Battling Spam with an Array of Weapons

According to the pundits, we are a 50/50 nation, evenly split on most political and cultural issues. But there is one topic where there is nearly unanimous agreement -- everyone hates spam.

Unsolicited bulk email saps employee productivity, wastes network resources, drives up Internet costs, and clutters the network with viruses, worms and Trojans.

''We were getting tons and tons of mail that users didn't want,'' says Rod Baker, MIS Director for Reebok Ltd. in Canton, Mass. ''Some users were getting 300 to 400 pieces of spam per day.''

While the email server could handle the extra load, he says the volume of messages required the company to purchase additional storage. Spam ate up user time spent reviewing and deleting the unwanted messages. And IT staff time went to helping users, either getting rid of malware or restoring legitimate messages that had been accidentally deleted.

All this occurred despite the fact that Reebok had filtering software in place.

''Our filtering software was a resource hog, required a lot of time to manage it, and was only blocking 30 percent of the spam on its best days,'' Baker adds. ''We were looking at having to hire an additional person to handle the workload.''

To cut its personnel and storage needs, Reebok switched to using an outside email processing service -- FrontBridge Technologies, Inc. of Marina del Rey, Calif. The change eliminated 90 percent to 95 percent of spam and reduced IT's spam-related administration time to 15 minutes a month spent running a report for the CIO.

An Array of Armaments

Reebok may have given spam the boot, but spam control is no shoe-in.

As a result, companies are harnessing a variety of technologies to tackle spam. Most find it takes a multi-faceted approach, though not everyone has gone so far as the sneaker giant in outsourcing the handling of spam.

But anyone who has been involved in the fray realizes one thing: there is a war going on between bulk emailers and IT departments. It follows many of the same rules as conventional warfare, though no one is expected to follow the Geneva Convention if they get their hands on a spammer.

To begin with, the goal is containment rather than total elimination.

Dropping a nuclear bomb would kill all the enemy combatants in an area, but it would kill all the civilians as well. Instead, you have to select weapons and tactics which kill most of the enemy without excessive collateral damage. The ''collateral damage'' in using anti-spam tools too aggressively consists of blocking legitimate emails along with the junk.

Instead, you need to adjust the threshold to achieve a balance between a tolerable level of unwanted email and an acceptable level of ''false positives'' -- valid messages incorrectly identified as spam.

''The way organizations deal with this depends on their culture and philosophy,'' says Ant Allan, a U.K.-based analyst for the Stamford, Conn. consulting firm Gartner, Inc. ''Some organizations would rather get a large residue of spam coming through than block legitimate messages.''

The second lesson is that the battle is constantly evolving.

As Prussian general Helmuth von Moltke stated, ''No plan of operation extends with any certainty beyond the first contact with the main hostile force.'' Instead of a fixed plan, fighting spam requires continuous intelligence on what the enemy is doing next, and then devising new ways to block it. In practice, this means using an array of technologies, not a single one, and constantly updating them to counter the latest threats.

The exact techniques vary from one product to another, and each gives different weights to particular methods. Some of the more common ones include:

  • Blacklists/Whitelists -- These are lists of IP or SMTP addresses from which email is allowed (whitelist) or blocked (blacklist). The company or individual users can create their own lists, or they can use ones from the vendor or an outside source. Several organizations including SPAMHAUS (www.spamhaus.org) and SPEWS (www.spews.org) maintain freely available blacklists which are regularly updated by their members.
  • Heuristic Analysis -- This involves analyzing a batch of known spam and a batch of known good email. Incoming mail is then compared to the characteristics of these two groups and the software assigns a probability that the email is spam. The analysis is continually updated as users identify new mail as good or bad. Bayesian analysis is one of the more commonly used varieties of heuristic analysis.
  • Keyword Analysis -- This looks for commonly used words. Spammers get around this by altering spellings, so an updated technique called Complex Dictionary Checking looks for variations such as V!oxx or M$Utgage.
  • Checksum -- This is a method of creating a signature for known spam. If other email comes in with an identical signature, it is blocked. (Spammers get around this by adding random words to email, thereby changing the signature.)
  • Quantity Checking -- This method looks for a large volume of email coming from a single address and flags it for the administrator's attention.
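The following toy scorer is an added illustration of how the five techniques in the list above combine into one decision, and of the threshold trade-off between residual spam and false positives discussed earlier. It is not any vendor's code. The IP lists, training samples, keyword set, known-spam signature, score weights and threshold are all constructed for the example; the DNSBL query-name helper only builds the lookup name in the usual reversed-octet form and performs no network query.

```python
"""Toy multi-technique spam scorer (added example, not any vendor's code).
All lists, samples, weights and thresholds below are constructed."""
import hashlib
import ipaddress
import math
import re
from collections import Counter

# Blacklist / whitelist of sending IPs (constructed, RFC 5737 documentation ranges).
BLACKLIST = {"192.0.2.0/24"}
WHITELIST = {"198.51.100.7"}


def dnsbl_query_name(ip, zone):
    """Lookup name for a DNS-based blacklist: reversed octets under the list
    zone (the convention described in RFC 5782). No DNS query is performed."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def list_verdict(ip):
    addr = ipaddress.ip_address(ip)
    if ip in WHITELIST:
        return "whitelist"
    if any(addr in ipaddress.ip_network(net) for net in BLACKLIST):
        return "blacklist"
    return None


# Keyword analysis with normalisation of obfuscated spellings (V!oxx, m0rtgage).
# A symbol is swapped for its letter only when it sits between two letters,
# so ordinary punctuation such as a trailing "!" is left alone and stripped.
LEET = {"!": "i", "1": "i", "|": "i", "$": "s", "5": "s",
        "0": "o", "@": "a", "3": "e", "4": "a"}
_LEET_RE = re.compile(r"(?<=[a-z])([!1|$50@34])(?=[a-z])")
KEYWORDS = {"viagra", "vioxx", "mortgage", "refinance"}  # constructed


def normalize(text):
    text = _LEET_RE.sub(lambda m: LEET[m.group(1)], text.lower())
    return " ".join(re.sub(r"[^a-z\s]", "", text).split())


def tokens(text):
    return normalize(text).split()


def signature(text):
    """Checksum of the normalised body. Exact matching is what random
    word insertion defeats, as the text notes."""
    return hashlib.sha256(normalize(text).encode()).hexdigest()


class BayesFilter:
    """Naive Bayesian classifier trained on labelled samples (heuristic analysis)."""

    def __init__(self):
        self.docs = Counter()
        self.words = {"spam": Counter(), "ham": Counter()}

    def train(self, text, label):
        self.docs[label] += 1
        self.words[label].update(set(tokens(text)))

    def word_prob(self, word):
        s = self.words["spam"][word] / max(self.docs["spam"], 1)
        h = self.words["ham"][word] / max(self.docs["ham"], 1)
        if s + h == 0:
            return 0.5  # never seen in either corpus: neutral
        return min(0.99, max(0.01, s / (s + h)))

    def spam_probability(self, text):
        log_s = log_h = 0.0
        for w in set(tokens(text)):
            p = self.word_prob(w)
            log_s += math.log(p)
            log_h += math.log(1 - p)
        return 1 / (1 + math.exp(min(log_h - log_s, 700.0)))


class VolumeMonitor:
    """Quantity checking: flag a sender once it exceeds a message budget."""

    def __init__(self, limit):
        self.limit, self.seen = limit, Counter()

    def observe(self, sender):
        self.seen[sender] += 1
        return self.seen[sender] > self.limit


def score_message(ip, sender, body, bayes, volume, signatures, threshold=50):
    """Combine the checks into one score; `threshold` is the knob that trades
    residual spam against false positives. Returns (score, is_spam, reasons)."""
    if list_verdict(ip) == "whitelist":
        return 0.0, False, ["whitelist"]
    score, reasons = 0.0, []
    if list_verdict(ip) == "blacklist":
        score, reasons = score + 50, reasons + ["blacklist"]
    p = bayes.spam_probability(body)
    score, reasons = score + 40 * p, reasons + ["bayes=%.2f" % p]
    for kw in sorted(KEYWORDS & set(tokens(body))):
        reasons.append("keyword:" + kw)
    if any(r.startswith("keyword") for r in reasons):
        score += 20
    if signature(body) in signatures:
        score, reasons = score + 40, reasons + ["checksum"]
    if volume.observe(sender):
        score, reasons = score + 10, reasons + ["volume"]
    return score, score >= threshold, reasons


# Constructed training corpus and known-spam signature for the demo.
SAMPLES = [
    ("cheap viagra online buy now", "spam"),
    ("refinance your mortgage today lowest rates", "spam"),
    ("buy cheap vioxx online now", "spam"),
    ("meeting agenda for monday attached", "ham"),
    ("please review the quarterly budget report", "ham"),
    ("lunch on friday at noon", "ham"),
]
FILTER = BayesFilter()
for _text, _label in SAMPLES:
    FILTER.train(_text, _label)
KNOWN_SPAM = {signature("refinance your mortgage today lowest rates")}

if __name__ == "__main__":
    vm = VolumeMonitor(limit=3)
    for ip, who, body in [("192.0.2.10", "a@x", "Buy ch3ap V!agra now"),
                          ("203.0.113.5", "b@y", "please review the agenda for monday"),
                          ("203.0.113.5", "d@w", "mortgage")]:
        for thr in (50, 80):
            print(thr, score_message(ip, who, body, FILTER, vm, KNOWN_SPAM, thr))
```

Running the demo shows the point of the threshold: the one-word ''mortgage'' message scores about 60, so it is junk at a threshold of 50 and legitimate at 80, while the blacklisted, keyword-laden message and the plain meeting note land far from either cut-off.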

''If you have a solution based on a single way of identifying spam, what do you do when the spammers figure out how to get around it?'' asks Allan. ''The best solutions have a spectrum of techniques to give you the best all around performance.''

Guarding the Infrastructure

Companies looking to reduce their unwanted email load have several options. They can select an outsourcer, as Reebok did, or they can stay in-house using either software or an appliance. Most products do an adequate job of filtering. The difference comes in the management features.

''The spam filtering itself is becoming a commodity,'' says Allan. ''It is not just the effectiveness, but the enterprise-class features which matter when working with large populations, such as ease in setting up custom rules for different groups of users.''

Cable and broadband provider Cox Communications, Inc. took the appliance route for its 40,000 employees at 60 locations.

Everything comes in to servers at the company's Atlanta headquarters, passes to hub servers and then out to mailbox servers for end-user access. A year ago, Cox installed six CipherTrust, Inc. IronMail appliances to block spam at the gateway before it hits the Exchange servers.

Senior messaging manager Franklin Warlick says the appliances themselves only took about half an hour to set up, and he spent another day tweaking the settings. The real work came in setting up whitelists.

''We started out doing the whitelist too aggressively,'' he explains. ''Then we found that one person's newsletter is another person's spam.''

That process took about a month. In the first few weeks there were also some false positives, but that has been corrected and he hasn't heard of any for months. With the appliances in place, although the level of spam has skyrocketed, it is not swamping users' mailboxes.

''A year ago, we were getting eight to nine million messages a month. Now we are getting over 40 and blocking about 38 million of those as spam or viruses,'' says Warlick. ''If we were handling that volume anywhere other than at the edge, we would have had to grow our Exchange infrastructure and staff to four times what it was a year ago.''