Best Practices in Spam Control
The Problem Is Big and Getting Bigger
• Meta Group estimates at least 40% of email that reaches the enterprise is spam.
• Major email providers like AOL, MSN, EarthLink and Yahoo block up to 70% of the spam before it reaches the enterprise.
• Jupiter Research predicts that the number of unsolicited emails will reach 4.9 trillion in 2003.
• The average worker receives 13.3 spam messages a day.
The Problem Is Big and Getting Bigger
• Meta Group estimates enterprises spend $20 per user per year (or 10% of the total email budget) fighting spam.
• US corporations will spend at least $120 million on anti-spam systems this year (some estimates are as high as $635M).
• Estimates of the cost of lost productivity range from $8.9 billion to $87 billion a year in the US alone.
• “The rate of Spam is threatening the viability of email as a communications medium” Kevin Doerr, Business Manager, MSN.
• “Spam is a thousand times more horrible than you can ever imagine. The entire Internet mail system is under a denial of service attack.” Barry Shein, President, The World ISP.
The Problem Is Big and Getting Bigger
[Chart] Quarterly, from March 2002 to June 2003: the peak number of daily spam emails detected and blocked by America Online. Source: AOL
Why Is It So Attractive to Spam?
• It’s cheap
  • The research firm eMarketer estimates that it can cost as little as 0.00032 cents to send one spam email (that’s $3.20 for 1 million pieces of spam).
• It works
  • With such a cheap way to reach a large number of people, spam needs only an infinitesimal response rate to be financially viable.
How Do They Find You?
• Public web pages
  • Special software can “harvest” addresses from any page where they appear.
• Dictionary attacks
  • Programs generate combinations (john101@aol.com, john102@aol.com, etc.) and watch what comes back. A mail server that accepts the address instead of rejecting it, a reply from you, or in some cases simply opening the email (which fetches a remote image and reports back) tells the spammer the address is valid.
• Online registrations
  • Sites with no privacy policy can share or sell your address to unnamed “partners”. Check the policy and opt out of solicitations.
• Chat rooms
Is There Help on the Horizon?
• Some marketing trade groups (e.g. the Network Advertising Initiative’s Email Service Provider Coalition and the privacy-seal group TRUSTe) are attempting to “certify” legitimate companies and practices, but these seem unlikely to have much effect on the bulk of spammers, who won’t voluntarily follow the standards.
• There are legislative bills in process at both the state and federal level. The longest-standing federal bill is the “Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2001”, also known as the “CAN-SPAM” initiative. It bans the use of false or deceptive headers and provides users with an opt-out feature. Although it carries potentially high fines for non-compliance, it is widely thought to have little chance of making a dramatic impact on spam.
It’s Not Easy Catching Spam
It is a dimension harder than anti-virus, which is essentially a binary decision (is it a virus or not). Spam is more like triage: some emails are clearly spam and some are clearly not, but many are neither black nor white but gray.
Spam can be categorized in four ways:
1. Confidence games, pornography and unethical senders
2. Chain letters, hoaxes and urban legends
3. Legitimate offers from legitimate senders
4. “Occupational spam” from your colleagues and business associates
The job at the boundary is to separate the “good guys” (3 and 4), who should be using ethical practices that allow you to unsubscribe, from the “bad guys” (1 and 2), who should be blocked.
Tuning Your Practices for Your Business
• How much time and resource is it prudent to spend for a given level of spam reduction?
• Is the prevention of spam the responsibility of the system administrator, the end user, or some combination of both?
• Should email identified as potential spam be flatly rejected, or just tagged as spam and routed accordingly?
• Should system administrators (yours or anyone else’s) who have misconfigured their systems so that they can be used to relay spam be held responsible for any problems that result?
• Should you reject email messages that are legitimate in content but do not conform to known and accepted standards (e.g. no subject line)?
Tuning Your Practices for Your Business
• Should you accept for delivery mail that does not have valid reply information (either in the envelope or in the From address)?
• What criteria should be met before an individual or ISP is justifiably classified as “spam-friendly”?
• Are there specific words or phrases directly related to your business that might be blocked as spam (e.g. “breast cancer”)?
• What about questionable language from customers? Block it as spam?
• What percentage of “false positives” can your business tolerate?
• No current spam control method can provide a 100% capture rate and a 0% false-positive rate. With the best rules-based tools available today, capture rates in excess of 85% yield false-positive rates of 5% or greater. (Gartner Research)
Tuning Your Practices for Your Business
• Develop a comfort level and stage your implementation of spam control.
• Use reporting to size the problem and test the rules you’ve built: you can mark the headers without actually blocking the spam and see how your rules would play out.
• Quarantine before deleting until you’ve found the right mix between spam control and false positives.
System Approaches to Minimize the Problem
• Rules-based content filters at both the ISP and local level.
  • Can reduce the most blatant spam using (among other things) key words.
  • Only partially effective.
  • Can be difficult to set up and require constant attention.
  • The danger of false positives rises as the rules become more stringent.
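The staged rollout from the tuning slides (mark headers first, quarantine before deleting) and the keyword rules described above can be combined in a small scoring filter. This is an added example, not code from the presentation: the rule list, the weights, the two thresholds, the X-Spam-* header names and the three sample messages are all constructed for illustration.

```python
"""Rules-based content filter that scores and tags instead of rejecting.

Added example (not from the presentation). The rules, weights, thresholds,
X-Spam-* header names and sample messages below are all constructed.
"""
import re
from email import message_from_string
from email.message import Message

# (rule name, compiled pattern or None for a structural check, weight).
# Weights are illustrative; in practice they are tuned from reporting data.
RULES = [
    ("viagra",        re.compile(r"\bviagra\b", re.I),       3.0),
    ("free_money",    re.compile(r"\bfree\s+money\b", re.I), 2.5),
    ("click_here",    re.compile(r"\bclick\s+here\b", re.I), 1.0),
    ("all_caps_subj", re.compile(r"^[A-Z0-9 !$%]{12,}$"),    1.5),  # subject only
    ("breast",        re.compile(r"\bbreast\b", re.I),       3.0),  # the false-positive trap from the tuning slide
    ("no_subject",    None,                                  0.5),
]

TAG_THRESHOLD = 3.0         # stamp X-Spam-Flag: YES and deliver; client-side rules route it
QUARANTINE_THRESHOLD = 6.0  # hold for review; nothing is dropped unseen


def score_message(msg: Message):
    """Return (score, [names of matched rules]) for a parsed message."""
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = subject + "\n" + body
    score, hits = 0.0, []
    for name, pattern, weight in RULES:
        if pattern is None:                      # structural rule: missing or empty subject
            matched = not subject.strip()
        elif name == "all_caps_subj":
            matched = bool(pattern.match(subject))
        else:
            matched = bool(pattern.search(text))
        if matched:
            score += weight
            hits.append(name)
    return score, hits


def classify(raw: str):
    """Score a raw message, stamp X-Spam-* headers, and choose an action.

    Returns (action, score, hits, tagged_message); action is 'deliver',
    'tag' or 'quarantine'. A false positive costs a review, not a lost
    message, which is the staged approach the slides recommend.
    """
    msg = message_from_string(raw)
    score, hits = score_message(msg)
    if score >= QUARANTINE_THRESHOLD:
        action = "quarantine"
    elif score >= TAG_THRESHOLD:
        action = "tag"
    else:
        action = "deliver"
    msg["X-Spam-Score"] = f"{score:.1f}"
    msg["X-Spam-Rules"] = ",".join(hits) if hits else "none"
    msg["X-Spam-Flag"] = "NO" if action == "deliver" else "YES"
    msg["X-Spam-Action"] = action
    return action, score, hits, msg


# Constructed sample messages.
SPAM = "Subject: FREE MONEY CLICK HERE\n\nBuy viagra now, click here for free money!\n"
LEGIT = "Subject: Oncology referral\n\nThe breast cancer screening is booked for Monday.\n"
NO_SUBJECT = "From: bob@example.com\n\nLunch today?\n"

if __name__ == "__main__":
    for raw in (SPAM, LEGIT, NO_SUBJECT):
        action, score, hits, _ = classify(raw)
        print(f"{action:10} {score:4.1f} {hits}")
```

Run in header-marking mode, the legitimate referral is tagged rather than lost, and the reporting shows "breast" as the only rule that fired, so the rule can be dropped or re-weighted before enforcement is turned on.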
System Approaches to Minimize the Problem
• Bayesian filtering.
  • The filtering software “learns” about the individual user and can deduce the likelihood that a particular piece of email is or is not spam by weighing various factors.
  • Can be very effective, but works best at the individual level, not at the system level.
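What “learns about the individual user” means in practice, as an added example that is not part of the presentation: a naive Bayes filter trained on each user’s own labelled mail. The spam corpus, the two users’ ham corpora and the test message are constructed; they are chosen so that one message scores as legitimate for a clinician and as spam for an office worker, which is why a single system-wide model does worse than per-user ones.

```python
"""Per-user Bayesian spam filter: multinomial naive Bayes with add-one smoothing.

Added example, not from the presentation. The spam corpus, the two users'
ham corpora and the test message are constructed to show why a model
trained per user gives a different (and better) answer than one shared model.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case word tokens; punctuation is dropped."""
    return TOKEN.findall(text.lower())


class BayesFilter:
    def __init__(self):
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()
        self.spam_msgs = 0
        self.ham_msgs = 0

    def train(self, text, is_spam):
        """Record one message the user has labelled spam or ham."""
        if is_spam:
            self.spam_tokens.update(tokenize(text))
            self.spam_msgs += 1
        else:
            self.ham_tokens.update(tokenize(text))
            self.ham_msgs += 1

    def spam_probability(self, text):
        """P(spam | text). Computed in log space so long messages cannot underflow."""
        if not self.spam_msgs or not self.ham_msgs:
            raise ValueError("train on at least one spam and one ham message first")
        vocab = len(set(self.spam_tokens) | set(self.ham_tokens))
        n_spam = sum(self.spam_tokens.values())
        n_ham = sum(self.ham_tokens.values())
        total = self.spam_msgs + self.ham_msgs
        log_spam = math.log(self.spam_msgs / total)  # class priors
        log_ham = math.log(self.ham_msgs / total)
        for tok in tokenize(text):
            # Add-one smoothing: a word never seen in a class still gets a
            # small non-zero probability instead of vetoing the whole message.
            log_spam += math.log((self.spam_tokens[tok] + 1) / (n_spam + vocab))
            log_ham += math.log((self.ham_tokens[tok] + 1) / (n_ham + vocab))
        m = max(log_spam, log_ham)  # log-sum-exp normalisation
        p_spam, p_ham = math.exp(log_spam - m), math.exp(log_ham - m)
        return p_spam / (p_spam + p_ham)

    def is_spam(self, text, threshold=0.5):
        return self.spam_probability(text) >= threshold


# Constructed training data: one shared spam corpus, two different users' ham.
SPAM_CORPUS = [
    "free money click here",
    "buy viagra now cheap pills",
    "click here for free prizes",
    "cheap viagra free shipping",
]
ONCOLOGY_HAM = [   # a clinician's legitimate mail
    "breast cancer screening results attached",
    "meeting about the breast clinic budget",
    "free breast screening clinic for staff",
    "please review the attached report",
    "lunch on monday",
]
GENERIC_HAM = [    # an office worker's legitimate mail
    "meeting notes attached",
    "please review the attached report",
    "lunch on monday",
    "project budget update",
    "the quarterly report is attached",
]


def build_filter(ham_corpus, spam_corpus=SPAM_CORPUS):
    f = BayesFilter()
    for text in spam_corpus:
        f.train(text, True)
    for text in ham_corpus:
        f.train(text, False)
    return f


ONCOLOGY_FILTER = build_filter(ONCOLOGY_HAM)
GENERIC_FILTER = build_filter(GENERIC_HAM)

# Constructed message: legitimate for the clinician, spam-looking to everyone else.
CLINIC_MAIL = "Breast cancer screening clinic schedule: click here to register"

if __name__ == "__main__":
    for name, f in (("oncology", ONCOLOGY_FILTER), ("generic", GENERIC_FILTER)):
        print(f"{name:9} P(spam)={f.spam_probability(CLINIC_MAIL):.2f}")
```

The clinician’s filter has seen “breast”, “screening” and “clinic” in ham and scores the message at roughly 0.26; the office worker’s filter, which has only seen “click here” in spam, scores the same message at roughly 0.90. Merging both corpora into one system-wide model would blur exactly the evidence that makes each user’s verdict correct.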
System Approaches to Minimize the Problem
• White lists/black lists.
  • Lists of addresses you always want to accept mail from and those you never want to accept. Developed over time as you add false positives to the white list and offenders to the black list.
  • There are both free and paid services that provide continuously updated Realtime Blackhole Lists (RBLs, also called DNSBLs), which list spam-friendly ISPs and open relays and are queried over DNS. These help you stay abreast of the ever-changing black lists.
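How an RBL/DNSBL query is actually formed and interpreted, as an added example that is not from the presentation. The zone name, the in-memory resolver table and the return-code meanings are constructed; real lists publish their own code tables and the meanings differ from list to list.

```python
"""DNSBL (RBL) lookup helper with an injectable resolver.

Added example, not from the presentation. The zone name, the fake resolver
table and the return-code meanings are constructed; real lists publish their
own code tables and the meanings differ between lists.
"""
import ipaddress

# Constructed meanings for the last octet of a 127.0.0.x answer. Real zones
# define their own; treat this table as an assumption to be replaced.
RETURN_CODES = {2: "spam source", 3: "open relay / proxy", 4: "dynamic or residential range"}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name to look up: the address reversed (octets for IPv4, all
    32 nibbles for IPv6) followed by the zone. Forgetting the reversal is the
    classic mistake and silently makes every lookup come back 'clean'."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(format(int(addr), "032x"))   # zero-padded hex nibbles
    return ".".join(reversed(labels)) + "." + zone


def check_dnsbl(ip: str, zone: str, resolve):
    """Query a DNSBL via resolve(name) -> list of A-record strings ([] if NXDOMAIN).

    Returns (status, detail): ('listed', reason), ('clean', None) or
    ('error', message). Any answer outside 127.0.0.0/8 is a broken or
    blocked lookup, not a listing, and must not be treated as one.
    """
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except Exception as exc:  # resolver failure: fail open, a DNSBL outage must not stop mail
        return ("error", f"lookup failed: {exc}")
    if not answers:
        return ("clean", None)
    reasons = []
    for a in answers:
        addr = ipaddress.ip_address(a)
        if addr not in ipaddress.ip_network("127.0.0.0/8"):
            return ("error", f"non-loopback answer {a}; zone defunct or query blocked")
        code = int(addr) & 0xFF
        reasons.append(RETURN_CODES.get(code, f"code {code}"))
    return ("listed", "; ".join(reasons))


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "10.2.0.192.dnsbl.example.net": ["127.0.0.2"],
    "5.113.0.203.dnsbl.example.net": ["127.0.0.3", "127.0.0.4"],
    "7.2.0.192.dnsbl.example.net": ["192.0.2.1"],   # a defunct zone answering with a real address
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5", "198.51.100.1", "192.0.2.7", "2001:db8::1"):
        print(ip, check_dnsbl(ip, "dnsbl.example.net", fake_resolve))
```

Two operational points are built in: a lookup failure or an out-of-range answer is reported as an error rather than a listing, because a zone that has been shut down and wildcarded would otherwise list the whole Internet; and the resolver is passed in, so the same code can be pointed at a local caching resolver in production.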
System Approaches to Minimize the Problem
• Challenge response.
  • When an email arrives from a sender for the first time, the sender receives an email with a simple question or a link to a web page where they must type in the characters shown in an image. Since a computer sending reams of spam can’t do this, its message is never delivered. Once the person has met the challenge, all subsequent emails from that sender go through (the challenge basically places them on your white list).
  • The challenge goes to whatever sender address the message carries, so forged senders (see Joe-jobbing below) receive challenges for mail they never sent, and legitimate automated mail (order confirmations, mailing lists) never answers.
  • Not practical for all businesses. B2B maybe, B2C doubtful.
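The exchange described above as a state machine, added here as an example and not code from the presentation. Sender addresses, messages and the token format are constructed; the challenge itself (question or image) is abstracted to a random token that the human sender must echo back.

```python
"""Challenge-response gate for first-time senders.

Added example, not from the presentation. Senders, messages and the token
scheme are constructed; the human-only part of the challenge is reduced to
echoing back a random token.
"""
import hmac
import secrets
from collections import defaultdict


class ChallengeResponseGate:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)
        self.pending = {}                 # sender -> outstanding challenge token
        self.held = defaultdict(list)     # sender -> messages waiting for a response
        self.delivered = []               # (sender, message) handed to the mailbox
        self.challenges_sent = []         # (sender, token): every challenge emitted

    def receive(self, sender, message):
        """Process one inbound message; returns 'delivered', 'challenged' or 'held'."""
        if sender in self.whitelist:
            self.delivered.append((sender, message))
            return "delivered"
        self.held[sender].append(message)
        if sender not in self.pending:
            token = secrets.token_urlsafe(16)
            self.pending[sender] = token
            # The challenge mail goes to `sender`. If that address is forged,
            # an innocent third party receives it (backscatter).
            self.challenges_sent.append((sender, token))
            return "challenged"
        return "held"                     # one outstanding challenge per sender

    def respond(self, sender, token):
        """The sender answered. On success, whitelist them and release held mail."""
        expected = self.pending.get(sender)
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del self.pending[sender]
        self.whitelist.add(sender)
        for message in self.held.pop(sender, []):
            self.delivered.append((sender, message))
        return True

    def expire(self, sender):
        """Give up on a sender that never answered (a bulk mailer, typically).

        Returns the discarded messages so they can be logged or quarantined."""
        self.pending.pop(sender, None)
        return self.held.pop(sender, [])


if __name__ == "__main__":
    gate = ChallengeResponseGate(whitelist={"alice@example.com"})
    print(gate.receive("alice@example.com", "hi"))            # delivered
    print(gate.receive("bob@example.net", "question"))        # challenged
    print(gate.receive("bob@example.net", "follow-up"))       # held
    sender, token = gate.challenges_sent[-1]
    print(gate.respond(sender, token), gate.delivered)        # True, bob's two mails released
    print(gate.receive("bulk@spam.example", "offer"))         # challenged, never answered
    print(gate.expire("bulk@spam.example"))                   # ['offer']
```

The `challenges_sent` list is the part worth watching in production: every entry is an outbound message to an address you have not verified, which is why a gate should be combined with the sender checks on the later slides rather than used alone.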
System Approaches to Minimize the Problem
• Spam protection services (e.g. Frontbridge, Singlefin).
  • Your email is routed through the service; they screen out the spam and deliver the other mail.
  • Any user who has had mail trapped is notified via email and given a way to review the message, confirm it is spam, or white list the sender and have it delivered.
  • Uses the best of most of the approaches discussed on the previous slides. Can check as many as 10,000 separate criteria for spam.
  • Gets you out of the spam prevention business.
  • Appears to be cost-effective.
  • Does require active participation at the user level, especially at the start of the program.
System Approaches to Minimize the Problem
• New approaches from email providers – Project Lumos
  • Rather than approaching the problem by trying to stop the spam, this approach tries to identify the good mail.
  • Microsoft, AOL, Yahoo and EarthLink are thought to be close to announcing a “trusted sender” system.
  • The idea is to remove the “impunity of anonymity” for bulk emailing. Relies on bulk emailers voluntarily adopting a set of technical standards for adding information to the header portion of the message.
  • The ISPs would then adjust their mail servers to block any mail sent in bulk that does not include the information.
System Approaches to Minimize the Problem
• New approaches from email providers – Project Lumos
  • To be certified, bulk emailers would have to abide by good-citizenship rules, such as providing easy ways for consumers to stop getting messages.
  • Also creates a scoring system that rates emailers on the number of complaints; too many and they are turned off.
  • Uncertified mailers are automatically blocked at the ISP.
  • Makes it relatively easy to tell who is playing by the rules and who isn’t.
System Approaches to Minimize the Problem
• New approaches from email providers – Sender Permitted From (SPF)
  • Seeks to stop spammers from hiding behind fictitious Internet addresses or forging the addresses of others (“Joe-jobbing”).
  • Joe-jobbing is widespread and troublesome because the only thing ISPs can do is turn off the account being Joe-jobbed, even though that isn’t the spammer.
  • Under this system, companies that operate outgoing mail servers would electronically “publish” (in DNS) the addresses of all machines authorized to send mail for their domain.
System Approaches to Minimize the Problem
• New approaches from email providers – Sender Permitted From (SPF)
  • When mail comes in, the sending machine’s address is checked against the list published for the sender’s domain to see if it matches (aol.com email would have to come from AOL’s servers, for instance).
  • If the address is spoofed, the email is blocked (or only marked, if the published policy is a soft one).
  • If an aol.com account holder is really spamming, they can be easily found.
  • The domain that is checked is the one in the SMTP envelope sender (MAIL FROM) and the HELO name, not the From: header the recipient sees. A spammer who uses his own domain in the envelope and a forged address in the From: header still passes SPF, so the check stops Joe-jobbing of the envelope address, not forgery of the visible sender.
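An SPF check as a receiving mail server would perform it, added here as an example and not code from the presentation. The `v=spf1` records are held in an in-memory table standing in for DNS TXT lookups; the domains, addresses and the unaligned-header case are constructed. Only the ip4, ip6, include and all mechanisms are implemented, which is enough to follow the two slides above; the a, mx and exists mechanisms and macros are left out.

```python
"""Sender Permitted From (SPF) check against published sender lists.

Added example, not from the presentation. DNS_TXT is a constructed in-memory
stand-in for DNS TXT lookups; domains and IPs are documentation ranges. Only
ip4, ip6, include and all are implemented (a, mx, exists, macros are not).
"""
import ipaddress

# Constructed SPF records keyed by domain (None = domain publishes no record).
DNS_TXT = {
    "example.com":           "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8:1::/48 -all",
    "softfail.example":      "v=spf1 ip4:203.0.113.5 ~all",
    "broken.example":        "v=spf1 include:nospf.example -all",
    "spammer.example":       "v=spf1 ip4:203.0.113.0/24 -all",
    "nospf.example":         None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # a bound on include recursion; the real limit is 10 DNS-querying terms


def check_spf(domain, sender_ip, txt=DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = txt.get(domain.lower())
    if not record:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                          # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        term = term.lower()
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            inner = check_spf(term[8:], sender_ip, txt, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):   # an included domain must publish a valid record
                return "permerror"
            # fail/softfail/neutral inside an include only means "no match here"
        else:
            return "permerror"                   # mechanism this example does not implement
    return "neutral"                             # record ended without a match


def authenticate(mail_from, header_from, sender_ip):
    """Apply SPF the way a receiving MTA does: to the envelope sender's domain.

    Also reports whether the visible From: header is in the same domain,
    because an SPF pass says nothing about the address the user sees.
    """
    env_domain = mail_from.rsplit("@", 1)[-1].lower()
    hdr_domain = header_from.rsplit("@", 1)[-1].lower()
    return {
        "spf_domain": env_domain,
        "spf": check_spf(env_domain, sender_ip),
        "header_from_aligned": env_domain == hdr_domain,
    }


if __name__ == "__main__":
    # Joe-job: someone forges bob@example.com from a host example.com never listed.
    print(authenticate("bob@example.com", "bob@example.com", "203.0.113.77"))
    # Same host, but the spammer uses his own domain in the envelope: SPF passes.
    print(authenticate("bounce@spammer.example", "ceo@example.com", "203.0.113.77"))
```

The second call in the demo is the caveat from the slide made concrete: the envelope domain spammer.example has published the sending host, so SPF passes even though the From: header claims example.com. A receiver that wants the check to protect the visible sender has to look at `header_from_aligned` as well.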
Individual Best Practices
• Don’t give your email address to organizations you don’t trust.
  • Read the terms of use.
  • Be sure you uncheck the boxes that okay sending you things.
  • Consider alternate email addresses for use online.
• Don’t respond to spam; it just validates your address.
• Report any spam you do get.
• Educate.
• Make sure your own system is properly configured and secured.
  • Keep your email clients patched and up to date.
  • Use a personal firewall.
  • Consider using mail client filtering; most clients have something built in.