Looking for ways to control the spam beast?

Here’s a primer to help you gain the upper hand

Spam may seem like a trivial nuisance, but it can significantly drain your network and server resources and hamper user productivity. Left unchecked, spam can consume network bandwidth, devour disk storage and lengthen backup times. Productivity suffers as users and administrators grapple with removing unsolicited commercial e-mail messages from mobile devices, chat interfaces, blogs and e-mail inboxes.

Industry experts say spam has increased more than 65 percent since 2002. On average, eight in 10 e-mail messages delivered to an inbox are spam. Why the rapid increase? It’s simple economics. The costs of hijacking e-mail addresses and sending spam are nearly nil for the spammers. Instead, spammers shift the costs associated with sending and receiving their virtual junk to your end of the connection.

Spammers know that no one is consistently enforcing antispam laws. With no pending legislation and no one imposing standards to curb the practice, spammers feel emboldened to expand their efforts, all in the name of making a few bucks.

Beyond the rising costs of controlling spam, another risk looms. Although response rates to spam are generally minuscule, spam is frequently the carrier of phishing attacks, viruses or other malware. If your users are unaware, they might receive, open or reply to such spam without knowing that their actions could open a huge security hole. Spam education is critical and urgent.

Antispam technologies
To gain the upper hand, best practices dictate the application of multiple techniques enterprisewide. Today’s spam-fighting techniques typically involve three main strategies: content filtering, traffic analysis and manual specification, which lets users establish block lists.

Many of the available tools support multiple techniques, which increases your spam-fighting success rate. For example, open-source antispam solution SpamAssassin uses several spam-fighting techniques, including header and text analysis; Bayesian filtering, which analyzes the content of a message and assigns a spam probability; Domain Name System block lists; and the use of collaborative filtering databases.

Antispam tools sometimes inadvertently flag a message as spam when it is not — known as a false positive. As you evaluate antispam solutions, check closely for the frequency of false positives. A large number could negatively impact agency communications with the public, contractors and other organizations.

Building your antispam arsenal
Unless you manage only a small organization, you’ll likely need to consider employing a variety of antispam technologies.

1. Desktop PC solutions. Desktop antispam solutions are software-based and limited to content filtering and, in some cases, manual specification. Among other vendors, Trend Micro and McAfee offer some antispam solutions for desktop usage and others for the broader enterprise.

2. Server solutions. Enterprise products and services usually offer a broader array of antispam tools than desktop solutions, including in-depth content filtering, traffic analysis and manual specification. Many enterprise solutions support multiple algorithms to increase the chances of successfully repelling spam.

You can add enterprise antispam tools to e-mail servers, such as Microsoft Exchange and IBM Lotus Domino. You can also deploy one or more antispam appliances at the edges of your network to prevent spam from ever reaching your infrastructure. The latter type of solution tends to incur higher initial costs but reduces your e-mail servers’ load. Symantec’s Brightmail, IronPort Systems’ various solutions and CipherTrust’s products, which work on different parts of an infrastructure, are all solid bets in the enterprise antispam arena.

In addition, using an antispam appliance can be effective because it reduces the impact on your infrastructure. Many antispam appliances and other enterprise software solutions offer another benefit — centralized management.

For example, Webroot Software’s SpySweeper offers a centralized interface in which administrators can deploy and control antispam software on a large number of computers. Centralized administration goes beyond generic deployment tools because it helps execute tasks, such as antispam updates, and enables scheduled e-mail scans when convenient for the agency.

Centralized administration is also useful for reporting. Deploying an antispam strategy is not a one-time project. Because spammers change their methods, regularly reviewing antispam reporting and, in particular, analyzing antispam trends will reveal if your strategy remains effective or if it requires revision.

3. Service solutions. External antispam services, such as Postini or AppRiver’s Secure Tide, are another option. By using a service approach, you can stop spam before it reaches your enterprise. However, agencies must be mindful of service-level capabilities, such as security measures and company stability.

Many companies offer multiple types of antispam solutions, and others offer solutions that blend antispam tools with antivirus and firewall capabilities. Your e-mail server provider may also have suggestions about the best antispam solutions.

As much as spam is a moving, fluid target, antispam solutions are equally agile. Vendors are doing a fairly good job of meeting spammers head-on when it comes to e-mail. Agencies that regularly execute updates from major antispam providers or use a service can expect their e-mail infrastructures to remain largely free from spam with relatively few false positives.

But spammers are beginning to invade other forms of communications, including instant messaging, mobile devices and blogs. As in any good game of cat and mouse, spam techniques and the technologies that fend them off are evolving. So organizations need to continually reassess antispam strategies to ensure successful coverage.

Establishing a plan of action Three primary concerns pertain to your purchase decisions for an antispam strategy. First, consider the effectiveness of the strategy and its solutions. Second, gauge the impact on your infrastructure. Third, evaluate the costs associated with killing spam before it affects your bottom line.

Because most antispam technologies cover the same ground, you should compare similar tasks on available solutions. For example, you might try implementing an outside antispam service together with an antispam plug-in on your e-mail servers for two weeks.

After the test, examine the quantity of spam that the service collected. Did it produce any false positives? Check your e-mail servers to measure how much spam the plug-in detected. What was the accuracy rate? Did the e-mail server performance monitors show any impact because of the use of the antispam plug-in? You will also want to examine how much spam reached agency computers.

Suppose your e-mail servers support a large number of accounts. In that case, it would likely be less effective to use a plug-in on the e-mail server because the demands of antispam activity could negatively affect users’ access to e-mail.

In such a situation, you would most likely want to implement an antispam service with one or more antispam appliances at the edge of your infrastructure. Then add antispam technology on desktop computers. That setup would be less taxing on your already busy e-mail servers.

Unless you’re dealing with a small network, you’ll likely need a multilayered approach using more than one antispam solution. Differences among deployments will include the location of solutions and the frequency of false positives. Look for solutions with the highest success rate and the lowest number of false positives.

Finally, after examining effectiveness and infrastructure impact, evaluate how the cost of your strategy will meld with agency budget requirements. Overall, pricing for desktop antispam tools is fairly competitive. But costs for server-side solutions, appliances and antispam services can vary greatly. Compare costs with effectiveness and infrastructure impact to realize your best antispam strategy.

Biggs, a senior engineer and freelance technical writer based in northern California, is a Federal Computer Week analyst. She can be reached at maggiebiggs@acm.org.

Spam-fighting techniquesThere are several ways to fight the spam beast. Many products employ some type of content filtering, traffic analysis and manual specification such as block lists. Here’s a quick look at how those techniques work.

1. Content filtering. Depending on the solutions you select, various types of content-filtering algorithms will detect and eliminate spam. For example, Bayesian filtering is one type of algorithm that analyzes the content of a message and assigns it a probability of being spam. To learn more about Bayesian filtering, visit : email.about.com/cs/bayesianfilters/a/bayesian_filter.htm.

Text and header analysis tools examine portions of messages to identify spam. Header analysis tools scan message address information to determine if a message is from a known spammer. Likewise, text analysis can look for suspect phrases in e-mail messages, such as the ubiquitously received “update your eBay account information.”

Although header and text analysis tools are useful, they don’t recognize that a message is spam as often as more sophisticated content-filtering algorithms, such as Bayesian, do. Using analysis and filtering techniques concurrently usually provides the most accurate results.

2. Traffic analysis. Another type of antispam scrutiny involves the use of traffic analysis, also known as reputation detection. This type of analysis may consider the source of an e-mail message and the destination of links in the e-mail message. For example, products from IronPort Systems (www.ironport.com) can analyze the behavior of Web sites and URLs in e-mail messages to determine trustworthiness. The tools also often run reputation analysis against the content of e-mails.

When examining content, most reputation-detection tools won’t go to the level of scoring the likelihood that a message is spam. Rather, in an adaptive manner, such tools will flag and perhaps quarantine messages with suspicious content. In other words, reputation detection is a step above text analysis, but it is not as sophisticated as more specialized spam algorithms that score content. Analysis tools are particularly useful for ferreting out certain kinds of threats, such as phishing attacks.

3. Manual or adaptive specification. Domain Name System block lists allow users or adaptive programs to establish a list of message senders from whom the recipients will never accept messages. Likewise, many programs support white lists that contain DNS entries from which a user will always accept messages. Some solutions offer support for gray lists, which capture items that match neither the black nor the white lists but seem suspicious.

Collaborative filtering lists or databases contain information about known spammers that organizations can share. Examples of these would be Spamhaus (www.spamhaus.org) and SpamCop (www.spamcop.net). With a simple DNS query, a user can check an inbound e-mail message against the lists or databases. If the system finds a match, it rejects the message. One benefit of this antispam method is that the lists and databases update regularly, and users can integrate them into their antispam strategies so that they can stay ahead of the latest spam threats.

For large organizations, fighting spam requires deploying multiple technologies and services. Here’s a list of vendors’ leading spam-fighting tools for servers and desktop computers.

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above