Want to stop spam? Multiple techniques in unison is the answer.
To fight spam effectively today, organizations must employ a multi-layered approach, which combines a broad set of techniques to turn spam's own objectives, characteristics, and defenses against itself. No one method can do it all. By combining a variety of techniques, businesses can create an exceptionally effective anti-spam barrier that is custom tailored to the particular needs of the organization. Organizations looking to reduce spam must consider the following techniques.
A key objective of spammers is to avoid being traced. The more anonymously they can send email, the more likely it is that they will be able to continue using the same systems and services they are using without threat of interruption. Connection filtering detects many of the methods that spammers use to avoid being traced and also includes mechanisms for blocking spam that comes from known spam senders. Connection filtering techniques identify spam by checking characteristics of the sending server and information presented by the sending server before it begins to transfer mail.
A common connection filtering technique is the use of black lists. Black lists are maintained by various organizations and are generally used to track IP addresses used to send spam. Black lists are often used to identify open relays, computers that allow anyone to send outbound email. Relay prevention requires the email server to know who is sending the message, or at least trust the IP address of the computer used to send the email. A large portion of the spam sent daily is sent using an open relay to help spammers hide their identities.
Other connection filtering techniques include reverse DNS lookups, verifying the sending computer's name, and verifying the From email address.
After two mail servers establish a connection with each other, they initiate a dialog in which the sending mail server tells the receiving server who the next email message is from, and to whom it is being sent. During this SMTP (Simple Mail Transfer Protocol) exchange, the receiving server employs filtering rules to stop spam before it is received into the organization's mail system. SMTP filtering is similar to connection filtering but it relies more heavily on the information provided by the sending server, rather than the TCP/IP connection information.
At this stage the receiving email server can help prevent dictionary attacks, where spammers attempt to validate random email addresses through the use of the verify command (VRFY) or by faking an email to a series of email addresses.
Because the goal of all spam is essentially the same--selling or promoting a product or service--a great deal of spam content shares common characteristics. Certain words and phrases such as "Silk ties" or "Eliminate debt" appear with such frequency in spam that they can be used as excellent indicators of unwanted email. Other characteristics are also reliable spam identifiers, such as the call to action--"Find out how, click here"--or even the ubiquitous removal notification--"If you want to be removed from our mailing lists ...". Content filtering turns the spammers' need to promote and sell against them by analyzing the words, phrases, structure and URLs contained within an email message to separate spam from legitimate email.
With Bayesian statistical filtering, the words in an incoming email message are evaluated based on the frequency that they appear in spam and non-spam email. A probability is then calculated on the likelihood of the email being spam. The statistical filters can be updated with an organization's own sample of good and bad messages to improve the accuracy of the filter. One particularly effective way of helping the filter "learn" is to update it with any spam that it failed to identify on its first pass. Very quickly the filter will be able to improve its ability to accurately identify what constitutes spam for a particular business.
URL domain black list
The email server searches through the body of the message for specific URLs that have been cultivated from a large sample of spam. This is a very effective way to identify spam since all spam has some call to action that typically urges the user to visit a web site or another online resource.
HTML tag filtering
The email server can look for and filter out specific HTML attributes commonly found in spam. Spammers often use HTML formatting in an attempt to circumvent statistical and phrase filtering. For example, spammers may place an HTML comment in the middle of a word, such as: VIA<!--comment here-->GRA. This causes a single word, in this case VIAGRA, to appear as two words (VIA and GRA) to the filtering software, but as a single word to the email recipient. Often, the comments themselves contain neutral words that spammers intentionally use to throw off statistical filters.
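As an added illustration (example code written for this page, not from the article or from Ipswitch), the following Python combines the Bayesian filtering and HTML tag filtering described above: it strips HTML comments and tags before tokenizing, so a comment-split word is scored as one word and the comment's neutral words never reach the filter, then scores messages with a naive Bayesian filter trained on a small constructed corpus and shows the filter "learning" after being trained on a spam message it missed. The sample messages and the Laplace-smoothed per-word probabilities are assumptions of this example.

```python
import math
import re
from collections import Counter

# Constructed training samples (not from the article): a few spam and legitimate messages.
SPAM_SAMPLES = [
    "Eliminate debt now! Find out how, click here",
    "Cheap silk ties, click here to order today",
    "Eliminate your debt, click here for details",
]
HAM_SAMPLES = [
    "Meeting moved to 3pm, see the agenda attached",
    "Can you review the quarterly report before Friday?",
    "Lunch tomorrow? The new place downtown",
]

def normalize_html(body):
    """Drop HTML comments first (VIA<!--x-->GRA rejoins as VIAGRA and the comment's
    neutral words are discarded), then drop remaining tags."""
    body = re.sub(r"<!--.*?-->", "", body, flags=re.S)
    body = re.sub(r"<[^>]+>", " ", body)
    return body.lower()

def tokenize(body):
    return re.findall(r"[a-z0-9']+", normalize_html(body))

class BayesFilter:
    """Naive Bayes over word presence; Laplace smoothing keeps unseen words neutral."""
    def __init__(self):
        self.spam_docs, self.ham_docs = Counter(), Counter()
        self.nspam = self.nham = 0
    def train(self, body, is_spam):
        words = set(tokenize(body))  # count each word once per message
        if is_spam:
            self.spam_docs.update(words); self.nspam += 1
        else:
            self.ham_docs.update(words); self.nham += 1
    def spam_probability(self, body):
        total = self.nspam + self.nham
        log_spam = math.log((self.nspam + 1) / (total + 2))  # smoothed class prior
        log_ham = math.log((self.nham + 1) / (total + 2))
        for w in set(tokenize(body)):  # P(word present | class), smoothed
            log_spam += math.log((self.spam_docs[w] + 1) / (self.nspam + 2))
            log_ham += math.log((self.ham_docs[w] + 1) / (self.nham + 2))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))  # P(spam | words)

def build_filter():
    """Train on the constructed corpus; feed missed spam back in with train(msg, True)."""
    f = BayesFilter()
    for msg, is_spam in [(m, True) for m in SPAM_SAMPLES] + [(m, False) for m in HAM_SAMPLES]:
        f.train(msg, is_spam)
    return f
```

A message built only from words the filter has never seen scores exactly 0.5; training on it as spam moves the same message above 0.9, which is the feedback loop the text recommends for spam missed on the first pass.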
Delivery rules are one of the oldest ways to filter spam by looking for a specific phrase or combination of words in the body or subject of the email. These techniques are not very useful against the modern spammer since their email addresses, subject lines and message content are constantly changing. Delivery rules can be very effective against viruses and other threats that rely on sending vast numbers of the same email message.
Educating End Users
One of the most effective ways to stop spam is to educate end users. Informed users are less likely to fall into common traps that spammers use to acquire email addresses and sustain their business. Ensuring that everyone is aware of a few basic rules makes the spammer's job more difficult, reduces inbound spam, and may even help curtail spamming as a practice:
* Never buy any product or service as a result of a spam message. Spammers only send spam because it is profitable.
* Do not use a valid email address when posting to newsgroups, list servers, chat rooms or bulletin boards. If giving an email address is absolutely required, disguise it by removing the symbols. For example, instead of email@example.com use "jsmith at abc dot com", which is much less likely to be automatically detected by email address harvesting software.
* Do not reply in any way to spam. Once you reply, the spammer will know your email address is valid and will share it with other spammers.
* Do not use your business email address online unless you trust the organization collecting it and you know how it will be used.
* If possible, turn off your email client's ability to preview messages or disable outbound HTTP for the mail client.
* Forward spam to the IT department. IT staff will then be able to modify filters to catch similar messages in the future.
Preventing False Positives
All anti-spam methods have the potential to occasionally flag a valid message as spam. Most email servers provide a number of features to help prevent these false positives, while maximizing the amount of spam that is blocked:
* Skip authenticated users--The receiving email server can allow all email from authenticated users (users that provided a username and password during the SMTP transaction) to bypass the content filters. This is useful in many corporate environments where all users on the system are trusted to not send out spam. Service provider users' intentions are not as clear and even email from authenticated users on the server may need to be scanned for spam.
* White lists--All email from a specific domain or email address will bypass the filters.
* Trusted IP addresses--Messages from a specific IP address will bypass the filters.
You're Ready To Can Spam
By using a variety of anti-spam techniques, businesses will minimize spam and its costs--reduced productivity, burdened IT resources, and end-user frustration. The important thing to keep in mind is to constantly monitor spammer techniques. Remember, they are crafty and constantly adapting to your efforts to stop them. By staying on top of spammer activities and adjusting your multi-method approach accordingly, you're sure to stop spam in its tracks.
John Korsak is product marketing manager for messaging products at Ipswitch (Lexington, MA)
Publication: Computer Technology Review, Jan 1, 2004