Spam-free diet

Like just about everyone else using e-mail, government users are fed up with spam — the unsolicited and unwanted junk e-mail that inundates inboxes with advertisements of get-rich-quick schemes, cheap drugs and pornography.

Whether information technology managers' motivation comes from user complaints or an e-mail virus that crashes the network, government agencies are learning how to use anti-spam tools — and their advanced features — to help stem the tide of spam.

There are many forms of anti-spam solutions: hardware appliances, server- and client-based software products, and managed services. Some are free and some cost thousands of dollars. And there are features common to many of them, such as white lists, blacklists, Bayesian filtering and heuristics (see box, Page 27).

Before settling on a particular solution, users say it's important to first establish some parameters. "My biggest challenge was the cost. We don't have a big budget," said Tony Langone, network administrator for the Agriculture Department's Appalachian Fruit Research Station and the National Center for Cool and Cold Water Aquaculture.

Langone picked a suite of products from Nemx Software Corp. that cost less than $1,000. The software plugged into the agency's Microsoft Corp. Exchange e-mail server, was easy to configure and stopped the spam that had upset users, he said. Langone supports about 120 users — mainly scientists and researchers — who were distressed about receiving e-mails of a sexual nature.

Nemx's Power Tools, a suite of products that block spam and viruses, fix the problem without requiring much user interaction, Langone said.

"It's configurable. It doesn't take over the whole network. I can manage it simply," he said. Langone said he asks users to forward him any offensive e-mail message. He then looks for a unique feature in each of the messages, such as the word "Viagra" or an attachment carrying a known virus, and creates a rule to block it in the future.

Langone uses the product's content-filtering features to block messages and attachments based on the rules he writes to look for keywords, phrases and patterns. He uses other features in the suite to filter out subject lines, addresses and headers in messages that aren't allowed in. These rules take only seconds to write, he said, and they help keep viruses off the network. He can write and implement a rule in less time than it takes the agency's

antivirus vendor to update its software to catch the same virus.

For rules to be effective, Langone said, they must be specific. If a spam message contains five question marks in the subject line, then the rule must be written to recognize that.

Just in case the Exchange server goes down, Nemx allows him to export the rules he has written to text files, which he then saves on a floppy disk and keeps in a safe location. If he has to reload the Exchange server, the rules can easily be imported instead of rewritten, he said.

Langone likes the control he has over which messages pass through, which ones don't and which ones are sent to the administrator for further consideration.

"The nicest thing is that it's right inside Exchange and I can control it," Langone said.

The bigger the agency, the bigger the spam problem and the more automated the process is likely to be. For example, officials from the General Services Administration wanted a product that would stop spam at the gateway, before it reached the inboxes of its 17,500 users.

Reactive mode wasn't cutting it, said Sally Perry, director of infrastructure applications in GSA's Office of the Chief Information Officer. GSA officials used to block spam only after it hit employees' mailboxes and a user complained about it.

Since December 2003, using software from Cloudmark Inc. installed on a Linux server, GSA officials can move away from manual blacklisting and become "a little bit more proactive in stopping the mail," Perry said, while keeping the number of false positives — messages that are erroneously flagged as spam — to a minimum.

Cloudmark's server-based Authority technology analyzes a message based on its structure and content and determines whether it is spam or not. The solution includes a database of spam messages that should be blocked immediately without requiring a network administrator to write a new rule. Users install a new cartridge about once a month that updates the existing list, similar to how antivirus subscription services work.

"If it looks like something Cloudmark should have caught but it didn't, we can add it to the cartridge" along with other spam that GSA collects, said Anne Marie Davis, team leader for groupware and messaging in GSA's Office of the CIO.

GSA also uses Tumbleweed Communication Corp.'s firewall software for content filtering and virus protection.

The software from Cloudmark offers the next layer of security by catching the spam at the gateway, Perry said.

GSA officials educate their users about "safe surfing" on the Internet and have a personal use policy in place, Perry said. Often spam is in the eye of the beholder. "We apply some judgment to this," she said. "Every user has the ability to send us a message that this domain should not or should be blocked. We do a good job of responding to that."

Spam concerns are not limited to federal agencies. User complaints motivated Doug Hollis, IT director for the city of South San Francisco, to do something about the increasing amount of pornographic spam his 450 users were receiving. The filters he had in place "weren't sophisticated enough to filter out the

e-mail bombardment we were getting," he said.

One challenge was allowing "the police department to function without it impeding their e-mail," Hollis said. The city purchased SurfControl plc's E-Mail Filter, which Hollis tweaked to block pornographic spam messages while still allowing police officers to investigate crimes of a sexual nature.

Hollis also created white lists so that,

for example, e-mail messages from a human resources consulting company that contain certain words that would normally get flagged by the filter as spam — such as the word "young" — could get through the

system.

The product sends e-mail messages through 12 steps — some of which happen by default and some of which are enabled by the user — before they are allowed to pass through, Hollis said. This includes a feature to detect adult images in e-mail messages using adaptive reasoning and the ability to compare messages against a constantly updated database of known spam.

"We set up the rules, and everyone's e-mail comes through that filter," he said. "It's the difference between being effective and not being effective."

Pornographic e-mail was also a concern for Joseph Frasier, IT manager for the Public Defender's Office in Jacksonville, Fla., and the 200 users that he supports. Because price and ease of

use were concerns, Frasier said he chose IMail Server from Ipswitch Inc., a product that took 15 minutes to get up and running, he said.

A lot of spam is HTML-encoded e-mail, which is more difficult to block, Frasier said. In addition to filtering content based on phrases, white lists and blacklists, and Bayesian technology, IMail 8.01 can blacklist URLs that appear in spam messages and can also detect hyperlinks and images.

Still, users have to be vigilant. They must be careful of where they post their addresses and forward any spam to administrators so that it can be blocked in the future, Frasier said.

For David Jordan, chief information security officer for Arlington County, Va., protecting the security of the network was the motivation behind managing

the county's spam problem. Already a user of Symantec Corp.'s antivirus products, the county added the company's anti-spam product to stop spam at the gateway.

Subject-line blocking "produced immediate results," but when heuristics came, "it was like taking a little pill and feeling a lot better," Jordan said. The heuristics engine analyzes the message's content to determine if a message is spam. Most spammers don't speak the language of government, Jordan said, so it makes it easier for county officials to identify and block the messages that are not related to government business.

Jordan said he generates a report every week to see where spam is coming from and then blocks those messages from entering the network in the future. Blocking e-mail originating from a certain IP range is an effective tool for keeping spam out, he said.

Jordan said he asks users to forward any spam messages to the information security department, but he also wants them to be more proactive. He advises employees to use more business-like phrases in subject lines, to know what to do when a virus is on the loose and to protect their home computers as they would their work computers.

"The best weapon — even though we have great tools from Symantec — is awareness from people who are on the Internet," Jordan said.

O'Hara is a freelance writer in Arlington, Va.