Thursday, October 21, 2021

Battling Spam with an Array of Weapons

According to the pundits, we are a 50/50 nation, evenly split on most political and cultural issues. But there is one topic where there is nearly unanimous agreement — everyone hates spam.

Unsolicited bulk email saps employee productivity, wastes network resources, drives up Internet costs, and clutters the network with viruses, worms and Trojans.

“We were getting tons and tons of mail that users didn’t want,” says Rod Baker, MIS Director for Reebok Ltd. in Canton, Mass. “Some users were getting 300 to 400 pieces of spam per day.”

While the email server could handle the extra load, he says the volume of messages required the company to purchase additional storage. Spam ate up user time reviewing and deleting the unwanted messages. And IT staff had to spend time helping users — either getting rid of malware or restoring legitimate messages that were accidentally deleted.

All this occurred despite the fact that Reebok had filtering software in place.

“Our filtering software was a resource hog, required a lot of time to manage it, and was only blocking 30 percent of the spam on its best days,” Baker adds. “We were looking at having to hire an additional person to handle the workload.”

To cut its personnel and storage needs, Reebok switched to using an outside email processing service — FrontBridge Technologies, Inc. of Marina del Rey, Calif. The change eliminated 90 percent to 95 percent of spam and reduced IT’s spam-related administration time to 15 minutes a month spent running a report for the CIO.

An Array of Armaments

Reebok may have given spam the boot, but spam control is no shoe in.

As a result, companies are harnessing a variety of technologies to tackle spam. Most find it takes a multi-faceted approach, though not everyone has gone so far as the sneaker giant in outsourcing the handling of spam.

But anyone who has been involved in the fray realizes something. There is a war going on between bulk emailers and IT departments. It follows many of the same rules as conventional warfare, though no one is expected to follow the Geneva Convention if they got their hands on a spammer.

To begin with, the goal is containment rather than total elimination. Dropping a nuclear bomb would kill all the enemy combatants in an area, but it would kill all the civilians, as well. Instead, you have to select weapons and tactics which kill most of the enemy, without excessive collateral damage. The “collateral damage” in using anti-spam tools too aggressively consists of blocking legitimate emails along with the junk.

Instead, you need to adjust the threshold to achieve a balance between a tolerable level of unwanted email, and an acceptable level of “false positives” — valid messages incorrectly identified as spam.

“The way organizations deal with this depends on their culture and philosophy,” says Ant Allan, a U.K.-based analyst for the Stamford, Conn. consulting firm Gartner, Inc. “Some organizations would rather get a large residue of spam coming through than block legitimate messages.”

The second lesson is that the battle is constantly evolving.

As Prussian general Helmuth von Moltke stated, “No plan of operation extends with any certainty beyond the first contact with the main hostile force.” Instead, it requires continuous intelligence on what the enemy is doing next, and then devising new ways to block it. In fighting spam, this means using an array of technologies, not a single one, and constantly updating them to counter the latest threats.

The exact techniques vary from one product to another, and each gives different weights to particular methods. Some of the more common ones include:

  • Blacklists/Whitelists — These are lists of IP or SMTP addresses from which email is allowed (whitelist) or blocked (blacklist). The company or individual users can create their own lists, or they can use ones from the vendor or an outside source. Several organizations including SPAMHAUS (www.spamhaus.org) and SPEWS (www.spews.org) maintain freely available blacklists which are regularly updated by their members.

  • Heuristic Analysis — This involves analyzing a batch of known spam and a batch of known good email. Incoming mail is then compared to the characteristics of these two groups and the software assigns a probability that the email is spam. The analysis is continually updated as users identify new mail as good or bad. Bayesian analysis is one of the more commonly used varieties of heuristic analysis.

  • Keyword Analysis — This looks for commonly used words. Spammers get around this by altering spellings, so an updated technique called Complex Dictionary Checking looks for variations such as V!oxx or M$Utgage.

  • Checksum — This is a method of creating a signature for known spam. If other email comes in with an identical signature, it is blocked. (Spammers get around this by adding random words to email, thereby changing the signature.)

  • Quantity Checking — This method looks for a large volume of email coming from a single address and flags it for the administrator’s attention.

“If you have a solution based on a single way of identifying spam, what do you do when the spammers figure out how to get around it?” asks Allan. “The best solutions have a spectrum of techniques to give you the best all around performance.”
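As an added example (not code from the article or from any vendor it names), the small Python scorer below combines the techniques listed above: a blacklist, Bayesian token probabilities learned from a batch of known spam and a batch of known good mail, keyword matching with a Complex Dictionary Checking step that catches V!oxx and M$Utgage, and a checksum signature over each message. It also exposes the threshold trade-off between residual spam and false positives discussed earlier. All sample messages, the blacklisted address, the keyword list, the evidence weights (60 and 25) and the spelling tolerances are constructed assumptions for the demonstration.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample data (not from the article): blacklist, keyword list, training batches.
BLACKLIST = {"203.0.113.7"}
KEYWORDS = ("vioxx", "mortgage", "viagra")
SPAM_BATCH = ["buy cheap vioxx online now", "lowest mortgage rate apply now", "cheap pills online"]
HAM_BATCH = ["meeting moved to thursday", "quarterly report attached", "see you at lunch thursday"]

def tokens(text):
    return re.findall(r"[a-z]+", text.lower())
def edit_distance(a, b):  # plain Levenshtein distance
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def keyword_hits(text):
    # Complex Dictionary Checking: strip inserted symbols, then accept near-misses
    # such as "V!oxx" -> "voxx" or "M$Utgage" -> "msutgage" against the dictionary.
    cleaned = [re.sub(r"[^a-z]", "", w) for w in text.lower().split()]
    return sum(any(edit_distance(c, k) <= (2 if len(k) > 6 else 1) for k in KEYWORDS)
               for c in cleaned)
def signature(text):  # Checksum: hash over the normalized word list of a message
    return hashlib.sha256(" ".join(tokens(text)).encode()).hexdigest()
KNOWN_SPAM_SIGS = {signature(m) for m in SPAM_BATCH}

def build_token_probs(spam, ham):  # Bayesian analysis: per-word spam probability
    in_spam = Counter(t for m in spam for t in set(tokens(m)))
    in_ham = Counter(t for m in ham for t in set(tokens(m)))
    probs = {}
    for t in in_spam.keys() | in_ham.keys():
        s, h = in_spam[t] / len(spam), in_ham[t] / len(ham)
        probs[t] = min(0.99, max(0.01, s / (s + h)))
    return probs
TOKEN_PROBS = build_token_probs(SPAM_BATCH, HAM_BATCH)
def bayes_probability(text):  # words never seen in training count as a neutral 0.4
    ps = [TOKEN_PROBS.get(t, 0.4) for t in set(tokens(text))] or [0.4]
    p_spam, p_ham = math.prod(ps), math.prod(1 - p for p in ps)
    return p_spam / (p_spam + p_ham)
def score(sender_ip, text):  # blacklist or checksum match is decisive; else weigh evidence
    if sender_ip in BLACKLIST or signature(text) in KNOWN_SPAM_SIGS:
        return 100
    return min(100, round(60 * bayes_probability(text) + 25 * keyword_hits(text)))
def is_spam(sender_ip, text, threshold=50):  # lower threshold: less spam, more false positives
    return score(sender_ip, text) >= threshold
```

Adding a random word to a known spam defeats the checksum, as the article notes, but the Bayesian and keyword evidence still carry the message past the threshold.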

Guarding the Infrastructure

Companies looking to reduce their unwanted email load have several options. They can select an outsourcer, as Reebok did, or they can stay in-house using either software or an appliance. Most products do an adequate job of filtering. The difference comes in the management features.

“The spam filtering itself is becoming a commodity,” says Allan. “It is not just the effectiveness, but the enterprise-class features which matter when working with large populations, such as ease in setting up custom rules for different groups of users.”

Cable and broadband provider Cox Communications, Inc. took the appliance route for its 40,000 employees at 60 locations.

Everything comes in to servers at the company’s Atlanta headquarters, passes to hub servers and then out to mailbox servers for end-user access. A year ago, Cox installed six CipherTrust, Inc. IronMail appliances to block spam at the gateway before it hits the Exchange servers.

Senior messaging manager Franklin Warlick says the appliances themselves only took about half an hour to set up, and he spent another day tweaking the settings. The real work came in setting up whitelists.

“We started out doing the whitelist too aggressively,” he explains. “Then we found that one person’s newsletter is another person’s spam.”

That process took about a month. In the first few weeks there were also some false positives, but that has been corrected and he hasn’t heard of any for months. With the appliances in place, although the level of spam has skyrocketed, it is not swamping users’ mailboxes.

“A year ago, we were getting eight to nine million messages a month. Now we are getting over 40 and blocking about 38 million of those as spam or viruses,” says Warlick. “If we were handling that volume anywhere other than at the edge, we would have had to grow our Exchange infrastructure and staff to four times what it was a year ago.”
