Learn IT: Defeating Spam in the Enterprise - Reference from WhatIs.com


Learn an IT concept in 10 easy steps.
Here's how it works: We give you a little background about the concept, a glossary to look up related terms, some outside reading, and a self-assessment quiz. You spend as much (or as little) time as you like moving through the ten steps and exploring the concept.

Directions: Read steps 1-9 and their related links. In step 10, use the glossary to look up any terms you do not know. When you're done, take a quiz to see how much you've learned!

 

Glossary

blackhole list

bounce e-mail

drive-by spamming

Can Spam Act

email spoofing

email virus

false positive

hash buster

Joe job

list washing

mail bomb

mobile phone spam

Murkogram

open relay

phishing

reverse DNS

self-sending spam

spam

spamblock

spambot

spam filter

spam for life

spamhaus

spam trap

teergrube

UBE

UCE

 

 
 

 

1. What exactly is spam?

Spam is unsolicited bulk e-mail (UBE). From the sender's perspective, spam is an extremely efficient and cost-effective way to distribute a message, but to most recipients, spam is just junk e-mail. Spammers typically send a piece of e-mail to a distribution list in the millions, expecting that only a tiny number of readers will respond to their offer.

The term is said to derive from a famous Monty Python sketch ("Well, we have Spam, tomato & Spam, egg & Spam, Egg, bacon & Spam...") that was current when spam first began arriving on the Internet. SPAM is a trademarked Hormel meat product that was well-known in the U.S. Armed Forces during World War II.

According to a report from the Spamhaus Project anti-spam organization, over 90% of all the spam received in North America and Europe originates from only about 200 senders. Most spam falls into the category of unsolicited commercial e-mail (UCE), but the term also encompasses other types of mass mailings, such as e-mail chain letters, personal campaign mailings, messages with virus-laden attachments, and messages containing virus hoaxes, among other possibilities.

Here's a breakdown of spam categories by percentage:
(From a Brightmail Probe Network report, statistics as of September 2003)

  • 19%: Product marketing messages
  • 14%: Financial services marketing messages
  • 12%: Adult content marketing messages
  • 11%: Internet-based service marketing messages
  • 10%: Fraudulent messages
  • 8%: Health-related product and service marketing messages
  • 7%: Leisure-related product and service marketing messages
  • 3%: Political campaign messages
  • 1%: Spirituality-related messages
  • 15%: Other (spam that doesn't fit any of the established categories)

 

 

Related Links:

Brightmail provides graphically represented statistics for spam on their Web site.

The Spamhaus Project is a comprehensive resource for information about spam.

CAUCE offers more details in their spam FAQ list.

 

2. How bad is the spam problem?

In September 2003, spam accounted for 54% of all Internet e-mail -- up from 18% in April 2002 (source: Brightmail Probe Network). The spam problem is bad -- and rapidly getting worse -- for a number of reasons. In the U.S., for example, the recently established National Do Not Call Registry has enabled people to add their telephone numbers to a list that telemarketers are not allowed to call. As a result, people and organizations that had relied on telemarketing campaigns have begun to look for other ways to get their messages out, and many have turned to the Internet as the least expensive means of doing so. The cost of using the postal system, and the further complication of the recent anthrax scare, have meant that a mail campaign is not a viable alternative for many who relied on telemarketing. As a result of these and other factors, the amount of spam clogging the Internet has expanded alarmingly.

Some other spam statistics:

  • Spam will account for 60% of all Internet e-mail by January 2004 (source: Spamhaus Project).
  • In 2002, time and resources used to deal with spam cost U.S. companies almost $9 billion (source: Ferris Research).
  • An organization with 10,000 employees spends an estimated $71.91 per mailbox per year because of spam (source: Radicati Group).
  • Worldwide, spam is expected to cost businesses $30 billion this year, and $113 billion by 2007 (source: Radicati Group).
  • Over 70% of technology professionals believe the spam problem has reached epidemic proportions (source: TrendMicro).
  • One-third of all companies surveyed have not, as yet, implemented any anti-spam measures (source: TrendMicro).

Related Links:

Jon Panker's SearchNetworking article explains why "Spam is a pricey pest."

Panker's SearchDomino Survey finds that "Spam is the scourge of the messaging world."

 

3. Just how effective is spam, anyway?

Spam definitely makes money for the sender; they wouldn't continue to send it so relentlessly otherwise. Spam works because of the huge volume of messages sent. It's easy and inexpensive to send spam. Even with a dialup connection, a spammer can send out hundreds of thousands of messages in an hour for next to nothing. And even though the vast majority of people who receive a spam message will not respond to it, the tiny fraction of recipients who do is enough to make sending it a viable proposition. According to Vincent Schiavone, CEO of the ePrivacy Group, "A small spammer may send out 10 million e-mails a day. If only 100 people buy, then their expenses are covered." Anything beyond those 100 responses is profit.

Successful spammers do a lot better than that. For example, Ron Scelson, known as the "Cajun Spammer," claims to get responses from 1% of messages he sends: that comes to 10,000 responses per million messages sent, 100,000 responses per day if he sends out 10 million messages. Scelson, who works on a commission basis, says he makes between $4,000 and $5,000 for each mailing.

4. What's your average spammer's modus operandi?

Most spammers tend to think of themselves as entrepreneurs that are hard-pressed to dodge the stringent anti-spam measures imposed by ISPs. To get around such measures, Ron Scelson (the aforementioned "Cajun Spammer") has sometimes used offshore servers to send his mailings, though they can be up to five times more expensive than domestic systems. Scelson tests all his e-mails against spam filters to make sure they can get through. He claims that he can get spam through a new filtering system in less than 24 hours, and sometimes in as little as three minutes. Scelson said he will use e-mail spoofing if he has to. "It's a last resort for me, a backup system, but again, it can totally be done," he said during a recent webcast presented by messaging product vendor IntelliReach.

Spamming is not rocket science. Here are some simple step-by-step instructions:

  • First, you need addresses. A quick Google or eBay search will find lots of people willing to sell you lists with millions of e-mail addresses, and spambots that will collect addresses from the Internet for you automatically.
  • In a text editor, such as Word, you can format these into blocks of addresses to paste into e-mail messages, maybe a hundred recipients at a time.
  • If you want to get fancy, you can include some online payment method. Or you can, like many other spammers, simply get customers to send you checks or money orders by regular mail.
  • Come up with a subject line, insert your message, and hit send.
  • Once you've gotten this far, you can automate the process of sending, allowing you to send huge volumes of spam without risking repetitive stress injury.
  • Congratulations! You're a spammer.

Related Links:

Robin Good's article is called "Confessions of a Spam King Revisited."

SearchSecurity expert Ed Hurley explores what goes on "In the spammer's lair."

Here's Marshall Brain's explanation of "How Spam Works."

 

5. Is spam in your inbox really any different from 3rd class junk mail that arrives in your mailbox, or telemarketing?

According to CAUCE (Coalition Against Unsolicited Commercial Email), a spammer sending you e-mail is like a telemarketer calling you -- collect. As far as 3rd class mail goes, the cost of sending the mail is borne by the sender. Much of the cost of sending spam, on the other hand, is borne by the recipient's ISP, because of the burden it places on server resources. And if it costs your ISP, it ultimately costs you.

6. How can I combat spam in the enterprise?

You really need to attack spam on two fronts: In addition to implementing anti-spam technologies, you've got to make sure that each user knows how to protect themselves through cautious behavior online.

At the server:
From an administrative perspective, one of the most basic and crucial anti-spam measures is to ensure your server is not configured to serve as an open relay, blindly relaying any and all messages that come through it.

Here's how to do it in Exchange Server: In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIMC\Parameters. Add a REG_DWORD value named RelayFlags. Set this value to 8. This will allow both remote and local hosts with valid credentials to use the server; others will be rejected.

Next, you can block specific senders or whole domains. For example, in Exchange 2000, open Exchange System Manager and select Server > Global Settings > Message Delivery. Right-click, and go to Properties. Select the Filtering tab, which then gives you options to block by e-mail address or by domain. There are also a number of server-side spam filter applications, such as Roaring Penguin's CanIt and MIMEDefang.

Several organizations, such as the Spamhaus Project, maintain blacklists of known sources of spam. You can make use of such a list, adding to it as you wish. You might want to also establish a whitelist of addresses or domains that are to be automatically accepted by the server. Other options exist, such as that of archiving filtered messages, which may be advisable while you're seeing how a new filtering system works. By making changes at the server, you save a good deal of time and resources spent by individual recipients at your organization.

At the client:
Here, you can install a program, such as MailWasher, that works with a POP3-compliant mail program. These programs can be configured to accept or bounce e-mail based on your specified criteria. Then, you can save lists of sources that are bounced and those that are accepted to a shared drive, where they are available to everyone within your organization.

In terms of educating the user, you should establish guidelines for prudent online behavior, such as:

  • Don't divulge your e-mail address online indiscriminately.
  • Establish a throw-away e-mail account for online dealings that are not connected to the company.
  • Never respond to spam, especially to remove yourself from the sender's list. (Many spammers use such responses to determine that the e-mail address is active. The result: more spam.)
  • Instead of responding to the spammer, create a form letter of complaint to send to any spammer's ISP.
  • Spend a few minutes once to set up spam-filtering capabilities in your e-mail program, instead of spending several minutes every day deleting unwanted messages.

 

Related Links:

A SearchCIO article explains how "Experts differ on ways to spear spam."

Search2000 provides a collection of resources in their Featured Topic: "Winning the War on Spam."

According to Roaring Penguin, a vendor for open source spam filtering, mid-sized organizations bear the brunt of e-mail spam.

Spam.abuse.net offers technical information for systems administrators.

 

7. How do spam filters work?

Spam filters block messages that are detected to match program-specified or user-specified criteria, such as words in the subject line, or messages that are detected to be machine-generated, part of a bulk mailing, or from a known source of spam. Other spam filters, such as Bayesian and heuristic programs, take more complex approaches to detecting spam.

A Bayesian spam filter is based on probability (Bayesian logic is an area in mathematics that deals with decision making and probability inference). The program considers each message as a collection of tokens: each word, number, and header is considered separately. A database is consulted that contains probabilities of given tokens being content of a spam message, and a message is given a spam probability score based on the number and score of its tokens. CanIt, a server-side anti-spam application from Roaring Penguin, includes Bayesian filtering capabilities that can be fine-tuned to suit the particular environment it's used in. In an interview with ITBusiness, David Skoll, president of the company, said that by implementing CanIt, businesses will see a return on investment within the first year. 

A heuristic spam filter, such as SpamAssassin, checks messages against criteria established in a rule base and assigns each message a score based on which of those criteria it matches. Above a specified score, messages are flagged as spam. SpamAssassin is often used in conjunction with MIMEDefang: SpamAssassin provides the heuristics for identifying likely spam and MIMEDefang provides the actual filter mechanism that allows administrators to decide how to deal with it.

One problem with many filtering tools is that if they are configured stringently enough to be effective, there's a fairly high chance of getting false positives: legitimate messages that are stopped by the filter and don't get to the intended recipient. The chance of accidentally blocking an important message has been enough to keep many administrators from filtering spam at all. However, an effective spam filtering application -- combined with wise management -- can save a company substantial amounts of time and money that would otherwise have been lost to dealing with spam.
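The token-probability scoring and the false-positive trade-off described above can be seen in a small added example (not code from CanIt, SpamAssassin or the original page). The training messages, the 0.4 value for unseen tokens, the 0.01/0.99 clamps and the thresholds are all assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")

def tokenize(message):
    """Return the distinct lower-cased tokens of a message (header words included)."""
    return set(TOKEN_RE.findall(message.lower()))

class BayesFilter:
    def __init__(self, unknown=0.4, top_n=15):
        self.spam_counts, self.ham_counts = Counter(), Counter()
        self.n_spam = self.n_ham = 0
        self.unknown = unknown   # assumed probability for tokens never seen in training
        self.top_n = top_n       # only the most decisive tokens are combined

    def train(self, message, is_spam):
        counts = self.spam_counts if is_spam else self.ham_counts
        counts.update(tokenize(message))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def token_probability(self, token):
        """P(spam | token) from the share of spam and ham messages containing it."""
        s, h = self.spam_counts[token], self.ham_counts[token]
        if s + h == 0:
            return self.unknown
        spam_rate, ham_rate = s / self.n_spam, h / self.n_ham
        # Clamp so a single token can never make the verdict absolute.
        return min(0.99, max(0.01, spam_rate / (spam_rate + ham_rate)))

    def score(self, message):
        """Combine token probabilities into one spam probability for the message."""
        probs = sorted((self.token_probability(t) for t in tokenize(message)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:self.top_n]
        # Work in log space: prod(p) / (prod(p) + prod(1 - p)) without underflow.
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

# Constructed training corpus (illustrative only).
TRAIN_SPAM = [
    "Subject: free offer - buy cheap pills now",
    "Subject: win money now, free prize inside",
    "Subject: cheap mortgage offer, act now",
    "Subject: free money - click here now",
]
TRAIN_HAM = [
    "Subject: meeting agenda for monday",
    "Subject: quarterly report attached for review",
    "Subject: lunch on friday?",
    "Subject: free seats left for the monday training",
]

# Constructed evaluation set: (message, is_spam).
EVAL_SET = [
    ("Subject: cheap pills, free offer now", True),           # obvious spam
    ("Subject: claim your free mortgage review", True),       # spam with unseen words
    ("Subject: cheap vendor offer, free for review", False),  # legitimate purchasing mail
    ("Subject: agenda for friday review meeting", False),     # ordinary internal mail
]

def build_demo_filter():
    f = BayesFilter()
    for m in TRAIN_SPAM:
        f.train(m, True)
    for m in TRAIN_HAM:
        f.train(m, False)
    return f

def evaluate(f, labeled, threshold):
    """Return (spam caught, false positives) when flagging at score >= threshold."""
    caught = sum(1 for m, spam in labeled if spam and f.score(m) >= threshold)
    false_pos = sum(1 for m, spam in labeled if not spam and f.score(m) >= threshold)
    return caught, false_pos

if __name__ == "__main__":
    demo = build_demo_filter()
    for msg, is_spam in EVAL_SET:
        print(f"{demo.score(msg):.4f}  spam={is_spam}  {msg}")
    for threshold in (0.9, 0.5):
        print(threshold, evaluate(demo, EVAL_SET, threshold))
```

With the lenient threshold the filter misses the second spam message; tightening it catches both but also stops the legitimate vendor message, which is why archiving filtered mail while tuning is useful.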

 

Related Links:

MSExchange.org has much more information on its anti-spam pages.

Paul Graham's article, "Better Bayesian Filtering" is available on his Web site.

ITBusiness.ca explains how "Roaring Penguin says CanIt to Spam."

 


8. What's the current status of anti-spam legislation?

Various European countries are drafting or enacting anti-spam laws. In Britain, opt-in e-mail legislation is currently being implemented. This legislation effectively makes it illegal to send UCE from within the country, although spammers located elsewhere would be difficult to prosecute. Another problem with the British legislation is that it only targets spam sent to private homes, which does nothing to alleviate the severe spam problem facing businesses throughout the country. Italy has implemented the European Anti-Spam Directive, which mandates jail time for sending spam.

The United States has tended towards an opt-out approach, which many fear will make the problem worse than ever. The Can Spam Act, passed 97-0 in the Senate on October 22, 2003, makes it illegal to send UCE to anyone who says they don't want to receive it. However, the only way to refuse future UCE from a particular sender is to respond to their message. According to experts, that's something you should never do: spammers use such responses to verify active e-mail addresses, which can be sold for a higher price. As a rule, the result is even greater volumes of UCE. The bill also makes it illegal to harvest addresses from Web sites or to disguise your identity in a commercial e-mail.

Various states are taking more stringent legislative action on their own. However, for anti-spam legislation to be effective, it really needs to be national -- if not international -- in scope.

A proposed "do not spam" list, similar to the telemarketing-targeted "do not call" list, could be effective, although it would work in a roundabout way. E-mails would be marked to attest that the sender abides by the list. One way of ensuring this would be by using ePrivacy Group's Trusted Email Open Standard. The standard works by inserting small -- less than 1 KB -- digital certificates into the headers of e-mails. The certificates assure the recipient that messages actually originated from the addresses they claim to come from. UCE without such a certificate could be blocked by the ISP's mail server or the user's spam filter.

Related Links:

Ed Hurley's SearchSecurity article asks "Could a 'do not spam' list really stop spammers?"

SearchCRM features the Barney Beal article, "Anti-spam law 12-18 months away, consultant says."

A libertarian Web site, The Colorado Freedom Report, has a recent article called "How to Kill Spam Without the State."


9. Spam Words-to-Go Glossary:

Browse through spam vocabulary in a handy printable glossary.

 

10. Self-assessment:

After you've looked at the glossary, quiz yourself to see what you've learned about spam.



This was last updated in April 2010
Posted by: Margaret Rouse
