How to Put a Lid on Spam
By Chris Miller
If you’re being overwhelmed by junk e-mail, here’s the bare minimum you need to avoid the deluge.
Just how big of a problem is spam? Consider the following:
In 2001, an estimated 8 percent of all e-mail was spam. By 2003 that number had jumped to more than 50 percent, according to several anti-spam companies. Ferris Research in San Francisco estimates that unsolicited e-mail cost U.S. companies more than $10 billion last year. In a survey released in December, online market researcher InsightExpress found that spam is such a costly and growing business concern that it is causing some organizations to consider foregoing e-mail altogether. The Pew Internet & American Life Project reports that 25 percent of consumers say they have reduced or stopped using e-mail because of spam.
2003 was a watershed year for spam, in ways both good and bad. While enterprises saw their inboxes fill up with unsolicited and unwanted junk mail, causing a severe drain on their business resources, concrete steps were taken to tame the menace. Let’s look at recent developments in spam and at how enterprises, through a combination of technology, vigilance, and best practices, can significantly reduce the negative impact of spam on their operations.
In December, President George W. Bush signed into law a bill establishing federal rules for commercial e-mail and penalties for unsolicited mass spamming. The so-called CAN-SPAM Act took effect January 1. The law prohibits the use of false header information in bulk commercial e-mail and requires unsolicited messages to include opt-out instructions. Penalties for violations include fines of up to $250 per e-mail, capped at up to $6 million.
While several major Internet service providers and e-commerce companies lined up to endorse the legislation, critics of the bill argued that its effect would be mostly ceremonial. They noted that bulk e-mail operators outside the U.S. will be beyond the law’s jurisdiction, that opt-out laws are unenforceable, and that the Act overrides state anti-spam laws, which in some areas are stronger than the new federal regulations. (Case in point: California Attorney General Bill Lockyer said recently that Californians will have less protection against spammers under CAN-SPAM than under a stricter, opt-in state law that had been slated to go into effect January 1.)
In an advisory, research firm Gartner Inc. said the new law is unlikely to change spammers’ behavior. For its part, Forrester Research observed that state laws have done nothing to slow spam’s growth so far, and it expects the CAN-SPAM Act will be no different.
While it is far too early to gauge the ultimate effectiveness of the CAN-SPAM Act, it has already provided one tangible benefit: increased scrutiny of all e-mail.
Spammers becoming more sophisticated
One of the most disturbing spamming developments of 2003 was the rise of “phishing,” where spammers create fraudulent e-mails and Web sites that look identical to well-known brands in order to trick consumers into providing credit card or bank account information.
For several years the message not to give away personal information on the Internet has been repeated over and over; phishing, however, makes following that advice even harder. Like other spam, a phishing message spoofs the FROM and REPLY-TO addresses so that the e-mail appears to come from a legitimate source. To make matters worse, the e-mail is usually HTML-based, so to the recipient it appears to carry the authentic trademarks and graphics of the spoofed company.
PayPal, the payment subsidiary of online auctioneer EBay, is a common target of phishers. Citibank, Visa International, and the London-based Barclays Bank have all recently warned customers to ignore e-mail messages urging them to go to Web sites to provide sensitive information.
Dave Jevans, chairman of the recently formed Anti-Phishing Working Group, says the number of unique phishing scams has grown to about five per day. Besides the direct financial costs that phishing can inflict, Jevans said corporations face a potentially greater loss: trust. Once a phisher has succeeded with a particular institution, the “trust chain” is broken, he says, making it much more difficult for the institution to maintain a relationship with its customers.
2003 also saw a rise in the number of Trojan horse programs that sneak onto users’ computers and send e-mail on a spammer’s behalf. Just last month, a new e-mail worm known as [email protected] appeared, with the potential of harvesting millions of e-mail addresses from infected PCs. Commentators said Beagle contained code that could turn an infected computer into a veritable “spamming machine.”
How can today’s enterprises stem this ever-rising tide of spam and thwart spammers who take increasingly devious routes to ply their trade? Despite the best intentions of lawmakers, enterprises “shouldn’t expect federal legislation to solve their inbound spam filtering problem,” says Gartner. Instead, security experts propose a combination of smart e-mail management and judicious use of spam-filtering technology. Here are some specifics:
Take a multi-layered approach. The only effective way to provide long-term protection against spam is to take a multi-layered approach. This is not unlike virus protection, which combines layers of signatures, a variety of heuristics, and basic blocking techniques. Ideally, security experts say, combinations of heuristic techniques (whether context-based, neural-network-based, Bayesian, or based on some other algorithm) should be used for maximum detection and minimal “false positives” (i.e., legitimate e-mails incorrectly identified as spam).
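The layering described above, as an added illustration that is not part of the original article: a small Bayesian token classifier trained on a constructed corpus, with a second layer of cheap heuristic rules nudging the score, and a deliberately high threshold so the rules alone cannot produce a false positive. The corpus, rules and weights are assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed training corpus (assumption: a real filter trains on the
# organisation's own mail, thousands of messages per class).
SPAM = ["BUY cheap software now! Limited offer, click here to order",
        "Lowest prices on brand software, order today, click here",
        "You have won! Click here to claim your prize, offer expires"]
HAM = ["Meeting moved to 3pm, please review the attached agenda",
       "Can you send me the Q3 report before the review on Friday",
       "Lunch tomorrow? Let me know if Friday works instead"]

def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def train(spam, ham):
    """Per-token spam probability with add-one smoothing, so a token seen
    in only one class never forces the whole message to exactly 0 or 1."""
    sc = Counter(t for m in spam for t in tokens(m))
    hc = Counter(t for m in ham for t in tokens(m))
    model = {}
    for t in set(sc) | set(hc):
        p_spam = (sc[t] + 1) / (len(spam) + 2)
        p_ham = (hc[t] + 1) / (len(ham) + 2)
        model[t] = p_spam / (p_spam + p_ham)
    return model

def bayes_score(model, text):
    """Naive Bayes combination of token probabilities, done in log space."""
    log_spam = log_ham = 0.0
    for t in tokens(text):
        p = model.get(t, 0.4)          # unseen tokens lean slightly ham
        log_spam += math.log(p)
        log_ham += math.log(1.0 - p)
    diff = log_ham - log_spam
    if diff > 700:                      # avoid overflow on very long messages
        return 0.0
    return 1.0 / (1.0 + math.exp(diff))

# Second layer: cheap heuristic rules, each nudging the score toward spam.
HEURISTICS = [(r"\bclick here\b", 0.3), (r"\b[A-Z]{5,}\b", 0.2), (r"!{2,}", 0.2)]

def classify(model, text, threshold=0.9):
    """Layered verdict: Bayesian probability plus rule nudges. Returns
    (score, is_spam); the high threshold keeps false positives rare."""
    score = bayes_score(model, text)
    for pattern, weight in HEURISTICS:
        if re.search(pattern, text):
            score += weight * (1.0 - score)   # never reaches 1.0 by rules alone
    return round(score, 3), score >= threshold
```

A legitimate message written in capitals trips a rule but stays below the threshold, which is the point of letting the statistical layer dominate.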
Be smart about filtering. As enterprises increase the number of spam filtering mechanisms they have in place, the unintended consequence is that spammers are now sending out even more messages in order to make a buck. Gartner recommends deploying filtering technology in phases to achieve a more precise implementation that filters spam specific to department needs and reduces the risk of false positives.
Adopt best practices:
- Be wary of vendor-branded software offers that come from a source not recognized as a legitimate reseller.
- Do not respond to suspicious spammed e-mails. A response only confirms the accuracy of your e-mail address, and may result in even more messages filling up your In-box.
- If you are suspicious, do not click on the link asking to be taken off the sender’s list, as the senders often use that as a ploy to confirm the recipient’s address, resulting in even more spammed e-mail.
- Never submit your credit card details or other personal information to non-secure Web sites (there should be a locked padlock icon that appears in yellow, or in a yellow box, on the bottom bar of the order form Web browser).
- Use spam filtering or spam blocking software.
- Do not send your e-mail address through chat rooms, instant message services or Internet bulletin boards and newsgroups.
- Report suspicious online promotions of vendor-branded software. You may also connect with the local contact of the Business Software Alliance (check the contacts list at www.bsa.org).
- In the US, you can also file a complaint with the Federal Trade Commission (FTC) about a spam e-mail that you have received. Visit the FTC online to file a complaint, or forward the spam e-mail to the FTC for investigation.
- Do not give out your primary e-mail address for online registration or on e-commerce sites. Have another free e-mail address to use more publicly.
- Do not forward chain e-mail. This special type of e-mail is considered spam. It is unsolicited, intrusive and may clog up e-mail servers and slow down Internet traffic.
Follow the latest developments. One anti-spam technology that has garnered much attention lately is Sender Permitted From (or SPF), an open-standard Simple Mail Transfer Protocol (SMTP) extension that stops spam before ISPs have to download messages by rejecting e-mails coming from forged addresses. Under SPF, e-mail users enter their valid domains and IP addresses into the SPF registry. In January, America Online launched a trial of SPF among its 33 million subscribers worldwide, saying the filter could help recipients of AOL e-mail to “separate the wheat from the chaff.”
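How an SPF check rejects a forged sender at SMTP time, as an added example that is not part of the original article: the receiving server looks up the sender domain's published record and tests the connecting IP against it. The records and addresses are constructed stand-ins for DNS lookups, and only the ip4, ip6 and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: no network access).
# A real deployment publishes these as TXT records on the sending domain.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/26 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, records=SPF_RECORDS):
    """Evaluate the domain's SPF record against the connecting IP.
    Returns 'none' when the domain publishes no record, otherwise the
    qualifier of the first matching mechanism, left to right."""
    record = records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                     # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"              # mechanism outside this teaching subset
    return "neutral"                        # nothing matched and no 'all'

def should_reject(envelope_from, sender_ip, records=SPF_RECORDS):
    """Policy applied at the SMTP MAIL FROM stage: a hard 'fail' rejects the
    forged sender before the message body is ever downloaded."""
    domain = envelope_from.rsplit("@", 1)[-1]
    return check_spf(domain, sender_ip, records) == "fail"
```

A softfail record (~all) only flags the message for the downstream filters, which is why the second domain's out-of-range sender is not rejected outright.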
Every enterprise knows that the spam menace won’t disappear anytime soon. As the last few years have shown, spammers will go to great lengths to bypass or defeat anti-spam defenses. That’s why no single anti-spam tactic or countermeasure can be counted on to solve the problem over the long term. Combating spam in the enterprise requires a combination of technology, vigilance, and best practices outlined above. As for legislative remedies, don’t give up on them just yet. Enterprises should continue to press for strong e-mail sender authentication mandated by law.
Chris Miller is director of product management for Symantec Corp.