Just about everyone but native Hawaiians and direct marketers hates spam. Hawaiians consider Spam, the canned luncheon meat, a staple in cooking, having developed a number of amazing recipes using it as the main ingredient (see www.myhawaiionline.com/articles/spam.htm if you don't believe us). Marketers love the electronic form of spam because blitzing millions of recipients with an electronic promotion is much cheaper than sending an envelope or postcard to just a few thousand potential customers. Getting hundreds of spam messages a week is bad enough, but getting hundreds of spam messages intended for a different audience just adds insult to injury.
And the problem (the electronic one, at least) is only getting worse. Consumers will be inundated with 206 billion junk emailings in 2006, double the number received this year, research firm Jupiter estimates. Spam comprises nearly one in three corporate messages exchanged this year, with that number expected to climb to 39 percent by 2006, The Radicati Group estimates. Medium-size companies routinely get 20,000 spam messages per day, according to the Meta Group.
During a recent 24-hour period, one of NETWORK COMPUTING's small (20-user) mail servers blocked 2,478 messages from known spammers, stopped 61 messages via a spam trap and permitted about 1,000 spam messages to be delivered. That's 177 pieces of spam addressed to each user on this server in a single 24-hour period. Do the math: that's a staggering 64,605 spam messages per year per user. Admittedly, our e-mail addresses are plastered prominently all over the Web, so we're easier targets than most, but based on our experience we don't think the analysts' predictions are off by much. And the saddest part of that story is the 1,000 junk messages that got through despite the costs we've incurred and the protective measures we've implemented in our fight against spam.
Unfortunately, right now there is no perfect answer. Blacklists are reactive, and filtering tools aren't smart enough to block every message that is spam and pass every message that isn't. What you can do now is combine the available spam-fighting tools to help stem the tide.
INGREDIENT 1: A SOUPCON OF SECRECY
Some advise you to never give your e-mail address to anyone, or at the very least, to obscure it when using it in electronically visible places, such as the Web or Usenet newsgroups. Others use public e-mail addresses, usually from a free mail service, when conducting business on the Internet or posting to newsgroups, reserving their main addresses for business and personal use. But these strategies are imperfect: It takes just one slipup. Once the address is had, it is had.
From an administration standpoint, your first line of defense should be to implement systemwide rules that block known spam. We started getting a number of junk messages that had a particular string in the "From" header. We blocked these by creating a simple server-based rule that rejected mail with that particular header. Problem solved, and it took only a minute or so, at least for that single sender. And therein lies the problem: the target is always moving, and this solution is designed to hit a stationary mark. Many servers let you create your own blacklists of offending IP addresses. This is the same concept, a quick and dirty method for blocking spam but one that doesn't scale well and, again, is reactive rather than proactive.
If you have sophisticated users, they may be able to create rules on a per-user basis, either at the server, if your mail server permits user rules, or locally, using the rules capabilities of their own mail clients. For example, some users on our mail server move all messages originating from free mail servers, such as yahoo.com and hotmail.com, into folders separate from their inboxes so they can deal with them when they have time. Some even go so far as to delete these e-mails automatically because nearly all of them are spam. We don't advocate this method without consulting your users, many of whom will have a legitimate need to get e-mail from free-service users.
INGREDIENT 2: THE BLACKLIST DU JOUR
Spam blacklists, also known as block lists, offer a valuable automated tool as your second line of defense. A blacklist lets your mail server query, via DNS, a list of known spammers maintained by a variety of organizations, such as MAPS RBL (Mail Abuse Prevention System Realtime Blacklist; mail-abuse.org), SpamCop (spamcop.net) or Spamhaus (spamhaus.org). If your server's blacklist DNS query returns a hit, meaning that the sending server has a DNS record on the blacklister's DNS zone, the system that is sending mail is a known spammer.
Blacklists are created and maintained in a variety of ways, from sending "robots" out to look for open relays then listing them when they're found, to creating the lists dynamically based on day-to-day, minute-by-minute analysis of user reports. SpamCop uses the latter method, along with a scoring system that factors in the percent of spam sent from a system versus legitimate e-mail, the freshness of the report, and whether the report is for mail sent to a spam trap (SpamCop gives these reports double weight). SpamCop removes a blacklist entry if it has fewer than three reports against it and no report is newer than six hours.
When mail arrives from a server that is on a blacklist, you have some handling options. For instance, the incoming message can be refused, or it can be rerouted away from the user. Also, most mail servers optionally will send a message back to the original sender, assuming his or her return-to address hasn't been forged, stating that the mail server has been blacklisted and your organization won't accept his or her mail.
Of course, as you can see from "A Day in the Life of an E-Mail Administrator" (page 63), a return message about blacklisting often causes confusion, but we feel this step is necessary so that senders understand their mail isn't getting through to your users and can open a dialog with you to see what can be done. Consider the wording of your return message carefully to avoid any unnecessary confusion.
Blacklists, when used in the right combination, are a great defense mechanism. We use MAPS, SpamCop and Spamhaus, and that combination is about right for our users: we don't get many complaints from legitimate mail senders, and we're able to block thousands of spam messages a day. Some lists are stricter than others, increasing the risk of blocking legitimate mail, and some don't do enough to block spam. Your mileage will vary depending on your users' needs; it's a good idea to research prospective blacklists to find where they are on the spectrum.
Because these lists are maintained by their creators, administrative overhead is low. Each list does require a DNS lookup per list per message (we do three DNS queries per message plus a reverse DNS lookup to make sure the server is really who it says it is), so there is some expense on the server side in terms of CPU cycles and on the network to perform the lookups.
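The per-message blacklist query described above, sketched as an added example (not code from the article or from any mail server product). The zone names are placeholders, the injectable lookup and the table of sample answers are constructed so it runs offline, and the reversed-octet query name and 127.x answers follow the common DNS blacklist convention.

```python
import ipaddress
import socket

# Placeholder zones (assumption): substitute the zones your chosen lists publish.
ZONES = ("bl-one.example", "bl-two.example", "bl-three.example")

def dnsbl_name(ip, zone):
    """Build the query name: IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_lookup(name):
    """Resolve an A record; None means no record. Resolver errors also
    return None, so a DNS outage lets mail through rather than blocking it."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def listed_on(ip, zones=ZONES, lookup=system_lookup):
    """Return {zone: answer} for every list that has a record for ip."""
    hits = {}
    for zone in zones:
        answer = lookup(dnsbl_name(ip, zone))
        # Listings answer inside 127.0.0.0/8; any other answer (for example
        # a wildcarded zone) is not treated as a listing.
        if answer and answer.startswith("127."):
            hits[zone] = answer
    return hits

def connect_decision(ip, zones=ZONES, lookup=system_lookup):
    """Decide on the cheap DNS result before any content filter runs."""
    hits = listed_on(ip, zones, lookup)
    if hits:
        return "reject: %s listed on %s" % (ip, ", ".join(sorted(hits)))
    return "accept: pass to content filtering"

# Constructed sample answers standing in for live DNS.
FAKE_DNS = {
    "10.2.0.192.bl-one.example": "127.0.0.2",
    "10.2.0.192.bl-three.example": "127.0.0.4",
    "20.2.0.192.bl-two.example": "203.0.113.9",  # non-127 answer, ignored
}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, "->", connect_decision(ip, lookup=FAKE_DNS.get))
```
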
AND NOW FOR SOMETHING COMPLETELY DIFFERENT
Another type of DNS lookup service, currently in beta tests by IronPort Systems, makes use of a whitelist. A whitelist identifies servers that can always deliver mail to your users. IronPort's Bonded Sender Program (www.bondedsender.com) is a good example of a third-party-managed whitelist.
Let's suppose for a minute that you're a business, say AT&T Broadband, and you want to send messages to your users periodically, for example, about rate increases. If your outbound mail server's IP address is on your inbound mail server's whitelist, there's no problem. But what if you don't have a whitelist and don't subscribe to IronPort's Bonded Sender Program and your filter software decides that all the rate increase notices are spam and drops your 64,000 pieces of mail into the bit bucket? Then you're embarrassed, and that's exactly what happened to AT&T Broadband in May (www.usatoday.com/life/Cyber/tech/2002/05/22/e-mail-filter.htm).
IronPort's idea is that large e-mailers with legitimate business needs can post a bond, the size of which is determined by the amount of mail being sent. ISPs and corporations that subscribe to IronPort's whitelist allow all mail that has been bonded through to their users. Spam complaints about those messages generate fines that are paid from the bond. The more complaints, the more money comes out of the bond piggy bank. Where do the fines go? According to IronPort, they are donated to nonprofit antispam organizations.

* Two sites that offer in-depth technical tips for spam fighting as well as a plethora of links are spam.abuse.net and www.cauce.org (Coalition Against Unsolicited Commercial Email)

Opt-in requires marketers to get permission from recipients before they send unsolicited commercial advertisements. Note that EU Directives bind member states to end results. The means

To match the EU's Directive, Congress should amend the Telephone Consumer Protection Act (P.L. 103 243) to include an opt-in system for spam. The act recognizes that unsolicited telemarketing campaigns and commercial facsimiles are costly nuisances to consumers and invasions of privacy. It prohibits automated telemarketing calls and bans unsolicited commercial facsimiles. Extending the act to prohibit spam unless the recipient opted in would acknowledge that spam costs recipients money too, for the storage of unsolicited commercial advertisements and the time lost in accessing, reviewing and discarding it.

Congress' failure to act continues to make the Internet an unfettered medium for businesses to advertise, short of fraud. Until the feds enter the game for real, spammers will continue to flood our inboxes with ways to lose weight, increase sexual prowess and reduce our mortgages, held in check only by a patchwork quilt of state laws and filtering technology. Given that reality, we can only hope that filtering technology improves.

As an IT professional, you need to make your voice heard. Contact your lawmakers and tell them you support these bills. Go to www.congress.org and www.senate.gov/contacting/index.cfm for contact information. You can even go all the way to the top
Besides you and your users hitting the delete key hundreds of times daily, your last line of defense is filtering software. We break this category down into three distinct groups: client-based filtering, server-based filtering and outsourced filtering.
The client-side products generally plug in to your e-mail client, usually Lotus Notes or Microsoft Outlook or Outlook Express, or connect directly to your MAPI or POP3 mailbox. These products are based on an updatable list of client-side rules that filter based on sender, subject or an analysis of content. Two packages in this category that we looked at while preparing this article were McAfee.com's SpamKiller (www.mcafee.com), which works with any MAPI or POP3 account, and Sunbelt Software's aptly named iHateSpam (www.sunbeltsoftware.com), which works with Outlook in MAPI, IMAP or POP3 mode or Outlook Express in POP3 or IMAP mode. These packages run $20 to $30 and don't consume any server resources. Additionally, each user can customize the product to his or her heart's content. The downside is that your mail server still has to process and deliver each piece of spam, your users' ability to roam from one computer to another is severely limited if they want their spam processed, and you've now distributed your support issues to each user's computer.
During our use of both of these products, we found that some legitimate mail was moved to the spam folder while some spam slipped through the cracks. The result of this less-than-perfect accuracy [...] each message anyway, which somewhat defeated the purpose of the product. The benefit was the timing: because the messages suspected to be spam were moved to a separate folder, we could examine them during work lulls or in the evening, giving us more time to deal with legitimate mail during the day. In addition, these products "learn," so their performance improves over time.
Server-based filtering products run the gamut from commercial software, such as Brightmail's AntiSpam (www.brightmail.com), Vircom's VOP modusMail (www.vircom.com) and SurfControl's E-mail Filter for SMTP/Exchange (www.surfcontrol.com), to the freely available, Perl-script-based SpamAssassin (www.spamassassin.org), to outsourced solutions such as Postini's Active EMS. These products are more sophisticated versions of their client-based brethren, operating on e-mail as it enters the server rather than after it is delivered. If you implement a server-based product, your users are freed from the responsibility of managing their own antispam measures, and support issues are centralized.
Before you start with one of these products, make sure you can tailor its spam-filtering activities for various user groups. Your sales folks may want to receive all their mail unfiltered (the cost of their missing an important message due to a false positive can be high), while your engineers may want to filter 110 percent of their mail. In addition, these products require the most CPU cycles of any of the antispam measures we've discussed because they examine each and every message, including headers, contents and attachments, before they pass the
Which brings us back to our original point: If a relatively inexpensive DNS lookup can reject a majority of your inbound spam before the workhorse, server-based filter products start eating your CPU cycles, your entire e-mail infrastructure will benefit from greater scalability. And considering that spam is projected to increase at a rate of 100 percent per year for the foreseeable future, scalability is a critical concern.
Ron Anderson, lab director at NETWORK COMPUTING, at randerson-nospam@nwc.com (humans remove the -nospam, robots need not respond). Oh, and Spam is a registered trademark for a pork product, packed only by Geo. A. Hormel & Co., Austin, Minn.
(Information Week Feb 28, 2002) www.informationweek.com/story/
What follows is an actual e-mail exchange. Only the names were changed to protect the innocent:

--- Original Message ---
From: Innocent e-mail user
Subject: Why was my e-mail blocked?

Dear Blacklist admin:
I am a public relations professional who recently sent a single press release to one of your users from my Bell Atlantic (Verizon) mail account and received the following

Reason: The mail server you are SENDING FROM is listed on an international blacklist. Your message was rejected. Send your questions to blacklist-admin@myserver.com.

I fail to understand how my mail server (Verizon) is on an international blacklist. I am not a spammer. Please advise how I am supposed to communicate with MyUser in the future.

Subject: RE: Why was my e-mail blocked?

Innocent e-mail user,
I'll look into it. Can you tell me what day and what time you sent the message to MyUser?
Blacklist-admin

--- Original Message ---
From: Innocent e-mail user
Subject: Re: Why was my e-mail blocked?

Hi Blacklist admin,
Thanks for your response. I sent the e-mail to her about 4:30 on Friday afternoon. Hope this helps,
Innocent e-mail user

--- Original Message ---
From: Blacklist-admin
Subject: RE: Why was my e-mail blocked?

Innocent e-mail user,
One of the "real-time blocklist" services I use to help control the amount of spam my users receive does list the server from which you sent your mail (out003pub.verizon.net, 206.46.170.103) as a known