Anti-spam (2006)

Spam is a real nuisance. It fills up mailboxes and obscures mail you actually want to read. Individuals can do quite a bit to reduce the irritation, and ISPs are also grappling with the problem, filtering spam before it ever reaches the user.

However, enterprises still have to deal with the very real costs involved. The more time an employee spends wading through and deleting spam, the less time they can spend on productive work, and that does nothing to improve the bottom line.

Although estimates of the proportion of spam in email traffic vary, the one thing that emerges from it all is that the problem is not going away. Phishing attacks are a further complication. While not strictly spam, it shares some characteristics. Systems are now starting to offer methods to help manage this aspect of email.

Although ISPs offer anti-spam filtering as a service, this might not be acceptable to a business – some commercial traffic might be filtered out because it has some of the characteristics of spam. Some businesses would prefer a solution they controlled themselves so they could be sure essential messages were not being filtered out before they ever received them.

While most company’s mail servers offer some filtering tasks, a dedicated system offers advantages both in organisation and processing capabilities. A separate device can provide extra processing power to handle the increased workload that would otherwise require an upgrade to the server system.

The range of control mechanisms available is increasing. There are several blacklist sites offering information about known spam sources. These sites can be extremely effective in identifying known sources, but new sources occur every day and the lists need to be constantly updated.

There are also whitelists that contain the addresses that are known to be acceptable. These are generally used to allow trusted traffic to bypass the other checks, reducing both delays and the load on the system.

There are several scanning options available, often including scanning content for key words and phrases. Another option is verifying that the email sender actually exists – some spammers falsify a return address to avoid being blacklisted. Problems can occur when the falsified address is the genuine return address of an innocent third party. The spam passes these checks, is detected by the content scanning mechanisms, and the return address can find itself on a blacklist.

Our test system consisted of an internal network with various systems attached. We used the sendmail program running under RedHat Linux 9 as our “company” mail server and created some test user accounts to be targets. The test message traffic was produced using Perl scripts running on a Windows 2000 workstation, masquerading as an external mail server, and contained a mixture of genuine spam and normal traffic.

The traffic was designed to provide something for the test products to work with. We were not setting out to generate a rigorous test of their spam filtering capabilities, since this would not be possible in an isolated network.

While the systems all had access to the internet, neither our target server nor our traffic generator would ever appear on an external blacklist site, and this would have an adverse effect on any system using blacklisting as a part of its spam filtering techniques.

We set the devices up according to the manufacturers’ recommendations, using internal network addresses. All the equipment was connected through a dedicated Gigabit switch, and any internet connections were routed through a secondary firewall.

We looked for the ability to filter email in both directions. There is growing concern about company mail systems being used for criminal activities or simply as a way of passing on sensitive data. Inbound spam generates the most concern because it wastes the most time and resources, but outbound mail can be even more damaging. A company might find itself on a spam blacklist because its network has been used to send out spam.

We looked for systems that used a combination of techniques to handle spam. These were likely to trap more of it than one offering fewer options, although the effectiveness of the techniques used was more important than the numbers involved.

We looked for reporting and alerting options, and for the ability to separate monitoring and reporting from the administration and control functions. Although these functions may all be handled in one place, it is often desirable to divide these functions between several sets of network staff for security and efficiency.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.