring more junk mail your way. For this and other reasons, spam is difficult to fight head-on, so IT managers must develop other ways to battle it.

In a recent article, TechRepublic writer Brian Hook outlined several ways IT managers can control spam. This article highlights some entries on how to fight spam from the discussion that followed Hook’s article.

A hard-line approach for users
One way to fight spam is to develop an e-mail policy and educate your organization’s users. If users disregard company policy on spam, S. Chandler believes that a hard-line approach is called for. “…There are two truths about spam,” Chandler said. “You cannot stop it and you cannot successfully educate users on how to fight it. But you can make users pay for opening attachments containing viruses.

“You can make users, who disobey company policy regarding the opening of e-mail from unknown sources, pay for part of the damage,” he said. Here’s how he proposes to do it:

  • Develop a zero tolerance policy toward opening attachments.
  • Make sure every employee knows about and understands the policy.
  • If your organization uses Microsoft Outlook, make sure the Inbox preview window is turned off so users will have less of a chance to open attachments.
  • Ensure that employees understand they will be fined for any e-mail or network damage incurred from or through their accounts or workstations.

“If you can’t beat it, you can, at least, mitigate the damage,” he said.

Good luck, said TechRepublic member Jill about Chandler’s process. “Considering most viruses deliver their payload at a later time than when they’re installed, your policy would only work if every person in your company had a dedicated machine that they didn’t share with others and that nobody else could have logged in to,” she said.

She is also concerned about imposing such a tough policy on users. This could be a detriment to employee morale, she said.

“(It’s) better to hire someone to specifically take care of making sure that the systems are clean and stay clean…it may be expensive to hire another person, but I think if you implement a policy like that one, you’ll pay more in terms of lost production from your existing people,” she said.

Use targeted education campaigns
In response to S. Chandler’s views, Bill Schirf, a senior systems engineer, said that the zero tolerance approach might be the right idea but may not work. “But even computer-savvy users have a hard time managing spam (and) viruses. Even with the Outlook preview screen turned off, if you delete one message, Outlook, by default, will automatically open the next message,” he said.

Schirf offered an approach that’s easy on users and will reduce spam:

  • Keep spam from reaching your users by stopping spam at the point-of-presence (POP) with server filters.
  • Continually educate users about spam and its dangers.
  • Offer suggested remedies that users can understand.

Educating users about spam is the number one strategy Ilana Trager uses in her organization. An information systems manager in Washington state, Trager said that organizations should coach users to manage spam themselves because spammers can find their way around filters.

She also said that with filters in place, she spends a lot of her time sorting blocked messages for legitimate e-mails.

“The only way I’ve found that seems to work efficiently is to educate the end user,” she said.

She offered a list of don’ts users should heed:

  • Never reply to spam.
  • Don’t get suckered by the “Remove” procedures.
  • If you’re using Outlook, turn off the Out Of Office Auto Reply.
  • Use the junk filters provided by your e-mail client.
  • Instruct users on how to forward spam to the IT team or to the ISP from which the spam originated.

“So far, it’s working pretty well. The [users] who have gotten a lot of spam in the past have it under control, and the rest of us don’t seem to be getting much spam at all,” she said.

Look into the law
TechRepublic member Phil Hall suggests that IT managers look into state laws that are on the books designed to combat spam. “Many states, like Iowa, have antispam laws on the books now (in Iowa’s case, it’s Iowa code 714E) that allow recipients to charge the sender $500 per incident; failure to comply allows the recipient to pass it to the State Attorney General,” said Hall, an IT technician for the VGM Group.

“Personally, the ‘real-time black hole’ list is a joke. We tried that at work and it failed. Also, there simply are too many companies with their mail gateways misconfigured (like being able to have EACH e-mail server reverse lookup), which is an RFC standard, but most companies apparently don’t know crap.”

Hall said the easiest way to deal with spam would be to strengthen antispam legislation. “We need (in the USA) to have 47 USC 227 altered to specifically cover unsolicited e-mail. Then there would be federal legislation. (As it stands, 47 USC 227 is unclear and as a result can’t be used.)”
