Unfortunately, there’s no magic bullet for getting rid of spam. But you don’t have to put up with the deluge complacently. With multiple techniques, the flood can be reduced to a trickle.
Spammers have proved to be both determined and technologically savvy. Despite minuscule response rates and the ire of e-mail users everywhere, the number of people sending spam continues to grow. And, despite the concerted efforts of businesses to block spam, it continues to sap productivity and drain resources. Spammers are leveraging technology not only to increase the number of messages they send, but also to thwart some of the rudimentary anti-spam approaches now in place at some businesses. Simply filtering on phrases such as “Get Rich Quick!” is no longer reliable, as many spammers now use HTML formatting tags to break up the message, disguising it from filters while leaving it readable to end-users.
To fight spam effectively, organizations must employ a multilayered approach that combines a broad set of techniques to turn spam’s own objectives, characteristics, and defenses against itself. No one method can do it all. By combining a variety of techniques, businesses can create an exceptionally effective anti-spam barrier tailored to the particular needs of the organization. Organizations looking to reduce spam must consider the following techniques.
A key objective of spammers is to avoid being traced. The more anonymously they can send e-mail, the more likely it is that they will be able to continue using the same systems and services they are using without threat of interruption. Connection filtering detects many of the methods that spammers use to avoid being traced and also includes mechanisms for blocking spam that comes from known spam senders. Connection filtering techniques identify spam by checking characteristics of the sending server and information presented by the sending server before it begins to transfer mail.
A common connection-filtering technique is the use of blacklists. These are maintained by various organizations and are generally used to track IP addresses used to send spam. Blacklists are often used to identify open relays, computers that allow anyone to send outbound e-mail. Relay prevention requires the e-mail server to know who is sending the message, or at least trust the IP address of the computer used to send the e-mail. A large portion of the spam sent daily uses an open relay to help spammers hide their identities.
Other connection filtering techniques include reverse DNS lookups, verifying the name the sending computer announces, and verifying the sender’s e-mail address.
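The connection-stage checks described above (blacklist lookup, reverse lookup, and verification of the name the sending computer announces), as an added example that is not code from the article or from Ipswitch. The blacklist zone names, the fake DNS data, and the resolver callbacks are constructed for this example; a real deployment would wrap actual DNS queries and use its blocklist provider’s zones.

```python
import ipaddress
from typing import Callable, List, Optional, Sequence

# Resolver callbacks are injected so the example runs offline; in production they
# would wrap real DNS queries (for example via dnspython or socket.getaddrinfo).
ResolveA = Callable[[str], List[str]]        # hostname -> A/AAAA records ([] if none)
ResolvePTR = Callable[[str], Optional[str]]  # IP -> PTR hostname (None if none)

# Placeholder zone names for this example, not real blocklist providers.
DNSBL_ZONES: Sequence[str] = ("bl.example.invalid", "relays.example.invalid")
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here by convention


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-address name a DNSBL expects: 192.0.2.20 -> 20.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(ip.split("."))) + "." + zone
    nibbles = addr.exploded.replace(":", "")  # IPv6 lists reverse every hex digit, as ip6.arpa does
    return ".".join(reversed(nibbles)) + "." + zone


def dnsbl_hits(ip: str, resolve_a: ResolveA, zones: Sequence[str] = DNSBL_ZONES) -> List[str]:
    """Return the zones that list the address (any A record in 127.0.0.0/8 means 'listed')."""
    hits = []
    for zone in zones:
        answers = resolve_a(dnsbl_query_name(ip, zone))
        if any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers):
            hits.append(zone)
    return hits


def forward_confirmed_rdns(ip: str, resolve_ptr: ResolvePTR, resolve_a: ResolveA) -> bool:
    """Reverse lookup check: the PTR name of the client must resolve back to the same IP."""
    name = resolve_ptr(ip)
    return bool(name) and ip in resolve_a(name)


def connection_verdict(ip: str, helo_name: str, resolve_ptr: ResolvePTR,
                       resolve_a: ResolveA, zones: Sequence[str] = DNSBL_ZONES) -> List[str]:
    """Collect connection-stage findings before any message data is accepted."""
    reasons = []
    hits = dnsbl_hits(ip, resolve_a, zones)
    if hits:
        reasons.append("listed:" + ",".join(hits))
    if not forward_confirmed_rdns(ip, resolve_ptr, resolve_a):
        reasons.append("no-fcrdns")
    if ip not in resolve_a(helo_name):  # the HELO/EHLO name should belong to the connecting host
        reasons.append("helo-mismatch")
    return reasons


# Constructed fake DNS data: 192.0.2.10 is a well-configured server, 192.0.2.20 is listed twice.
FAKE_A = {
    "mail.good.example": ["192.0.2.10"],
    "20.2.0.192.bl.example.invalid": ["127.0.0.2"],
    "20.2.0.192.relays.example.invalid": ["127.0.0.3"],
}
FAKE_PTR = {"192.0.2.10": "mail.good.example"}


def fake_resolve_a(name: str) -> List[str]:
    return FAKE_A.get(name, [])


def fake_resolve_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20"):
        print(client, connection_verdict(client, "mail.good.example", fake_resolve_ptr, fake_resolve_a))
```

The findings are returned as a list rather than a reject decision on purpose: a blacklist hit is a strong signal, but plenty of legitimate servers lack a forward-confirmed reverse record or announce a name that does not resolve to their address, so those two are better fed into a score that the SMTP and content stages add to.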
After two mail servers establish a connection with each other, they initiate a dialog in which the sending mail server tells the receiving server who the next e-mail message is from, and to whom it is being sent. During this SMTP (simple mail transfer protocol) exchange, the receiving server employs filtering rules to stop spam before it is received into the organization’s mail system. SMTP filtering is similar to connection filtering, but it relies more heavily on the information provided by the sending server, rather than the TCP/IP connection information.
At this stage the receiving e-mail server can also help prevent dictionary attacks, in which spammers attempt to validate guessed e-mail addresses either through the VRFY command or by addressing a message to a series of guessed e-mail addresses and watching which ones are rejected.
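How a receiving server can blunt the dictionary attack just described, as an added example (not code from the article or from Ipswitch): VRFY is answered with a non-committal 252 reply, and a session that keeps naming unknown recipients is closed after a small number of misses. The recipient directory, the SMTP transcripts and the threshold are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple

# Constructed recipient directory standing in for the organization's user database.
DIRECTORY: Set[str] = {"alice@corp.example", "bob@corp.example"}

RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.IGNORECASE)


@dataclass
class SessionState:
    rcpt_ok: int = 0
    rcpt_unknown: int = 0
    vrfy_attempts: int = 0
    closed: bool = False


def handle_command(state: SessionState, line: str, directory: Set[str],
                   max_unknown: int = 3) -> str:
    """Reply to one client command, tracking how many guesses this session has made."""
    if state.closed:
        return "421 4.7.0 Connection closed"
    verb = line.split(" ", 1)[0].upper()
    if verb == "VRFY":
        state.vrfy_attempts += 1
        # 252 neither confirms nor denies the address, so VRFY reveals nothing about valid users.
        return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
    match = RCPT_RE.match(line)
    if match:
        address = match.group(1).strip().lower()
        if address in directory:
            state.rcpt_ok += 1
            return "250 2.1.5 OK"
        state.rcpt_unknown += 1
        if state.rcpt_unknown >= max_unknown:
            state.closed = True  # too many misses in one session: stop the guessing
            return "421 4.7.0 Too many invalid recipients, closing connection"
        return "550 5.1.1 User unknown"
    return "250 2.0.0 OK"  # HELO, MAIL FROM, DATA etc. are accepted as-is in this simplified model


def run_session(lines: Sequence[str], directory: Set[str] = DIRECTORY,
                max_unknown: int = 3) -> Tuple[List[str], SessionState]:
    """Drive a whole client transcript through handle_command and return replies plus counters."""
    state = SessionState()
    replies = [handle_command(state, line, directory, max_unknown) for line in lines]
    return replies, state


# Constructed transcripts: one address-guessing session, one ordinary delivery.
HARVEST_SESSION = [
    "HELO probe.example",
    "VRFY aaron",
    "MAIL FROM:<x@probe.example>",
    "RCPT TO:<aaron@corp.example>",
    "RCPT TO:<abby@corp.example>",
    "RCPT TO:<alice@corp.example>",
    "RCPT TO:<adam@corp.example>",
    "RCPT TO:<bob@corp.example>",
]
NORMAL_SESSION = [
    "HELO mail.partner.example",
    "MAIL FROM:<carol@partner.example>",
    "RCPT TO:<alice@corp.example>",
    "RCPT TO:<Bob@corp.example>",
    "DATA",
]

if __name__ == "__main__":
    for name, session in (("harvest", HARVEST_SESSION), ("normal", NORMAL_SESSION)):
        replies, state = run_session(session)
        print(name, state, *replies, sep="\n  ")
```

The threshold has to leave room for honest mistakes (a legitimate correspondent with one mistyped address still gets a 550 and can go on), so the counter is per session and only a run of misses ends the connection; production MTAs expose the same idea as a tunable (Postfix’s smtpd_hard_error_limit, for instance).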
Because the goal of all spam is essentially the same (selling or promoting a product or service), a great deal of spam content shares common characteristics. Certain words and phrases (“silk ties,” “eliminate debt”) appear with such frequency in spam that they can be used as excellent indicators of unwanted e-mail. Other characteristics are also reliable spam identifiers, such as a call to action (“Find out how, click here”) or even the ubiquitous removal notification “If you want to be removed from our mailing lists…” Content filtering takes the spammers’ need to promote and sell and turns it against them by analyzing the words, phrases, structure, and URLs contained in an e-mail message, with the aim of separating spam from legitimate e-mail.
With Bayesian statistical filtering, the words in an incoming e-mail message are evaluated based on how frequently they appear in spam and non-spam e-mail. A probability is then calculated for the likelihood of the e-mail being spam. The statistical filters can be updated with an organization’s own sample of good and bad messages to improve the accuracy of the filter. One particularly effective way of helping the filter “learn” is to update it with any spam that it failed to identify on its first pass. Very quickly, the filter will improve its ability to accurately identify what constitutes spam for a particular business.
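A small Bayesian filter of the kind the paragraph describes, added here as an example that is not the article’s or Ipswitch’s code. It trains on a constructed set of good and bad messages, turns per-word frequencies into a spam probability, and implements the feedback step of retraining on spam that slipped through. The sample messages, the tokenizer and the 0.9 threshold are all assumptions for this example.

```python
import math
import re
from collections import Counter
from typing import List, Set, Tuple

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text: str) -> Set[str]:
    """Distinct lower-case tokens; each token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self) -> None:
        self.spam_docs = 0
        self.good_docs = 0
        self.spam_tokens: Counter = Counter()  # number of spam messages containing each token
        self.good_tokens: Counter = Counter()  # number of good messages containing each token

    def train(self, text: str, is_spam: bool) -> None:
        tokens = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(tokens)
        else:
            self.good_docs += 1
            self.good_tokens.update(tokens)

    def token_likelihoods(self, token: str) -> Tuple[float, float]:
        """P(token | spam) and P(token | good) with add-one smoothing, so unseen words stay neutral."""
        p_spam = (self.spam_tokens[token] + 1) / (self.spam_docs + 2)
        p_good = (self.good_tokens[token] + 1) / (self.good_docs + 2)
        return p_spam, p_good

    def spam_probability(self, text: str) -> float:
        # Work in log-odds so that long messages do not underflow to zero.
        log_odds = math.log((self.spam_docs + 1) / (self.good_docs + 1))  # class prior
        for token in tokenize(text):
            p_spam, p_good = self.token_likelihoods(token)
            log_odds += math.log(p_spam / p_good)
        log_odds = max(-500.0, min(500.0, log_odds))  # keep exp() in range for extreme messages
        return 1.0 / (1.0 + math.exp(-log_odds))

    def is_spam(self, text: str, threshold: float = 0.9) -> bool:
        return self.spam_probability(text) >= threshold

    def learn_missed_spam(self, text: str) -> None:
        """The feedback loop from the article: spam that slipped through is fed back as a spam sample."""
        self.train(text, is_spam=True)


# Constructed training samples standing in for an organization's own good/bad corpus.
SPAM_SAMPLES: List[str] = [
    "Eliminate debt now! Click here to find out how",
    "Silk ties at unbeatable prices, click here",
    "Get rich quick, find out how, click here now",
    "Lowest mortgage rates, eliminate debt, click here",
]
GOOD_SAMPLES: List[str] = [
    "Meeting moved to 3pm, please update the agenda",
    "Attached is the quarterly report for review",
    "Can you send the invoice for the server order",
    "Lunch on Friday? Let me know what works",
]


def build_filter() -> BayesFilter:
    f = BayesFilter()
    for text in SPAM_SAMPLES:
        f.train(text, is_spam=True)
    for text in GOOD_SAMPLES:
        f.train(text, is_spam=False)
    return f


if __name__ == "__main__":
    f = build_filter()
    missed = "Unbelievable offer on luxury watches, order today"  # vocabulary the filter has not seen
    print("before feedback:", round(f.spam_probability(missed), 3))
    f.learn_missed_spam(missed)
    print("after feedback:", round(f.spam_probability(missed), 3))
```

The constructed corpus is tiny, so the numbers move a lot on a single feedback message; with a realistic corpus the same mechanism shifts probabilities gradually, which is why the article’s advice to keep feeding back missed spam pays off over weeks rather than instantly. The 0.9 threshold errs toward letting doubtful mail through, the usual trade-off when a false positive costs more than a missed spam.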
URL domain blacklist
The e-mail server searches through the body of the message for specific URLs that have been cultivated from a large sample of spam. This is a very effective way to identify spam since all spam has some call to action that typically urges the user to visit a Web site or another online resource.
HTML tag filtering
The e-mail server can look for and filter out specific HTML attributes commonly found in spam. Spammers often use HTML formatting to split a word such as VIAGRA so that a filter does not see it, while the recipient still sees a single word. For example, placing an HTML comment in the middle of VIAGRA makes it appear as two fragments (VIA and GRA) to the filtering software, but as one word to the e-mail recipient. Often, the comments themselves contain neutral words that spammers intentionally use to throw off statistical filters.
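The two content techniques above (the URL domain blacklist and HTML tag filtering), as one added example that is not code from the article or from Ipswitch. It reduces an HTML body to the text the recipient actually sees, so that a comment-split VIAGRA is rejoined and the neutral words hidden in comments are kept out of the statistical filter, then pulls every link target out of the message and matches its domain (or any parent domain) against a blocklist. The sample message and the blocked domain are constructed for this example.

```python
import html
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
BARE_URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def visible_text(body: str) -> str:
    """Reduce HTML to what the recipient sees: comments and tags gone, entities decoded."""
    without_comments = COMMENT_RE.sub("", body)       # "VIA<!-- ... -->GRA" becomes "VIAGRA"
    without_tags = TAG_RE.sub(" ", without_comments)  # a space so adjacent words do not fuse
    return " ".join(html.unescape(without_tags).split())


def hidden_comment_text(body: str) -> List[str]:
    """Text inside comments: a statistical filter should discard it, not weigh it as neutral words."""
    return [c.strip() for c in re.findall(r"<!--(.*?)-->", body, re.DOTALL)]


def extract_urls(body: str) -> List[str]:
    """Link targets from href attributes plus bare URLs in the visible text, de-duplicated in order."""
    candidates = HREF_RE.findall(body) + BARE_URL_RE.findall(COMMENT_RE.sub("", body))
    seen: Set[str] = set()
    urls = []
    for url in candidates:
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def url_domain(url: str) -> str:
    """Host part of a URL, lower-cased, without port or trailing dot ('' for non-http links)."""
    if url.lower().startswith("mailto:"):
        return ""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").rstrip(".")


def domain_listed(domain: str, blocked: Set[str]) -> bool:
    """Match the domain or any parent: deals.pills-example.invalid hits a listing of pills-example.invalid."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def content_verdict(body: str, blocked: Set[str]) -> Dict[str, object]:
    urls = extract_urls(body)
    hits = sorted({url_domain(u) for u in urls if domain_listed(url_domain(u), blocked)})
    return {"text": visible_text(body), "urls": urls, "blocked_domains": hits}


# Constructed sample: a comment-split product name, neutral words hidden in the comment,
# one link in an href and one pasted as bare text with mixed case and a port.
SAMPLE_BODY = (
    "<html><body><p>Cheap VIA<!-- quarterly report agenda -->GRA &amp; more!</p>"
    '<p>Find out how, <a href="http://deals.pills-example.invalid/go?id=7">click here</a></p>'
    "<p>or visit http://WWW.Pills-Example.INVALID:8080/x now</p></body></html>"
)
BLOCKED_DOMAINS: Set[str] = {"pills-example.invalid"}  # constructed, stands in for a harvested list

if __name__ == "__main__":
    for key, value in content_verdict(SAMPLE_BODY, BLOCKED_DOMAINS).items():
        print(key, "->", value)
```

Matching parent domains matters because the host part of a spam link changes far more often than the registered domain behind it; matching only whole hostnames would miss most variants, while matching substrings would wrongly hit unrelated domains that merely contain the blocked name.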
Delivery rules are one of the oldest ways to filter spam, by looking for a specific phrase or combination of words in the body or subject of the e-mail. These techniques are not very useful against the modern spammer since their e-mail addresses, subject lines and message content are constantly changing. Delivery rules can be very effective against viruses and other threats that rely on sending vast numbers of the same e-mail message.
One of the most effective ways to stop spam is to educate end-users. Informed users are less likely to fall into common traps that spammers use to acquire e-mail addresses and sustain their business. Ensuring that everyone is aware of a few basic rules makes the spammers’ job more difficult, reduces inbound spam, and may even help curtail spamming as a practice:
— Never buy any product or service as a result of a spam message. Spammers only send spam because it is profitable.
— Do not use a valid e-mail address when posting to newsgroups, list servers, chat rooms or bulletin boards. If giving an e-mail address is absolutely required, disguise it by spelling out the @ sign and the dots. For example, instead of writing the address in its usual form, use “jsmith at abc dot com”, which is much less likely to be detected automatically by e-mail address harvesting software.
— Do not reply in any way to spam. Once you reply, the spammer will know your e-mail address is valid and will share it with other spammers.
— Do not use your business e-mail address online unless you trust the organization collecting it and you know how it will be used.
— If possible, turn off your e-mail client’s ability to preview messages, or disable outbound HTTP for the mail client, so that remote content in HTML messages is not fetched automatically.
— Forward spam to the IT department. IT staff will then be able to modify filters to catch similar messages in the future.
Preventing false positives
All anti-spam methods have the potential to occasionally flag a valid message as spam. Most e-mail servers provide a number of features to help prevent these false positives, while maximizing the amount of spam that is blocked:
— Skip authenticated users: the receiving e-mail server can allow all e-mail from authenticated users (users who provided a username and password during the SMTP transaction) to bypass the content filters. This is useful in many corporate environments where all users on the system are trusted not to send spam. At a service provider, users’ intentions are less clear, and even e-mail from authenticated users may need to be scanned for spam.
— White lists: all e-mail from a specific domain or e-mail address will bypass the filters.
— Trusted IP addresses: messages from a specific IP address will bypass the filters.
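The three exemptions above wired in front of a content filter, as an added example that is not the article’s or Ipswitch’s code. It shows the order in which the checks run, handles trusted addresses as CIDR ranges rather than single hosts, and models the service-provider case from the first bullet by making the authenticated-user bypass switchable. The envelope fields, the policy values and the crude stand-in content filter are assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class Envelope:
    """Facts known before the content filters run (constructed for this example)."""
    client_ip: str
    authenticated: bool   # did the client pass SMTP AUTH in this session?
    mail_from: str        # envelope sender from MAIL FROM


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


class BypassPolicy:
    def __init__(self, whitelist_addresses: Iterable[str] = (), whitelist_domains: Iterable[str] = (),
                 trusted_networks: Iterable[str] = (), skip_authenticated: bool = True) -> None:
        self.addresses = {a.lower() for a in whitelist_addresses}
        self.domains = {d.lower() for d in whitelist_domains}
        self.networks = [ipaddress.ip_network(n) for n in trusted_networks]  # single hosts or CIDRs
        self.skip_authenticated = skip_authenticated

    def bypass_reason(self, env: Envelope) -> Optional[str]:
        """First matching exemption wins; None means the message goes through the filters."""
        if self.skip_authenticated and env.authenticated:
            return "authenticated-user"
        if env.mail_from.lower() in self.addresses:
            return "whitelisted-address"
        if sender_domain(env.mail_from) in self.domains:
            return "whitelisted-domain"
        client = ipaddress.ip_address(env.client_ip)
        if any(client in net for net in self.networks):
            return "trusted-ip"
        return None


def filter_message(env: Envelope, body: str, policy: BypassPolicy,
                   looks_like_spam: Callable[[str], bool]) -> str:
    """Return the disposition: an exemption reason, a quarantine, or a clean accept."""
    reason = policy.bypass_reason(env)
    if reason:
        return "accept:" + reason
    return "quarantine" if looks_like_spam(body) else "accept:clean"


def crude_content_filter(body: str) -> bool:
    """Constructed stand-in for the content-filtering stage."""
    return "click here" in body.lower()


# Corporate policy: trust authenticated users; provider policy: scan them anyway.
CORPORATE = BypassPolicy(whitelist_domains=["partner.example"], trusted_networks=["192.0.2.0/24"])
PROVIDER = BypassPolicy(trusted_networks=["192.0.2.0/24"], skip_authenticated=False)

if __name__ == "__main__":
    spammy = "Find out how, click here"
    print(filter_message(Envelope("198.51.100.7", True, "user@corp.example"), spammy, CORPORATE, crude_content_filter))
    print(filter_message(Envelope("198.51.100.7", True, "user@corp.example"), spammy, PROVIDER, crude_content_filter))
```

Of the three exemptions, the white list is the weakest, because the envelope sender it matches on is trivially forged; the authenticated-user and trusted-IP exemptions rest on something the sending side actually had to prove or possess, which is why they are listed as the stronger signals here.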
You’re ready to can spam
By using a variety of anti-spam techniques, businesses will minimize spam and its costs: reduced productivity, burdened IT resources, and end-user frustration. The important thing to keep in mind is to constantly monitor spammer techniques. Remember, they are crafty and constantly adapting to your efforts to stop them. By staying on top of spammer activities and adjusting your multi-method approach accordingly, you’re sure to stop spam in its tracks.
John Korsak is product marketing manager for Ipswitch’s messaging products, IMail Server and Ipswitch Instant Messaging.