
Battling Spam with an Array of Weapons

Battling spam is no easy thing. It often takes more than one kind of tactic and more than one kind of weapon. Here's a look at the different multi-faceted approaches.
Posted January 13, 2005
By Drew Robb


According to the pundits, we are a 50/50 nation, evenly split on most political and cultural issues. But there is one topic where there is nearly unanimous agreement -- everyone hates spam.

Unsolicited bulk email saps employee productivity, wastes network resources, drives up Internet costs, and clutters the network with viruses, worms and Trojans.

''We were getting tons and tons of mail that users didn't want,'' says Rod Baker, MIS Director for Reebok Ltd. in Canton, Mass. ''Some users were getting 300 to 400 pieces of spam per day.''

While the email server could handle the extra load, he says the volume of messages required the company to purchase additional storage. Spam ate up user time reviewing and deleting the unwanted messages. And IT staff had to spend time helping users -- either getting rid of malware or restoring legitimate messages that were accidentally deleted.

All this occurred despite the fact that Reebok had filtering software in place.

''Our filtering software was a resource hog, required a lot of time to manage it, and was only blocking 30 percent of the spam on its best days,'' Baker adds. ''We were looking at having to hire an additional person to handle the workload.''

To cut its personnel and storage needs, Reebok switched to using an outside email processing service -- FrontBridge Technologies, Inc. of Marina del Rey, Calif. The change eliminated 90 percent to 95 percent of spam and reduced IT's spam-related administration time to 15 minutes a month spent running a report for the CIO.

An Array of Armaments

Reebok may have given spam the boot, but spam control is no shoo-in.

As a result, companies are harnessing a variety of technologies to tackle spam. Most find it takes a multi-faceted approach, though not everyone has gone so far as the sneaker giant in outsourcing the handling of spam.

But anyone who has been involved in the fray realizes something. There is a war going on between bulk emailers and IT departments. It follows many of the same rules as conventional warfare, though no one is expected to follow the Geneva Convention if they get their hands on a spammer.

To begin with, the goal is containment rather than total elimination.

Dropping a nuclear bomb would kill all the enemy combatants in an area, but it would kill all the civilians, as well. Instead, you have to select weapons and tactics which kill most of the enemy, without excessive collateral damage. The ''collateral damage'' in using anti-spam tools too aggressively consists of blocking legitimate emails along with the junk.

Instead, you need to adjust the threshold to achieve a balance between a tolerable level of unwanted email, and an acceptable level of ''false positives'' -- valid messages incorrectly identified as spam.

''The way organizations deal with this depends on their culture and philosophy,'' says Ant Allan, a U.K.-based analyst for the Stamford, Conn. consulting firm Gartner, Inc. ''Some organizations would rather get a large residue of spam coming through than block legitimate messages.''

The second lesson is that the battle is constantly evolving.

As Prussian general Helmuth von Moltke stated, ''No plan of operation extends with any certainty beyond the first contact with the main hostile force.'' Instead, it requires continuous intelligence on what the enemy is doing next, and then devising new ways to block it. In fighting spam, this means using an array of technologies, not a single one, and constantly updating them to counter the latest threats.

The exact techniques vary from one product to another, and each gives different weights to particular methods. Some of the more common ones include:

  • Blacklists/Whitelists -- These are lists of IP or SMTP addresses from which email is allowed (whitelist) or blocked (blacklist). The company or individual users can create their own lists, or they can use ones from the vendor or an outside source. Several organizations including SPAMHAUS (www.spamhaus.org) and SPEWS (www.spews.org) maintain freely available blacklists which are regularly updated by their members.
  • Heuristic Analysis -- This involves analyzing a batch of known spam and a batch of known good email. Incoming mail is then compared to the characteristics of these two groups and the software assigns a probability that the email is spam. The analysis is continually updated as users identify new mail as good or bad. Bayesian analysis is one of the more commonly used varieties of heuristic analysis.
  • Keyword Analysis -- This looks for commonly used words. Spammers get around this by altering spellings, so an updated technique called Complex Dictionary Checking looks for variations such as V!oxx or M$Utgage.
  • Checksum -- This is a method of creating a signature for known spam. If other email comes in with an identical signature, it is blocked. (Spammers get around this by adding random words to email, thereby changing the signature.)
  • Quantity Checking -- This method looks for a large volume of email coming from a single address and flags it for the administrator's attention.
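To show how these techniques combine into a single score with a tunable threshold (the balance between spam leakage and false positives discussed above), here is a toy filter added for illustration; it is not code from any product named in the article. The blacklist, whitelist, keyword list, character-substitution table and point values are all constructed assumptions, and the checksum is a plain hash of the normalized body rather than the fuzzier signatures real filters use.

```python
import hashlib
import re
from collections import Counter

# Constructed sample data (not from the article).
BLACKLIST = {"198.51.100.7"}             # documentation-range IP, constructed
WHITELIST = {"newsletter@example.com"}   # constructed allowed sender
# Complex Dictionary Checking: expand each keyword into a regex that tolerates
# the symbol substitutions spammers use (e.g. "V!oxx"). Table is an assumption.
LEET = {"a": "[a@4]", "e": "[e3]", "i": "[i1!|]", "o": "[o0]", "s": "[s$5]", "t": "[t7]"}
KEYWORDS = ["viagra", "mortgage", "vioxx"]
KEYWORD_RES = [re.compile("".join(LEET.get(c, re.escape(c)) for c in k), re.I)
               for k in KEYWORDS]
KNOWN_SPAM_SIGS = set()    # checksums of messages already judged to be spam
SENDER_COUNTS = Counter()  # quantity checking: messages seen per sender
VOLUME_LIMIT = 3

def checksum(body):
    """Signature of the body with case and whitespace removed."""
    return hashlib.sha256(re.sub(r"\s+", "", body.lower()).encode()).hexdigest()

def score(sender, src_ip, body):
    """Return (points, reasons) for one message; points are constructed weights."""
    if sender in WHITELIST:
        return 0, ["whitelisted sender"]
    points, reasons = 0, []
    if src_ip in BLACKLIST:
        points += 5
        reasons.append("blacklisted IP")
    hits = [k for k, rx in zip(KEYWORDS, KEYWORD_RES) if rx.search(body)]
    if hits:
        points += 2 * len(hits)
        reasons.append("keywords: " + ", ".join(hits))
    if checksum(body) in KNOWN_SPAM_SIGS:
        points += 4
        reasons.append("matches known spam checksum")
    SENDER_COUNTS[sender] += 1
    if SENDER_COUNTS[sender] > VOLUME_LIMIT:
        points += 1
        reasons.append("high volume from sender")
    return points, reasons

def classify(sender, src_ip, body, threshold=4):
    """Lower threshold blocks more spam but raises false positives."""
    points, reasons = score(sender, src_ip, body)
    verdict = "spam" if points >= threshold else "ham"
    if verdict == "spam":
        KNOWN_SPAM_SIGS.add(checksum(body))  # learn the signature for next time
    return verdict, points, reasons
```

Raising `threshold` to 6 would let the keyword-only copy of a message through while still catching the blacklisted and checksum-matched ones, which is the trade-off an administrator tunes.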

''If you have a solution based on a single way of identifying spam, what do you do when the spammers figure out how to get around it?'' asks Allan. ''The best solutions have a spectrum of techniques to give you the best all around performance.''

Guarding the Infrastructure

Companies looking to reduce their unwanted email load have several options. They can select an outsourcer, as Reebok did, or they can stay in-house using either software or an appliance. Most products do an adequate job of filtering. The difference comes in the management features.

''The spam filtering itself is becoming a commodity,'' says Allan. ''It is not just the effectiveness, but the enterprise-class features which matter when working with large populations, such as ease in setting up custom rules for different groups of users.''

Cable and broadband provider Cox Communications, Inc. took the appliance route for its 40,000 employees at 60 locations.

Everything comes in to servers at the company's Atlanta headquarters, passes to hub servers and then out to mailbox servers for end-user access. A year ago, Cox installed six CipherTrust, Inc. IronMail appliances to block spam at the gateway before it hits the Exchange servers.

Senior messaging manager Franklin Warlick says the appliances themselves only took about half an hour to set up, and he spent another day tweaking the settings. The real work came in setting up whitelists.

''We started out doing the whitelist too aggressively,'' he explains. ''Then we found that one person's newsletter is another person's spam.''

That process took about a month. In the first few weeks there were also some false positives, but that has been corrected and he hasn't heard of any for months. With the appliances in place, although the level of spam has skyrocketed, it is not swamping users' mailboxes.

''A year ago, we were getting eight to nine million messages a month. Now we are getting over 40 and blocking about 38 million of those as spam or viruses,'' says Warlick. ''If we were handling that volume anywhere other than at the edge, we would have had to grow our Exchange infrastructure and staff to four times what it was a year ago.''
