Spam control: Check IT List

I'd guess that at least 85% of my own incoming e-mail is spam. I think this may be an anomaly, given that my e-mail address is posted in various articles I've written on the Internet, but I know the "national average" isn't much better than this.

Phishing scams, malware attachments and the diversion of antispam IT resources have made spam a major information security issue. The new Can Spam Act isn't quite as effective as its supporters had hoped it would be.

So what can you do? Well, unless we give up on e-mail altogether, we'll likely never be able to rid our computers of it. However, as I've learned in recent years, the following tips can certainly help block -- and in some cases prevent -- the majority of it. None of these tips will likely be effective by itself but, when combined, you'll be able to set up a solid spam defense that can make a difference.

1. Establish and enforce policies for using business e-mail. Decide how lenient you want to be when it comes to employees using your business systems for personal use. A good way to get spam coming into your corporate systems is for employees to access their personal e-mail and forward along jokes, urban legends and other propaganda that shows the business account as the sending address. This junk can get forwarded along indefinitely and end up in the spammers' hands. If you wish to allow this, at least require employees to use their own personal accounts. Also, show them the blind copy feature in e-mail clients so if they do forward junk mails using your corporate identity, at least the privacy of all the recipients can be protected. As uncomfortable as it may be in an SMB, be sure to get your employees to sign off on your acceptable usage policies, keep track of what your employees are doing and discipline users who violate policies.

2. Educate employees on secure e-mail usage. Another good way to get on spam lists is when employees post messages on public Web, e-mail and Usenet discussion groups using their corporate e-mail address. The spammers have tools to harvest e-mail addresses directly from these postings. It's okay to post messages, just educate and encourage everyone to change their e-mail addresses by adding extra letters, spaces, numbers and then instruct people who want to reply what to do to remove the bogus characters.

3. Reformat or remove e-mail addresses from your Web site. Similar to the message postings I mentioned above, when you have e-mail addresses on your Web site, they can be harvested by the spammers, as well. You don't have to remove any or all addresses, just be careful which ones you list (one or two generic contact addresses vs. all employees) and what format you put them in. Instead of posting e-mail addresses in their native format (e.g., user@your_domain.com), consider putting spaces around the "@" sign or using "& #64;" instead of "@" and "& #46;" instead of "." in your addresses. These are simply special HTML character codes that can trick some of the automated harvesting engines. This isn't foolproof, but it can add an extra layer of protection.

4. Never respond to messages to get off their spam list. Another tip to share with your employees is to never respond to the "if you wish to be removed from this mailing list, click here" links within spam messages. They never work and are simply a way for the spammers to verify that you have a valid e-mail address. Another way of "responding" that you may not know is even taking place is when you allow HTML-formatted e-mails. Quite often, spammers use "Web bugs," which are simply invisible graphics images that load when the e-mail is loading. This loading process contacts the spammers' systems to let them know which of their junk messages have been viewed by the spam victim.

5. Use disposable e-mail addresses if necessary. If you must register with a lot of Web sites or post a lot of messages with your e-mail address, you can use a disposable e-mail address or a third-party filtered account for spam protection. Check out Emailias, SpamMotel and the highly popular Despammed.com offerings.

6. Filter spam at the e-mail server or beyond. The best way to block spam is to cut it off before it gets to your users. This can be done at the network perimeter (via an e-mail firewall or proxy) or at the server level using a cost-effective spam filtering system such as NetIQ's MailMarshal or Barracuda Networks' Spam Firewall. For SMBs with little or no internal IT resources, I often recommend going with an ASP-based solution such as those offered by Singlefin or eDoxs. These solutions prevent spam from ever entering your network and are very easy to manage. Also, check with your Internet service provider to see if it offers spam-filtering options.

7. Consider additional desktop filtering if you need it. External, network perimeter or server-based spam filtering may not be a good option for you. Or you may want to add an additional layer of filtering. If so, check out one of the desktop-based spam filtering solutions such as MailFrontier Desktop and Cloudmark's Spamnet.

8. Use several filtering methods. Regardless of where you perform your spam filtering, make sure your solution supports the various filtering methods available. Methods to look for are blacklist and whitelist filtering, e-mail header filtering, signature filtering, heuristics filtering, content filtering and Bayesian filtering. By using multiple filtering methods, you greatly increase your odds of being able to filter out the junk.

9. Close open e-mail relays. Many e-mail servers are configured to relay all e-mails (legitimate and spam) by default, which is a major contributor to the spam problem in the first place. These open relays let spammers send messages through your e-mail server; this not only uses up your network resources, but also makes the spam look like it's coming from you. Check out Abuse.net or use a simple utility such as Sam Spade to test your server and find out if it's able to relay external messages.

10. Let users have some control. Spam management is the only area that I ever recommend giving users some semblance of control. Spam filters are not perfect and filter legitimate e-mails. Someone has to manage this to ensure valid business communications aren't lost. If you're the one trying to sort through all messages stopped by spam filters, you likely won't have time to do much else during the day. Look for spam filtering solutions that let users go in and sort through their own junk. They'll have a better eye for finding legitimate messages, they'll feel empowered and you can spend time doing better things. Also, have a procedure in place so that users can report spam and you can in turn report it to your ISP or the Feds at FTC.gov.

Kevin Beaver is founder and principal consultant of the information security services firm Principle Logic LLC, based in Atlanta, where he specializes in information security assessments and incident response. He has more than 16 years of experience in IT and is the author of several books on information security including the new title Hacking For Dummies by Wiley Publishing. Kevin can be reached here.

Rate this Tip To rate tips, you must be a member of SearchCIO-Midmarket.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Information security management for the midmarket Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility Information technology management e-book downloads for midmarket CIOs 10 must-have steps for an effective SMB information security program Your IT security budget: How to get more bang for the buck Using key risk indicators to sell your information security program IT security spending a bright spot in '09, with more growth predicted Gartner: Vetting security of third-party partners in five steps Business software for the midmarket How to create and measure success of a SharePoint governance program Involving users in business intelligence strategy key for success Successful SOA means a long process made of small projects Key IT software solutions: Making smart choices in tough times Business intelligence vendor comparison: Gartner analyzes the big four SaaS project costs in detail: The payoff isn't always in cash CIOs share SaaS contract advice on pricing, customization and more How to build an effective corporate performance management strategy SharePoint alternatives seek to fill in the gaps Packaged social network platforms help manage, grow online communities Email and messaging for the midmarket Midmarket data center management guides: Tips and best practices CIO's cost-cutting measures include move to Gmail Midmarket firm harnesses email communication as part of disaster plan Arts center's network infrastructure hits right note with Wi-Fi, FMC When Microsoft shuts you down and other IT horror stories CIOs, unified communications and the lost art of conversation Fixed-mobile convergence saves firms costly mobile phone charges CIOs grapple with tying Wi-Fi, VoIP into unified communications plan Unified communications: Savvy business move or security meltdown? Unified communications security: How safe is it? RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.