Spam within the enterprise has undoubtedly evolved from an annoyance to a critical business problem. No approach to spam can work in isolation: unlike viruses, spam cannot be stemmed by any single technology. I believe that by utilising the following top ten techniques an organisation can arm itself successfully against the menace of spam.
Diversity – The cocktail approach.
Identification is the first step towards stopping spam; unlike viruses, there is no one solution that blocks all spam. What is needed is a cocktail approach whereby companies employ multiple techniques, including heuristic analysis and real-time collaborative filtering tools.
Flexibility – Different strokes for different folks.
A common problem is the varied definition within companies as to what exactly spam is. For one organisation bulk emails may be a nuisance, whilst for another they are essential. Antispam solutions must allow administrators to enforce these different rules and even allow them to apply different rules to different users. Ideally, an organisation's spam solution will include an integrated policy manager, which enforces corporate policy across the entire email system and allows different rule sets for different users and groups.
Expertise – Know thy enemy.
Spammers are constantly improving their methods, particularly as corporations have finally begun to fight back. Vendors must be able to develop and deploy policies, signatures, keywords and values to corporations using their solution. Only by constant improvement can any solution continue to be responsive to spammers even in the face of new threats.
Authentication – Can I see some ID, please?
Spammers invest a great deal of time and effort into concealing their identity and the origination point of their attacks. Fortunately, this leaves telltale signs behind. A good tool should be capable of verifying the sending server's address through DNS. If a reverse DNS lookup fails to confirm the domain of an incoming connection, this could indicate a hijacked server. This can be valuable data in identifying spam.
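As an added example (not code from the article or from CipherTrust), here is a forward-confirmed reverse DNS check of the kind this paragraph describes: the resolver is injected so the example runs offline against a constructed table, and every hostname and address in that table is invented for the demonstration.

```python
import ipaddress
import socket

# Constructed lookup table standing in for DNS; names and addresses are invented.
FAKE_DNS = {
    "ptr": {  # IP -> PTR hostnames
        "192.0.2.25": ["mail.example.net."],
        "198.51.100.7": ["mx.bulksender.test."],
        "203.0.113.9": ["dsl-203-0-113-9.isp.test."],
    },
    "a": {    # hostname -> A record addresses
        "mail.example.net.": ["192.0.2.25"],
        "mx.bulksender.test.": ["198.51.100.99"],  # does not point back to the IP
        "dsl-203-0-113-9.isp.test.": ["203.0.113.9"],
    },
}

def table_resolver(record_type, key, table=FAKE_DNS):
    """Offline resolver stand-in; returns [] when no record exists."""
    return table[record_type].get(key, [])

def system_resolver(record_type, key):
    """Live resolver on the standard library, for use outside this demo."""
    try:
        if record_type == "ptr":
            return [socket.gethostbyaddr(key)[0] + "."]
        return socket.gethostbyname_ex(key.rstrip("."))[2]
    except (socket.herror, socket.gaierror):
        return []

def fcrdns(ip, resolver=table_resolver):
    """Classify a connecting IP by forward-confirmed reverse DNS.

    "confirmed": a PTR name resolves back to ip; "no_ptr": no PTR record;
    "mismatch": PTR names exist but none resolve back. Either failure is one
    input to the spam decision, not proof of spam on its own.
    """
    ipaddress.ip_address(ip)  # reject malformed input early
    names = resolver("ptr", ip)
    if not names:
        return "no_ptr"
    for name in names:
        if ip in resolver("a", name):
            return "confirmed"
    return "mismatch"

def helo_matches_ptr(helo_name, ip, resolver=table_resolver):
    """Secondary signal: does the HELO/EHLO name agree with the PTR record?"""
    helo = helo_name.rstrip(".").lower() + "."
    return helo in [n.lower() for n in resolver("ptr", ip)]
```

Pass `resolver=system_resolver` to run the same check against live DNS; the result is meant to feed a score alongside other signals rather than to reject on its own.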
Collaboration – United we stand, divided we fall.
Companies should take advantage of collaborative Internet community efforts to define new signatures and policies. Any effective solution should make use of these efforts when defining the signatures and policies that block spam; a solution that fails to do so is incomplete. The best vendors work closely with leading researchers and collaborative initiatives to ensure up-to-date, relevant responses to spam threats.
Learning – Fool me once, shame on you. Fool me twice, shame on me.
Spammers are relentless. With their email blasts costing next to nothing, they have every reason to repeatedly launch the same attack. As frustrating as it is to receive spam, it’s even more frustrating to receive the same spam again and again. New rules must be automatically created as new threats emerge to prevent similar spam in the future and/or allow end-users to assist in catching spam.
Review – See for yourself.
Organisations should empower employees to review and provide input on messages in their quarantine queue, while staying within overall administrator oversight. A significant challenge for administrators in charge of corporate anti-spam solutions is managing end-user expectations and concerns. Upon introduction of an anti-spam solution, end-users will have concerns about legitimate mail being blocked. A true enterprise solution must include tools that allow administrators to provide access to quarantine queues for some or all users, allowing users to feel confident about messages that have been blocked.
Automation – An administrator’s best friend.
Achieving and maintaining high spam blocking rates with low false positives is a constant battle. To ensure that administrators are not forced to invest too much time in the fight, a strong spam solution must be capable of maintaining its effectiveness without constant administrator intervention. Automatic rule generation, where rules are created without administrator intervention, and whitelisting of trusted users will improve detection rates and decrease false positives on the fly.
Security – Look at the big picture.
Protect the entire email system from email-based attacks. Your entire email system is a target, not just for spammers, but also for hackers and intruders. Even spammers will hack, primarily to “harvest” email addresses sitting on mail servers and gateways. A legitimate enterprise email system needs to account for these vulnerabilities and be capable of protecting at least itself and ideally the entire email system from these attacks.
Profile – Bad stuff out, good stuff in.
The ongoing challenge for corporations battling spam is the tradeoff between high detection rates and high false positive rates. Until recently, this relationship was fixed. As your detection rate increased, so did your false positive rate. The only way to break this model, achieving high detection rates while minimising false positives, is to deploy a solution that can make complex, multi-faceted decisions about spam. By using such a profiling system, administrators can aggressively pursue spam blocking without the risk of losing legitimate email.
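As an added example that is not part of the article, the following combines the points made under Flexibility (per-group rules), Automation (whitelisting) and Profile above: several independent signals are weighted into one score and judged against per-group thresholds, so detection can be pushed harder for one group without raising false positives for another. The signal names, weights, group policies and the rule that a whitelist entry applies only when reverse DNS passed are all assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Per-group thresholds; groups that rely on bulk mail get higher cut-offs."""
    quarantine_at: float
    reject_at: float
    whitelist: set = field(default_factory=set)  # trusted sender domains

# Constructed policies for two groups with different definitions of spam.
POLICIES = {
    "finance": Policy(quarantine_at=4.0, reject_at=8.0, whitelist={"bank.example"}),
    "marketing": Policy(quarantine_at=7.0, reject_at=12.0),
}

# Weight of each signal; negative weights record evidence of legitimacy.
WEIGHTS = {
    "rdns_mismatch": 2.5,     # connecting IP failed forward-confirmed reverse DNS
    "no_rdns": 1.5,           # connecting IP has no PTR record at all
    "collab_hash_hit": 5.0,   # fingerprint reported by a collaborative filter
    "heuristic_words": 1.0,   # per keyword/heuristic rule hit (a count)
    "html_only": 0.5,
    "known_mailing_list": -3.0,
}

def score(signals):
    """Sum weighted signals; booleans count as 0/1, counts as themselves."""
    total = 0.0
    for name, value in signals.items():
        if name not in WEIGHTS:
            raise KeyError(f"unknown signal {name!r}")
        total += WEIGHTS[name] * float(value)
    return total

def decide(sender_domain, group, signals, policies=POLICIES):
    """Return (action, score) for a message to a user in `group`.

    A whitelisted sender domain bypasses scoring only if the connection
    passed reverse DNS, so a forged From: address cannot ride the whitelist.
    """
    policy = policies[group]
    total = score(signals)
    rdns_ok = not (signals.get("rdns_mismatch") or signals.get("no_rdns"))
    if sender_domain.lower() in policy.whitelist and rdns_ok:
        return ("deliver", total)
    if total >= policy.reject_at:
        return ("reject", total)
    if total >= policy.quarantine_at:
        return ("quarantine", total)
    return ("deliver", total)
```

The same message scoring 6.0 is quarantined for the finance group but delivered to marketing, which is the per-group behaviour the Flexibility section asks for.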
A comprehensive anti-spam solution.
Administering all ten techniques to control spam effectively can quickly become unmanageable. Today, organisations are attempting to prevent spam with only one or two of these techniques, resulting in poor detection and high false positives. A complete solution should be built upon all of the principles discussed above. By providing this protection at the gateway, in a hardened, attack-resistant appliance platform, overall enterprise security will improve.
Colin Gray is VP and MD, EMEA for CipherTrust.