Spam: Choosing the Right Defenses

By Jan E. Eighme

E-mail Story Print Story

Avoid Spam If You Can

To avoid as much spam as possible, a company must strive to keep its e-mail addresses off the mailing lists compiled by spammers (distributors of spam). A study done by the Center for Democracy and Technology found that spammers compile their mailing lists primarily by using address-harvesting programs to collect the e-mail addresses found on public websites. The study also found that writing an e-mail address in a slightly unconventional way can fool address-harvesting programs. For example, writing out the @ symbol in an address—abc at cpafirm.com—substantially reduces the probability that the address will be harvested from a webpage.

Additional ways of keeping e-mail addresses off spammer mailing lists include minimizing the number of e-mail addresses posted on the company’s website; avoiding the use of short, easy-to-guess e-mail addresses; embedding e-mail addresses in an image on the webpage; designing the webpage so that e-mail addresses are hidden until a visitor clicks on a link; and instructing employees, especially those who are receiving large amounts of spam, to guard their addresses. Employees should not use a business e-mail address for personal use or post it on discussion groups or other places where spammers are likely to harvest it. If an employee’s company e-mail address ends up on a spammer’s mailing list, the employee should not respond to spam; any reply, even an opt-out request, will confirm to the spammer that the address is valid. The result could be even more spam.

For very small companies, a spam-avoidance strategy may be all that is needed to keep spam under control. Most companies, however, will need to combine a spam-avoidance strategy with spam-filtering software or a service provider to achieve optimal results.

How Do Spam Filters Work?

No single spam-filtering methodology is 100% effective; therefore, good spam-filtering software and services typically use a combination of methods. Four of the most commonly used spam-filtering methods are:

• heuristic analysis,
• Bayesian filtering,
• signature matching, and
• traffic-pattern analysis.

A basic understanding of how these methods work can decipher confusing sales jargon and help users select the spam-filtering software or service that is most appropriate.

Heuristic analysis uses rules, sometimes numbering in the thousands, to detect spam. For example, an e-mail message from a “spam-friendly” country would violate a heuristic filter’s place-of-origin rules and be assigned a point value as a result. Additional rule violations, such as the use of the words “click here,” excessive use of dollar signs, and all capital letters in the subject line, would result in the assignment of more points. If the message’s point total exceeds a value set by the company as its spam threshold, the message is classified as spam.

A Bayesian filter compares the words in a sample of a company’s received spam to a sample of its legitimate e-mail. Each word in the two samples is scored based on how frequently it appears in the spam sample versus the legitimate e-mail sample. For example, words that appear only in the spam sample receive a high score, those that appear only in the legitimate e-mail sample receive a low score. The compilation of word scores is used to evaluate incoming e-mail. When an e-mail message arrives, an overall score is calculated based on the message’s word scores. If the score is above the spam threshold that the company has set, the message is classified as spam.

Signature matching utilizes decoy e-mail accounts that are established and monitored by the spam-filtering software or service provider. These accounts serve no other purpose than to collect unsolicited bulk e-mail, so the messages they receive are, by definition, spam. As messages come into the decoy accounts, they are “fingerprinted” (i.e., uniquely identified), and the fingerprints are stored in a database. The fingerprints of incoming e-mail messages are compared to those in the database. If an incoming message’s fingerprint matches one in the database, the message is classified as spam.

Traffic-pattern analysis examines e-mail transmission characteristics to determine whether an e-mail is spam. For example, if a sender transmits a high volume of e-mail in a brief time period, spam-filtering software or a service provider may conclude that e-mail from the sender is spam. Other transmission characteristics indicative of spam include sending e-mail to an excessive number of invalid e-mail addresses and routing e-mail in a way that attempts to conceal the sender’s identity.

Spam-Filtering Options

Desktop software, gateway software, and managed service providers are the primary spam-filtering options (see the Exhibit). A discussion of each option, including guidelines to help choose between them, is presented below.

Desktop software. Small companies may find that desktop spam-filtering software, which is installed on users’ PCs, is their best option for blocking spam. For under $50 per desktop, a company can install software that catches approximately 90% of spam and experiences a false positive (legitimate e-mail being mistaken for spam) less than 4% of the time. Because spammers are constantly changing their tactics, desktop software should be regularly updated to maintain its effectiveness; many software providers offer subscriptions for online updates.

Desktop software provides end-users with a great deal of control over e-mail filtering. End-users can usually “whitelist” e-mail addresses and domains from which messages should never be blocked and “blacklist” addresses and domains from which messages should always be blocked. In addition, end-users can often tweak a filter’s rules to match their preferences. For example, if a rule assigns points to e-mail messages that originate in a spam-friendly country, an end-user who has clients or colleagues in this country can turn the rule off or reduce its point value.

Desktop software also gives end-users substantial control over the handling of their spam. An end-user can decide whether spam should be deleted, “quarantined” in a separate folder, or tagged and delivered. The action can also be contingent upon the e-mail’s relative spam score and the company’s spam threshold.

Larger organizations may find that desktop software lacks the centralized control, scalability, accuracy, effectiveness, and reporting capability they need. They may also find that desktop software’s training and support requirements place too much of a burden on IT personnel. In addition, because desktop software allows malicious spam to reach end-user desktops before the filtering takes place, larger companies may decide that this option will not adequately protect the network from the problems that malicious spam can cause.

Users who decide desktop software is the right choice should look for a product that adds its controls to an e-mail program’s toolbar, uses Bayesian filtering, and is frequently updated online. Useful features include buttons that add e-mail senders to a whitelist or blacklist, a quarantine that deletes messages after a user-determined time period, and a control that adjusts the software’s filtering aggressiveness. Popular desktop-software vendors include MailFrontier, McAfee, Sunbelt Software, and Symantec.

Gateway software. Larger organizations will probably decide that desktop software cannot meet their spam-filtering requirements. Gateway software intercepts spam at the e-mail gateway, the point at which e-mail enters a firm’s computer network from the Internet. There are two primary gateway-software options: server software and appliance software. Server software is installed on a company’s e-mail server (a central computer that receives e-mail and distributes it to end-users’ PCs). Appliance software comes preinstalled in a self-contained hardware unit, known as an appliance, that sits between a company’s e-mail server and the Internet.

By filtering at the e-mail gateway, administrators can manage an organization’s spam-filtering policy rather than have end-users create policy through their desktop software. This is not to say that gateway software necessitates a “one size fits all” filtering approach. Many products offer management tools that allow a company to customize its spam policy for different groups and individuals. These tools can lessen the expense of administering gateway software and create greater end-user satisfaction.

Spam-filtering software running at the e-mail gateway allows for advanced filtering techniques, such as signature matching. On average, a gateway-software product will catch approximately 95% of a firm’s spam and experience a false positive as rarely as once per 10,000 messages. Beware that greater accuracy may come at the expense of spam-blocking effectiveness. Making it easier for legitimate e-mail to pass through a spam filter can also make it easier for spam to slip through. Many organizations, however, are willing to put up with a modest amount of spam in exchange for a high probability that legitimate e-mail will be delivered.

There are drawbacks to gateway software. The cost of ongoing administration can be substantial. It does nothing to reduce the volume of incoming e-mail. And companies with scarce resources may not be able to afford the upfront costs. Regardless of its drawbacks, gateway software is the only practical option for larger companies that desire an in-house solution.

Consumers should ask the following questions before purchasing gateway software: Does the product provide statistics on the types of spam received and who is receiving it? Can filtering emphasis be adjusted so that offensive spam, such as pornography, is filtered more aggressively than nonoffensive spam? How easily can end-users find messages that have been accidentally blocked? Popular vendors of gateway software include CipherTrust, Proofpoint, SonicWall and Symantec Brightmail.

Managed service providers. Managed service providers (MSP) are for organizations that prefer to outsource the chore of spam filtering rather than deal with it in-house. They are an accurate, hands-off solution that appeals to both larger and smaller entities, although very small companies may find them to be too expensive.

MSPs intercept spam before it reaches a company’s computer network by diverting the firm’s e-mail to a secure data center where a number of techniques—common ones being traffic-pattern analysis, heuristic analysis, and signature matching—are used to weed out spam. Legitimate e-mail is then passed along to the company’s mail server, while spam is usually quarantined at the data center or deleted.

Because they process millions of e-mail messages each day, MSPs are very good at spotting emerging spam threats. In addition, they are easy to set up, prevent malicious spam from entering a company’s network, store e-mail messages in the event a company’s e-mail server goes down, and are able to handle the increased volume of e-mail that a growing entity may experience. Furthermore, MSPs have virtually no upfront costs, and ongoing administration expense is low.

Some organizations fear that using a MSP could compromise the privacy of their clients and business partners. MSPs are responding to privacy concerns by offering to sign nondisclosure agreements. In addition, some MSPs are using pass-through technology that allows them to forward legitimate e-mail almost instantly. The result: Legitimate e-mail is not stored on disks, and it spends very little time in a data center.

The reliability of MSPs is also a concern for some. If an MSP goes down, e-mail may be delayed or, worse yet, lost. Consumers may decide to select an MSP that has received an unqualified SysTrust, WebTrust, or SAS 70 Type II attestation report, which warrants that an MSP has passed rigorous tests to determine whether appropriate controls are in place and operating effectively. These tests provide reasonable assurance to current and potential subscribers that an MSP operates in a stable and secure environment.

Potential subscribers should look for an MSP that allows end-users to determine some of their own spam settings, establish a whitelist, and set up a personal quarantine area. Leading MSPs include MessageLabs, Microsoft Exchange Hosted Filtering, MX Logic, and Postini. A frequently updated buying guide that contains prices and features of MSPs and gateway software is located at
www.networkworld.com/bg/2003/spam/compare.jsp.

Closing the Door on Spam

Spammers are similar in one respect to polluters: If no obstacle is placed in their path, they bear only a small portion of the overall cost of their actions. Spam-fighting techniques, such as spam avoidance, desktop software, gateway software, and managed service providers, make it harder for spammers to deliver their messages. This obstacle increases the spammers’ costs. If, for example, spam-filtering software can reduce the amount of spam that reaches an e-mail inbox by 90%, a spammer must now incur the cost of sending 10 messages to get a single message into an inbox. If filtering software can reduce the amount of spam by 95%, the cost of sending spam has increased by a factor of 20.

As the use of spam-fighting techniques grows, as new techniques are developed and old techniques are perfected, one can hope that the cost of sending spam will increase until it eventually becomes prohibitive for most spammers. Just as good defense wins football games, good defense can win the battle against spam.

Click here to see Sidebar.