Fighting back against spam

In late January, an avalanche of 15,000 spam e-mails took down a midlevel Simple Mail Transfer Protocol gateway server at a major credit information company, bringing e-mail to a grinding halt for 10,000 end users in 35 countries.

Scott DeGulio, global collaborative and messaging services manager for the New Jersey company, says the spammers made an educated guess at a block of e-mail addresses and sent spam to those suspected users. If the user didn’t exist, DeGulio’s mail system generated a nondelivery report that went back to the spammer. The spammer’s return address was bogus, so the system generated another block of nondelivery reports back to DeGulio’s servers, in a vicious cycle. “It’s a load issue, a bulge coming in and a bulge going out. It’s like watching a swarm of bees,” he says.

In response, DeGulio and two colleagues sifted through mail queues for more than two hours, finally locating a subject line repeated in 10,000 e-mails. He configured a server rule to delete the spam, but it took the affected server three hours to recover. “We had pizza and watched the queues go down,” he says.
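The bounce loop described above only exists because the gateway accepts mail for unknown users and then generates a nondelivery report to whatever return address the spammer forged. The following added example (not code from the company in the article) models the two gateway rules that break that cycle, plus the queue triage the admins did by hand; the domain, user list and queue contents are constructed for the example.

```python
from collections import Counter

# Constructed local directory and queue for the example; not from the article.
LOCAL_DOMAIN = "example.com"
KNOWN_USERS = {"alice", "bob"}
QUEUE = (
    [{"mail_from": "<>", "subject": "Undeliverable: Cheap meds!!!"}] * 5
    + [{"mail_from": "carol@partner.test", "subject": "Q1 figures"}]
    + [{"mail_from": "bob@example.com", "subject": "lunch?"}]
)


def rcpt_policy(mail_from: str, rcpt_to: str) -> str:
    """Decide the SMTP reply at RCPT TO time.

    Rejecting an unknown recipient inside the SMTP dialogue makes the
    failure the sender's problem: our gateway never accepts the message,
    so it never has to generate a nondelivery report (NDR) to a possibly
    bogus return address.
    """
    local, _, domain = rcpt_to.rpartition("@")
    if domain != LOCAL_DOMAIN:
        return "554 relay denied"
    if local not in KNOWN_USERS:
        return "550 no such user"
    return "250 ok"


def should_bounce(mail_from: str, delivered: bool) -> bool:
    """Generate an NDR only for a failed delivery with a non-null sender.

    NDRs are sent with the null envelope sender ("<>"). A bounce that
    itself cannot be delivered is dropped rather than bounced again,
    which is exactly what stops NDRs ping-ponging between two servers.
    """
    return not delivered and mail_from not in ("", "<>")


def top_subject(queue):
    """Return (subject, count) for the most repeated subject in a queue,
    the pattern the admins in the article located manually."""
    counts = Counter(msg["subject"] for msg in queue)
    return counts.most_common(1)[0]
```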

Unfortunately for IT departments across the country, spam, or unsolicited bulk e-mail, is becoming more than just a nuisance. It’s costing big bucks by jamming the flow of e-mail traffic, disrupting business, stealing bandwidth, hogging servers and storage devices, and taking up staff time. The Radicati Group estimates that spam comprises nearly one in three corporate messages exchanged this year, and that is expected to climb to 39 percent by 2006.

There’s no federal law or single tool to stop spam from crashing corporate servers. Spammers are a moving target, hiding behind spoofed e-mail headers, switched IP addresses and hijacked open relays.

Fighting Back Against Spam

Companies can fight back with a combination of usage policy, firewall and SMTP gateway rules and antivirus filters. Applying antispam software or services adds another protective layer, but these filters require constant updates. And even if you put layers of filters everywhere from the gateway to the mail server to the desktop, there’s still the thorny issue of striking a balance between setting the filters so loosely that spam leaks in or so tightly that legitimate e-mail is blocked.

IDC analyst Mark Levitt recommends blocking the most offensive and common spam at the server, letting the rest through and training end users to manage it. But everyone agrees that there’s no easy answer.

On an average day, 100,000 incoming spam messages hit the two Unix mail servers at California Polytechnic State University in San Luis Obispo, bogging down the system and leading to complaints from end users about messages being delayed.

But Scott Busby, the university’s application administrator, doesn’t have many weapons in his ongoing battle against spammers. The free speech culture at the college doesn’t allow spam filters on gateways or mail servers. The best Busby can do is to apply server rules that buffer spam attacks during peak periods so that the servers can process the surges during off-peak hours.

He tries to train users to set up client desktop filters, but they are difficult to use. “There’s no good way to filter for spam and not grab a percentage of good mail,” he says.

Use What You’ve Got

For most companies, the first step in fighting spam is configuring existing technology. Insurance agency Allstate is using a combination of education and usage policy, along with server configurations for blocking IP addresses and performing reverse DNS look-ups, a verification step in which the server rejects mail if the name claimed for the sending host doesn’t resolve back to its IP address.
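The reverse DNS check mentioned above is only meaningful when it is forward-confirmed: the PTR record for the connecting IP gives a host name, and that name’s A record must contain the same IP, since the PTR alone is set by whoever controls the reverse zone. Added example, not Allstate’s configuration; the DNS records are constructed and looked up from in-memory tables so it runs offline.

```python
import ipaddress

# Constructed DNS data for the example; a real gateway would query a resolver.
PTR_RECORDS = {
    "198.51.100.10": "mail.partner.example",  # honest host, A points back
    "198.51.100.11": "mail.partner.example",  # forged PTR: A does not point back
    # 198.51.100.12 deliberately has no PTR record
}
A_RECORDS = {
    "mail.partner.example": {"198.51.100.10"},
}


def reverse_lookup(ip: str, ptr=PTR_RECORDS):
    """PTR lookup: IP -> host name, or None if the IP has no PTR."""
    return ptr.get(ip)


def forward_lookup(name: str, a=A_RECORDS) -> set:
    """A lookup: host name -> set of IPs (empty if the name does not resolve)."""
    return a.get(name, set())


def fcrdns_ok(ip: str) -> bool:
    """Forward-confirmed reverse DNS for a connecting SMTP client.

    Passes only if PTR(ip) yields a name and A(name) contains ip.
    A missing PTR or a PTR naming a host that resolves elsewhere fails.
    """
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    name = reverse_lookup(ip)
    if name is None:
        return False
    return ip in forward_lookup(name)


def connect_policy(ip: str) -> str:
    """SMTP greeting decision for a connecting host."""
    if fcrdns_ok(ip):
        return "220 ready"
    return "550 host name does not match IP address"
```

Rejecting outright on a failed check is the strict end of the trade-off the article describes, since legitimate but misconfigured senders fail it too; many sites instead use the result as one input to a score.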

But Ken Davis, director of information security at Allstate in Northbrook, Ill., says a gradual increase in spam over the past year has him evaluating spam-filter technology.

“No matter if we get software in here, there’s not going to be one silver bullet,” Davis says. It takes technology and policy to prohibit users from signing up for e-mail newsletters with nonbusiness entities and the like.

Combating spam is like the war on drugs – you can’t just attack the problem on the supply side, you need to attack it with good employee-use policy, says Dana Gardner, research director at Aberdeen Group. Part of that policy would also include a prohibition against employees sending out porn, because the recipient could file a claim of sexual harassment.

Add Antispam Tools and Policies

Antispam tools, similar to virus software, can identify spam and create business rules based on those patterns. Products include Elron Software IM Message Inspector, TrendMicro eManager and Clearswift MIMEsweeper.

Gardner recommends going beyond deploying specific tools and creating an overall security system that applies policies about what is allowed to come in and go out.

Penn National Insurance is using Clearswift MIMEsweeper to slap its policy on incoming and outgoing e-mail. “While we hate to go that route, we’ll block a domain if we have to,” says Tom Miele, information security manager for the Harrisburg, Pa., firm. MIMEsweeper eradicates spam based on the user-defined policy that is translated into filter rules that block spam.

The Hartford Financial Services group in Connecticut is using antispam software in a layered filter approach, with Clearswift MIMEsweeper on its SMTP gateway, TrendMicro eManager on the mailbox servers and client filters on desktops, along with user policy. Some spam never reaches Hartford’s SMTP system because it gets killed at the Internet gateway through reverse DNS look-ups and IP blocking. The mail that reaches the SMTP gateway is sifted through MIMEsweeper’s lexicon analysis, where spam based on specified criteria is automatically deleted.

It’s always a concern that legitimate mail gets killed in this process, says C.J. Young, enterprise messaging group manager. Hartford limits its use of MIMEsweeper’s canned filter phrases for this reason, Young says. Instead, two IT staffers maintain and customize the filter rules for blocking spam based on feedback from Hartford’s 20,000 users.

At the mailbox server layer, Young says, TrendMicro eManager acts much like virus software, using a vendor-updated filter file to identify and delete spam. “We choose to delete rather than quarantine suspect spam,” he says.

But Hartford’s layered filtering approach, in place since 1999, is no match for the recent increase in volume and sophistication of spam, and IT is seeing a gradual increase in help desk complaints about spam reaching user desktops.

Young says IT now is training users to apply client filters and also is evaluating other technologies to apply at the gateway. “Our goal is to keep spam closest to the Internet,” Young says.

Seek Help From Vendors

Even with an overall policy, managing spam in-house takes a toll on IT, which has to determine what is legitimate mail. Many spammer domains are well known and easily blocked. But identifying spam through a key word search or through blocking constantly changing spammer IP addresses adds lots of administrative overhead.

With 100 local mail servers across the globe and only six staff members, DeGulio says it would be a huge undertaking to constantly update those filters.

IDC’s Levitt recommends that IT departments partner with an antispam product vendor or service provider rather than try to program rules and algorithms on their own. “You can’t build your own spam engine. You don’t have time,” he says.

Aetna knows this all too well, with IT writing scripts, digging legitimate messages out of quarantined mail and visiting security bulletin boards to find common attacks and IP addresses to block, says Perry Gesell, information security architecture manager for the Hartford, Conn., insurance firm.

He is starting to look at products and services for separating out legitimate e-mail because administering the filter eats up his time. “I need a service to eliminate this stuff, stop it at the firewall. It’s too costly to do in-house, and not the core competency at Aetna,” he says.

Providers such as Brightmail, Big Fish, MessageLabs and Postini offer services to filter spam. Brightmail pays full-time staff to inspect spam and write updated filters for the more than 3 million spams that were collected and processed through its Probe Network during February this year. According to Brightmail, the Probe Network is a collection of e-mail accounts with a statistical reach of 100 million mailboxes.

With that level of spam exposure, Brightmail develops the kind of expertise that one enterprise IT department can’t match.

Sovereign Bank is benefiting from Big Fish spam filtering services. The Boston bank is having its mail scoured for spam and viruses before it hits the network, says Brad Rightmyer, network engineering and design manager. Big Fish services also cover e-mail storage and load balancing. “I don’t think we could get one-and-a-half persons to manage an in-house system for the price of the services.” Big Fish services cost US$150 to US$6,000 per month based on volume, usage and level of service.

The Ultimate Solution: Private E-mail Networks

The lack of a 100 percent effective approach has some experts and users saying private networks, using tokens for strong authentication, are required.

Cal Poly’s Busby has considered setting up an autoforward in his e-mail client that would require legitimate mail to authenticate via a token or key word. “The hard part is that someone would always have to e-mail me twice, once to get the token and then to send their message,” he says.

“Right now we’re doing our business on the public street, and companies are realizing that the cost of managing spam is huge,” says Jacques Hale, director of research for the Butler Group. The conceptual problem with spam that software cannot solve is determining what is spam and what is not, he says. “Filtering technologies are and probably will be a hit-or-miss affair.”

Supporting a private business network where security costs are shared between partners is an extreme view, but ultimately might be necessary.