Title: Best Practices in Spam Control
Slide 1: Best Practices in Spam Control
Slide 2: The Problem Is Big and Getting Bigger
- Meta Group estimates that at least 40% of the email that reaches the enterprise is spam.
- Major email providers like AOL, MSN, EarthLink and Yahoo block up to 70% of the spam before it reaches the enterprise.
- Jupiter Research predicts that the number of unsolicited emails will reach 4.9 trillion in 2003.
- The average worker receives 13.3 spam messages a day.
Slide 3: The Problem Is Big and Getting Bigger
- Meta Group estimates enterprises spend $20 per user per year (or 10% of the total email budget) fighting spam.
- US corporations will spend at least $120 million on anti-spam systems this year (some estimates are as high as $635M).
- Estimates of the cost of lost productivity range from $8.9 billion to $87 billion a year in the US alone.
- "The rate of spam is threatening the viability of email as a communications medium." Kevin Doerr, Business Manager, MSN.
- "Spam is a thousand times more horrible than you can ever imagine. The entire Internet mail system is under a denial of service attack." Barry Shein, President, The World (ISP).
Slide 4: The Problem Is Big and Getting Bigger
[Chart: quarterly, from March 2002 to June 2003, the peak number of daily spam emails detected and blocked by America Online. Source: AOL]
Slide 6: Why Is It So Attractive to Spam?
- It's cheap
  - The research firm eMarketer estimates that it can cost as little as 0.00032 cents to send a spam email (that's $3.20 for 1 million pieces of spam).
- It works
  - With such a cheap way to reach a large number of people, spam needs only an infinitesimal response rate to be financially viable.
Slide 7: How Do They Find You?
- Public web pages
  - Special software can harvest addresses from any page that displays them.
- Dictionary attacks
  - Programs generate combinations (john101@aol.com, john102@aol.com, etc.). If you respond, or in some cases simply open the email (a remotely loaded image reports back to the sender), the spammer knows it's a valid address.
- Online registrations
  - Sites with no privacy policy can share or sell your address to unnamed partners. Be sure to check the policy and opt out of solicitations.
- Chat rooms
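The dictionary attack above looks different from the receiving server's side: the probe arrives as a burst of RCPT TO commands for addresses that do not exist, and the mail server's reject log records each one. The following script is an added example (not part of the original presentation) that scans constructed Postfix-style smtpd log lines, counts distinct unknown recipients per connecting IP, and flags the sources that are clearly guessing. The log format, the IP addresses, the domains and the threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Postfix-style smtpd reject line: capture the connecting client IP and the
# recipient that was refused as unknown.
REJECT_RE = re.compile(
    r"RCPT from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def _reject_line(ip, host, rcpt, sender):
    """Build one constructed Postfix-style reject line (sample data, not a real log)."""
    return (
        f"Jun 12 10:01:02 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from {host}[{ip}]: "
        f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in local recipient "
        f"table; from=<{sender}> to=<{rcpt}> proto=ESMTP helo=<{host}>"
    )


# Constructed sample: one client walking john101..john108, one partner mistyping
# a single address, and an unrelated connection line that must be ignored.
SAMPLE_LOG = "\n".join(
    [_reject_line("198.51.100.7", "unknown", f"john{n}@example.com", "a@spam.test")
     for n in range(101, 109)]
    + [_reject_line("203.0.113.9", "mail.partner.example", "jsmith@example.com",
                    "bob@partner.example"),
       "Jun 12 10:06:00 mx1 postfix/smtpd[1241]: connect from mail.partner.example[203.0.113.9]"]
)


def unknown_recipients_by_client(log_text):
    """Map each client IP to the set of distinct unknown recipients it tried."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt").lower())
    return seen


def dictionary_attack_sources(log_text, threshold=5):
    """Client IPs that probed at least `threshold` distinct non-existent recipients."""
    seen = unknown_recipients_by_client(log_text)
    return sorted(ip for ip, rcpts in seen.items() if len(rcpts) >= threshold)


def sequential_localparts(rcpts):
    """True when most local parts are a name plus a number (john101, john102, ...),
    the signature of generated guesses rather than typos."""
    n = sum(bool(re.fullmatch(r"[a-z]+\d+", r.split("@")[0])) for r in rcpts)
    return n >= max(3, len(rcpts) // 2)


if __name__ == "__main__":
    by_client = unknown_recipients_by_client(SAMPLE_LOG)
    for ip in dictionary_attack_sources(SAMPLE_LOG):
        print(ip, len(by_client[ip]), "unknown recipients; sequential:",
              sequential_localparts(by_client[ip]))
```

Feeding the flagged addresses into a firewall or connection rate limit is the usual next step; the threshold should sit well above the handful of typos a legitimate correspondent produces in a day, which is why the single mistyped partner address is not flagged.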
Slide 8: Is There Help on the Horizon?
- Some marketing trade groups (e.g. the Network Advertising Initiative, the Email Service Provider Coalition and the privacy seal group TRUSTe) are attempting to certify legitimate companies and practices, but these seem unlikely to have much effect on the bulk of spammers, who won't voluntarily follow the standards.
- There are legislative bills in process at both the state and federal level. The longest-standing federal bill is the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2001, also known as the CAN-SPAM initiative. It bans the use of false or deceptive headers and provides users with an opt-out feature. Although it carries potentially high fines for non-compliance, it is widely thought to have little chance of having a dramatic impact on spam.
Slide 9: It's Not Easy Catching Spam
- It's a dimension more difficult than anti-virus, which is essentially a binary decision (is it a virus or not). Spam is more like triage: while some emails are clearly spam and some are clearly not, many are not so clearly black or white but gray. Spam can be categorized in four ways:
  1. Confidence games, pornography and unethical senders
  2. Chain letters, hoaxes and urban legends
  3. Legitimate offers from legitimate senders
  4. Occupational spam from your colleagues and business associates
- The job at the boundary is to separate the good guys (3 and 4), who should be using ethical practices that allow you to unsubscribe, from the bad guys (1 and 2), who should be blocked.
Slide 10: Tuning Your Practices for Your Business
- How much time and resource is it prudent to spend for a given level of spam reduction?
- Is the prevention of spam the responsibility of the system administrator, the end user, or some combination of both?
- Should email identified as potential spam be flatly rejected, or just tagged as spam and routed accordingly?
- Should system administrators (yours or anyone else's) who have misconfigured their systems to allow them to be used to relay spam be held responsible for any problems that result?
- Should you reject email messages that are legitimate in content but do not conform to known and accepted standards (e.g. no subject line)?
Slide 11: Tuning Your Practices for Your Business
- Should you accept for delivery mail that does not have valid reply information (either in the envelope or in the From address)?
- What criteria should be met before an individual or ISP is justifiably classified as spam-friendly?
- Are there specific words or phrases related to your business that might be blocked as spam (e.g. "breast cancer")?
- What about questionable language from customers? Block as spam?
- What percentage of false positives can your business tolerate?
- No current spam control method can provide a 100% capture rate and a 0% false positive rate. With the best rules-based tools available today, capture rates in excess of 85% will yield false positive rates of 5% or greater (Gartner Research).
Slide 12: Tuning Your Practices for Your Business
- Develop a comfort level and stage your implementation of spam control.
- Use reporting to size the problem and test the rules you've built: you can mark the headers without actually blocking the spam and see how your rules will play out.
- Quarantine before deleting until you've found the right mix between spam control and false positives.
Slide 13: System Approaches to Minimize the Problem
- Rules-based content filters, at both the ISP and local level.
  - Can reduce the most blatant spam using (among other things) keywords.
  - Only partially effective.
  - Can be difficult to set up and require constant attention.
  - The danger of false positives rises as the rules become more stringent.
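Slide 12's advice (mark the headers rather than block, then measure) and the rules-based filter described here fit together in one short program. The following is an added example, not code from the original presentation or from any product it mentions: a weighted keyword filter that parses a message with Python's standard email library, writes its verdict into X-Spam-Score and X-Spam-Status headers without dropping anything, and then reports capture rate and false-positive rate on a constructed, hand-labelled corpus at several thresholds. The rules, weights, header names and sample messages are all assumptions chosen for the example; the "breast" rule is included deliberately so the evaluation reproduces the false positive slide 11 warns about.

```python
import re
from email import message_from_string
from email.policy import default as DEFAULT_POLICY

# Weighted keyword rules: (name, scope, pattern, score). Constructed for this
# example; "anatomy_word" is deliberately the kind of naive rule the slides warn
# about, so the evaluation below can show it producing a false positive.
RULES = [
    ("caps_subject",  "subject", re.compile(r"\b[A-Z]{5,}\b"), 1.0),
    ("free_offer",    "any",     re.compile(r"\bfree\b", re.I), 1.0),
    ("click_here",    "any",     re.compile(r"\bclick here\b", re.I), 1.0),
    ("dollar_amount", "any",     re.compile(r"\$\d[\d,]*(\.\d+)?"), 1.0),
    ("anatomy_word",  "any",     re.compile(r"\bbreast\b", re.I), 2.0),
]
NO_SUBJECT_SCORE = 0.5   # mail with no Subject header is slightly suspicious


def score_message(raw):
    """Return (total score, [(rule name, score), ...]) for one RFC 5322 message."""
    msg = message_from_string(raw, policy=DEFAULT_POLICY)
    subject = str(msg.get("Subject", "") or "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hits = []
    if not subject.strip():
        hits.append(("no_subject", NO_SUBJECT_SCORE))
    for name, scope, pattern, score in RULES:
        target = subject if scope == "subject" else subject + "\n" + text
        if pattern.search(target):
            hits.append((name, score))
    return sum(s for _, s in hits), hits


def tag_message(raw, threshold):
    """Tag-only mode: add X-Spam-* headers and hand the message on unchanged."""
    score, hits = score_message(raw)
    msg = message_from_string(raw, policy=DEFAULT_POLICY)
    msg["X-Spam-Score"] = f"{score:.1f}"
    msg["X-Spam-Status"] = ("Yes" if score >= threshold else "No") + \
        " tests=" + ",".join(name for name, _ in hits)
    return msg.as_string()


def evaluate(corpus, threshold):
    """(capture rate on spam, false-positive rate on ham) at a given threshold."""
    spam = [raw for raw, is_spam in corpus if is_spam]
    ham = [raw for raw, is_spam in corpus if not is_spam]
    caught = sum(score_message(raw)[0] >= threshold for raw in spam)
    false_pos = sum(score_message(raw)[0] >= threshold for raw in ham)
    return caught / len(spam), false_pos / len(ham)


def _msg(subject, body):
    """Build a minimal raw message; subject=None omits the header entirely."""
    headers = "From: sender@example.net\nTo: user@example.com\n"
    if subject is not None:
        headers += f"Subject: {subject}\n"
    return headers + "\n" + body + "\n"


# Constructed labelled corpus: (raw message, is_spam).
CORPUS = [
    (_msg("FREE MONEY!!! Click here",
          "You have won $1,000,000. Click here to claim your free prize."), True),
    (_msg(None, "Lose weight now, click here for your free trial."), True),
    (_msg("URGENT OFFER", "Free prize! Click here and send $49.95 to claim."), True),
    (_msg("Q3 budget review", "Let's meet Tuesday to finalize the numbers."), False),
    (_msg("Breast cancer screening reminder",
          "Free screening appointments are available this month."), False),
    (_msg("Invoice 4471", "Payment of $4,500 is due on the 30th."), False),
]

if __name__ == "__main__":
    for threshold in (2.5, 3.0, 3.5):
        capture, fp = evaluate(CORPUS, threshold)
        print(f"threshold {threshold}: capture {capture:.0%}, false positives {fp:.0%}")
```

Running the evaluation at thresholds 2.5, 3.0 and 3.5 shows the trade-off in miniature: the lowest threshold catches every sample spam but also tags the cancer-screening notice, and the highest threshold clears that false positive at the cost of letting the subjectless spam through. The same two numbers, computed on your own quarantined mail after a few weeks of tag-only operation, are what tell you where to set the threshold for your business.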
Slide 14: System Approaches to Minimize the Problem
- Bayesian filtering.
  - The filtering software learns from the individual user's mail and estimates the likelihood that a particular piece of email is or is not spam by weighing the words and other features it contains against what it has seen before.
  - Can be very effective, but works best at the individual level, not at the system level.
Slide 15: System Approaches to Minimize the Problem
- White lists / black lists.
  - Lists of addresses of those you always want to accept mail from and those you never want to accept mail from. Developed over time as you add false positives to the white list and offenders to the black list.
  - There are both free and paid services that provide continuously updated third-party Realtime Blackhole Lists (RBLs), which list spam-friendly ISPs and open relays. These can help you stay abreast of the ever-changing black lists.
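The lookup behind an RBL is a DNS query: reverse the client address, append the list's zone, and treat an answer in 127.0.0.0/8 as a listing. The following is an added example (not from the original presentation) that combines a local white list, a local black list and RBL checks in the order a border mail server would apply them. The zone name dnsbl.example, the domains, the addresses and the stub resolver answers are constructed so the example runs offline; the zone name of whichever RBL provider you subscribe to goes in RBL_ZONES, and socket.gethostbyname performs the real query.

```python
import ipaddress
import socket

# Local policy lists keyed by envelope-sender domain (constructed examples).
WHITELIST = {"partner.example"}   # always accept, even if an RBL lists the client
BLACKLIST = {"spam.test"}         # always reject
# Placeholder zone name; a production system lists its real RBL zones here.
RBL_ZONES = ["dnsbl.example"]


def rbl_query_name(ip, zone):
    """Reverse the address octets (or IPv6 nibbles) and append the zone, per RFC 5782."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        parts = reversed(addr.exploded.split("."))
    else:
        parts = reversed(addr.exploded.replace(":", ""))
    return ".".join(parts) + "." + zone


def rbl_lookup(ip, zone, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer if `ip` is listed in `zone`, else None."""
    try:
        answer = resolve(rbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    # RFC 5782: listings answer inside 127.0.0.0/8. Anything else is a broken
    # zone or a wildcarding resolver and must not be treated as a listing.
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    return answer


def rbl_sanity_check(zone, resolve=socket.gethostbyname):
    """RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return (rbl_lookup("127.0.0.2", zone, resolve) is not None
            and rbl_lookup("127.0.0.1", zone, resolve) is None)


def check_sender(sender_domain, client_ip, resolve=socket.gethostbyname):
    """White list first, then local black list, then each RBL; returns an action."""
    domain = sender_domain.lower()
    if domain in WHITELIST:
        return "accept"
    if domain in BLACKLIST:
        return "reject:blacklist"
    for zone in RBL_ZONES:
        if rbl_lookup(client_ip, zone, resolve) is not None:
            return f"reject:rbl:{zone}"
    return "pass"   # no list decision; hand the message on to content filtering


# Stub resolver with constructed answers so the example runs offline.
STUB_DNS = {
    "7.100.51.198.dnsbl.example": "127.0.0.2",
    "2.0.0.127.dnsbl.example": "127.0.0.2",
}


def stub_resolve(name):
    if name in STUB_DNS:
        return STUB_DNS[name]
    raise socket.gaierror(-2, name)


if __name__ == "__main__":
    print("zone answers test points:", rbl_sanity_check("dnsbl.example", stub_resolve))
    print(check_sender("other.example", "198.51.100.7", stub_resolve))
```

Two checks are worth keeping from the example. rbl_sanity_check confirms that the zone still answers for 127.0.0.2 and not for 127.0.0.1, which catches a list that has shut down or an upstream resolver that wildcards unknown names; either would otherwise look like "everything is listed" or "nothing is listed". And the white list is consulted first, so a partner whose mail server lands on a list because of a shared address block keeps getting through while you sort it out.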
Slide 16: System Approaches to Minimize the Problem
- Challenge-response.
  - When an email comes to an addressee for the first time, the sender receives an email with a simple question or a link to a web page where the sender must type in the characters shown in an image. Since a computer sending reams of spam can't do this, the spam fails to be delivered. Once the person has met the challenge, all subsequent emails from that sender go through (it basically places them on your white list).
  - Not practical for all businesses. B2B maybe, B2C doubtful.
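The exchange described above, as an added example in Python that is not part of the original presentation: mail from an unknown sender is held, a one-time random token goes back to the sender, and a reply carrying that token releases the held message and white-lists the sender. The sender addresses, message texts and challenge wording are constructed for the example. Two details a deployment needs are included: the token is single-use and bound to the sender who was challenged, and mail from the null envelope sender (MAIL FROM:<>, used for bounces) is held rather than challenged, because a challenge to a bounce cannot be answered and only produces more bounces.

```python
import secrets


class ChallengeResponseGate:
    """Hold first-contact mail, challenge the sender, and white-list on a correct reply."""

    def __init__(self):
        self.whitelist = set()   # senders who have answered a challenge
        self.pending = {}        # token -> (sender, held raw message)
        self.held = []           # null-sender mail (bounces) that is never challenged

    def inbound(self, sender, recipient, raw):
        """Returns ('deliver', raw), ('hold', None) or ('challenge', challenge text)."""
        sender = sender.lower()
        if sender in self.whitelist:
            return "deliver", raw
        if sender == "":
            # MAIL FROM:<> carries bounces; challenging it creates loops and
            # backscatter, so queue it for the user to look at instead.
            self.held.append((recipient, raw))
            return "hold", None
        token = secrets.token_urlsafe(16)          # unguessable, single use
        self.pending[token] = (sender, raw)
        return "challenge", (f"Your message to {recipient} is waiting. Reply to this "
                             f"message with the code {token} in the subject line.")

    def response(self, sender, token):
        """Release the held message and white-list the sender if the token matches."""
        entry = self.pending.get(token)
        if entry is None or entry[0] != sender.lower():
            return None   # unknown, already used, or presented by someone else
        del self.pending[token]
        self.whitelist.add(sender.lower())
        return entry[1]


def demo_exchange():
    """Walk one sender through the full exchange; returns the three outcomes."""
    gate = ChallengeResponseGate()
    action, text = gate.inbound("alice@partner.example", "bob@example.com",
                                "Subject: hi\n\nHello Bob")
    token = text.split("code ")[1].split(" ")[0]   # what the human copies back
    released = gate.response("alice@partner.example", token)
    later = gate.inbound("alice@partner.example", "bob@example.com", "second message")[0]
    return action, released, later


if __name__ == "__main__":
    print(demo_exchange())   # ('challenge', 'Subject: hi\n\nHello Bob', 'deliver')
```

One caveat the slide does not mention: the challenge is itself an outbound message to whatever address the spammer put in the envelope. When that address is forged (the Joe-jobbing described later in the deck), the challenge lands on an innocent third party, so a challenge-response gate on a busy domain is also a source of backscatter.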
Slide 17: System Approaches to Minimize the Problem
- Spam protection services (e.g. Frontbridge, Singlefin).
  - Your email is routed through the service; they screen the spam and deliver the other mail.
  - Any users who have had mail trapped are notified via email and are provided a method to review the email, confirm it's spam, or white-list it and have it delivered.
  - Uses the best of most of the approaches discussed on the previous slides. Can check as many as 10,000 separate criteria for spam.
  - Gets you out of the spam prevention business.
  - Appears to be cost-effective.
  - Does require active participation at the user level, especially at the start of the program.
Slide 18: System Approaches to Minimize the Problem
- New approaches from email providers: Project Lumos
  - Rather than approaching the problem by trying to stop the spam, this approach tries to identify the good mail.
  - Microsoft, AOL, Yahoo and EarthLink are thought to be close to announcing a trusted-sender system.
  - The idea is to remove the impunity of anonymity for bulk emailing. It relies on bulk emailers voluntarily adopting a set of technical standards for adding information to the header portion of the message.
  - The ISPs would then adjust their mail servers to block any mail sent in bulk that does not include the information.
Slide 19: System Approaches to Minimize the Problem
- New approaches from email providers: Project Lumos
  - To be certified, bulk emailers would have to abide by good-citizenship rules, such as providing easy ways for consumers to stop getting messages.
  - Also creates a scoring system that rates emailers based on the number of complaints; too many and they are turned off.
  - Uncertified mailers are automatically blocked at the ISP.
  - Makes it relatively easy to tell who's playing by the rules and who isn't.
Slide 20: System Approaches to Minimize the Problem
- New approaches from email providers: Sender Permitted From (SPF)
  - Seeks to stop spammers from hiding behind fictitious Internet addresses or forging the addresses of others ("Joe-jobbing").
  - Joe-jobbing is widespread and troublesome because the only thing ISPs can do is turn off the account being Joe-jobbed, even though its owner isn't the spammer.
  - Under this system, companies that operate outgoing mail servers would electronically publish (in DNS) the addresses of all confirmed machines that send mail for their domain.
Slide 21: System Approaches to Minimize the Problem
- New approaches from email providers: Sender Permitted From (SPF)
  - When mail comes in, the receiving server looks up the sender domain's published list and checks whether the connecting address is on it (mail claiming to be from aol.com would have to come from AOL's servers, for instance).
  - If the address is spoofed, the email is blocked.
  - If an aol account holder is really spamming, they can be easily found.
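An SPF check is the receiving server comparing the connecting IP against the mechanisms in the sender domain's published record. The following is an added example (not from the original presentation) that evaluates a v=spf1 record with the ip4, ip6, include and all mechanisms and the +, -, ~ and ? qualifiers, using the result names from the SPF specification (pass, fail, softfail, neutral, none, permerror). The domain names and records in TXT_RECORDS are constructed, and the lookup function stands in for a DNS TXT query. One precision the slides gloss over: SPF is evaluated against the envelope sender (the SMTP MAIL FROM domain, or the HELO name), not the From: header the user sees, so a message can pass SPF and still display a forged From: line.

```python
import ipaddress

# Constructed TXT records for hypothetical domains (not real DNS data).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, lookup=TXT_RECORDS.get, depth=0):
    """Evaluate the domain's v=spf1 record for a connecting IP.

    Handles ip4, ip6, include and all (the mechanisms in the example records);
    anything else (a, mx, ptr, exists, redirect=) is reported as permerror here.
    """
    if depth > 10:
        return "permerror"   # stands in for RFC 7208's limit of 10 DNS-querying terms
    record = lookup(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            sub = check_spf(arg, client_ip, lookup, depth + 1)
            if sub in ("permerror", "none"):
                return "permerror"   # an include with no usable record is an error
            matched = sub == "pass"  # fail/softfail/neutral inside an include mean "no match"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # record exhausted without a match


def smtp_action(spf_result):
    """Map an SPF result to what the border mail server does with the message."""
    return {"fail": "reject", "softfail": "tag", "permerror": "tag"}.get(spf_result, "accept")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.20", "198.51.100.200", "203.0.113.9"):
        result = check_spf("example.com", ip)
        print(f"example.com from {ip}: {result} -> {smtp_action(result)}")
```

The include of the shared mail host shows the rule that trips people up: a ~all inside an included record never produces a softfail for the including domain, it only means "no match", and evaluation falls through to example.com's own -all. The loop.example record shows why the lookup limit matters; without it a self-including record recurses forever.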
Slide 22: Individual Best Practices
- Don't give your email address to organizations you don't trust.
  - Read the terms of use.
  - Be sure you uncheck the boxes that okay sending you things.
  - Consider alternate email addresses for use online.
- Don't respond to spam; it just validates your address.
- Report any spam you do get.
- Educate.
- Make sure your own system is properly configured and secured.
  - Keep your email clients patched and up to date.
  - Use a personal firewall.
  - Consider using mail client filtering; most clients have something built in.