Junking the junk: staying ahead of spam attacks

Edwin Hageman, managing director BT Global MSSP. 

In 2001, junk mail accounted for approximately 10 per cent of all email traffic. Now it's closer to 60 per cent. Spam has become so prevalent that not even the most die-hard fan of Monty Python - whose famous sketch was the source of the name - finds spam funny any more. 

No wonder then that most organizations have some form of anti-spam filter in place - often managed internally. But spam is not a static issue.

New developments make it a constant challenge to keep up with the spammers and, ideally, stay one step ahead. Furthermore, the best technology in the world comes to nothing if end users do not follow basic guidelines for keeping junk mail to a minimum. 

There were, initially at least, distinct categories of spam. Generally the emails tried to sell you something, or con you out of something. 

More maliciously, corporations could be subjected to denial of service attacks - attempts to cause their mail servers to fail by flooding them with junk mail. 

Annoying though the Nigerian scam or the promises of very cheap patented drugs were, they essentially preyed upon human gullibility, rather than creating security problems.  

But spam is changing, becoming more intelligent and aggressive. As their targets become wise to their original tricks, spammers are continually adopting ever more sophisticated methods of social engineering to continue their trade.

Increasingly, spam has become intertwined with more dangerous threats such as viruses, spyware and phishing. These blended attacks can be regarded as a more 'grown up' version of the basic con tricks of previous years. 

And, just as we get to grips with the problem on desktop PCs, mobile phones and personal devices have become targets in their own right. 

Mobile phone messaging has developed in much the same way as email: having handled only plain text messages at the start, it can now support attachments, multi-media, and - more recently - active content such as embedded scripts and Java code.

They are a tempting target for spammers so attacks on these devices can only be expected to increase. 

As the anti-spam vendors update their software, the spammers themselves are constantly evolving their tools and techniques, devising new methods to reach the end user. 

Consequently, almost as soon as spam filters are updated, they are out of date. Combating spam effectively requires ongoing effort; it's not something that can be set up and forgotten about.

Pitted against the spammers are companies like Symantec, MessageLabs, McAfee and so on, acknowledged leaders in their field.

They have substantial organizations behind them that monitor spam on a global scale, using a wide variety of techniques to identify the latest messages, the mail boxes from which they are sent, and the techniques used by spammers to slip through the filters.  

For organizations that have installed products from one of these vendors, the key is to ensure they benefit fully from the technical expertise and regular updates made available to them. However, addressing spam has become less about the choice of product and its features, and more about the support and service that accompanies it.

As companies start to become more aware of the total cost of ownership of in-house security solutions and would like to secure more by spending less, they are increasingly turning to technology partners and systems integrators that can offer spam control on a managed basis. 

The benefits of outsourcing email security, including spam control, are clear. First of all, spam is an international business, and attacks do not come at the convenience of a nine-to-five IT department. Resources need to be applied so the software can be monitored, maintained and upgraded on a 24/7 basis. 

If a new spam threat is identified at midnight, the damage can be done long before the company opens for business the next morning.  

Technology partners can provide this constant support in a far more cost effective fashion, leaving organizations free to focus resources on other essential areas. As they have direct access to the developers at the vendor company, they can influence a product's ongoing development, ensuring it meets the real-world needs of their clients. 

They also tend to have much quicker access to details of the latest threats and the upgrades to counter them - details they can quickly pass on to the end-user organizations. 

As the nature of spam changes and it becomes integrated with other sources of risk, many companies will find that a point solution is no longer sufficient. 

An increasingly sophisticated end-to-end approach that covers all aspects of network security - including wireless - is a more effective method of combating these 'blended' threats.

Again, technology partners that offer comprehensive security services can prove to be the more effective option, incorporating anti-spam measures into a wider enterprise security programme. 

Finally, the right partner can help a company address the issues associated with industry compliance. Recent laws in several countries require organizations to archive email, either explicitly or implicitly. 

The regulations are often complex, increasing the chance of misunderstandings that can increase costs or, at worst, result in fines and jail sentences. 

A partner will bring a deeper understanding of both the legal requirements and the technological implications and will be able to develop a more effective solution to help the company stay compliant. 

But even with the right anti-spam package, the right technology partners and a totally integrated security solution, one weakness still remains: the user. Fortunately, with the right policies in place, individuals can also be a valuable resource in the fight against spam. 

It is, therefore, essential that the provided solution delivers the endpoint controls needed to set policies for users. On top of that, it is vital that individuals are educated about the best way to respond to spam, and what they can do to minimize the amount of junk mail that is sent to them.

Companies need to ensure that their anti-spam solutions are operating within a wider security solution, and need continuous support and user compliance to optimize their effectiveness - and for many organizations it is a sensible choice to outsource this management.

Spam has become ever more pernicious and potentially damaging and it only takes one mail to get through, or one mistake from a user, for the damage to be done.  

Ten tips for cutting down spam 

  1. Take care when giving out your email address: think twice about subscribing to newsletters or providing your email address on registration forms unless essential. 
  2. When you give out your email address always look for the option to sign up for information from third parties - and say no! Signing up for these is an open invitation to spammers. 
  3. Consider carefully who you are giving your information to. You wouldn't give out your home address or phone number to random strangers so be equally careful with your online address.  
  4. Never reply to unsolicited mail, even if it is to unsubscribe. This validates your address and makes it much more valuable to companies that sell email lists. This also applies to the remove link that many spammers include. Where possible do not even open mail that is unsolicited. 
  5. Help the anti-spam tool to 'learn' about what is and isn't junk. Identify false positives and inform it when it misses a piece of spam.  This helps build up accurate black and white lists, and identifies the latest techniques spammers are using. 
  6. Never give out your email address for anything that isn't work related. Consumer services can be some of the most pernicious spammers around. 
  7. If you're having a significant spamming problem, talk to your IT department. They may be able to help with an alternative email address or set up an address that only allows emails from designated domains. 
  8. Remove email addresses from company websites to prevent them being harvested by spambots. Provide an online form and a phone number instead.
  9. Preventing spam requires a joint international effort, so report spam, by sending the message plus the full header of the email, to sites such as www.spamcop.net which can then add the sender to their blacklists. 
  10. When using private email addresses, select an address that is difficult to guess, using a combination of letters and numbers. 

January 2006
