Archives ||About Us || Advertise || Feedback || Subscribe-
-
Issue of May 2004 
-

  -  
 
 Home > Vendor Voice
 Print Friendly Page ||  Email this story

Spam mail

Slamming that Spam

If there's one thing your business doesn't need, it's Spam. It can affect productivity and erode profitability. But there are a range of anti-spam products and services to contain spam. by Peter Theobald

Spam is annoying and a menace of growing proportions. Everyone detests scrolling through an endless list of new messages, especially when most of these are unsolicited, and certainly not related to one's business. So how does one cope with this problem?

Spam means loss in productivity, though the loss cannot be accurately quantified in monetary terms. Let's take a hypothetical example and arrive at a ballpark. Consider a small company with 100 employees. Assume that, on average, each spends 10 minutes a day identifying and deleting spam (it's usually more). That's 1,000 minutes (16.5 man-hours) a day, or two man-months every month. At an average salary of Rs 15,000 a month, that works out to Rs 30,000 a month on manpower costs alone!

Factor in related costs (see table) and you'll discover that spam can eat away as much as Rs 5 lakh a year from your bottomline—that's Rs 5,000 per employee per year. That figure does not take into consideration hindrances like network congestion, choking of other important traffic, opportunity cost of lost time, virus problems introduced by spam etc. All in all, spam has become a problem no IT-savvy company can afford to ignore.

There are no clear-cut statistics on spam available, but estimates range between 10-25 percent of all e-mail traffic. Based on the content of an average user's mailbox, it could be as high as 50 percent, perhaps more. So why is there such a proliferation of spam?

It has much to do with marketing cost. From a spam marketer's point of view, the cost per contact using spam seems to be a lot lower than all other direct marketing methods. It costs very little to send out 1,000,000 (10 lakh) e-mails, and even if you take a response rate of one-hundredth of one percent, you still have 1,000 inquiries!

Curbing Spam

How then does one handle spam? One approach is the legal route, which has been tried in Europe. In the US an act has just been passed (S.877 / HR 2214), which is more popularly known as the “CAN-SPAM Act of 2003.” It attempts to regulate rather than ban spam outright.

But to be really effective, the effort to combat spam has to happen at multiple levels. At the ISP level, blacklisting IP ranges used by notorious spam operators—such as those listed in ROKSO (Register of Known Spam Operators)—is a good start.

At the corporate level, there are several things the mail/system administrator can do. He can stop his server from being used as an open mail relay by third-parties; he can enable automated checking of real-time black lists (from www.spamhaus.org), and install some anti-spam solution.

At the end-user level, common-sense safe computing practices can reduce the amount of spam you receive.

Anti-spam technologies

The signature based approach checks mail against a database of spam signatures and then acts against those that match. The earliest anti-spam technologies involved blocking certain e-mail addresses and/or domains. But this quickly became unviable as spammers kept changing or faking the source of their mails each time. This has evolved into blocking IP addresses used by spam operators. Spammers overcome this problem by either rotating their IPs or routing their mail through third-party IP's, by exploiting loopholes on their systems.

Now spam signatures include those of compromised public servers as well. This is basically a high-tech variation of the cat-and-mouse game.

A content-based approach tries to classify spam based on content. E-mails with subject lines and/or content like “Viagra” or “Lose weight” are tagged as spam. Spammers quickly found ways around this by spelling words differently (e.g. “V I a g r a” or “V1agra” or V*I*A*G*R*A etc), or by embedding HTML code or images inside the content. Another problem with this approach is that some companies (especially in verticals like healthcare and legal) cannot use these filters since they have genuine mails using these words. A lot of effort also goes into creating, modifying and fine-tuning these rules.

A heuristic-based approach tries to determine if a mail is spam based on an analysis of its characteristics at packet level and comparing it with prior analysis of earlier received spam mail. The Bayesian filter is a variation of this which involves doing a statistical analysis of a large body of spam mail and then using information derived from this to classify mail as spam.

Another new anti-spam approach includes attempting to recognize all the “click me” links (URL's) and “call me” phone numbers in spam messages. This is in some ways similar to current anti-virus technology, but requires that the spam tables (databases) be updated every few minutes to catch the latest spam campaigns. There are other methods like dropping mails except those of pre-approved senders, hash signatures, scoring a mail on spam characteristics.

Evaluating anti-spam solutions

A variety of anti-spam solutions are available in the market. The two broad categories are Products and Managed Services. Products are either perimeter based or desktop based. Perimeter based products involve installing some hardware or software on your network at its boundary—which intercepts all mail, cleans it of spam and then forwards it to your users. Desktop based products classify and segregate spam on the desktop. Managed Services on the other hand involve outsourcing your spam control to a third-party.

The advantage with a product is that you have full control over the anti-spam process. But it comes at a higher price and does not save bandwidth and storage costs—since all mail is downloaded to your organization anyway, before being handled. A service deals with the problem at source, so that only acceptable mail enters your organization. This results in higher cost savings (no investment in hardware or software; savings on bandwidth, and typically lower price points). But it involves routing your mail through one more hop, so latency and privacy issues do crop up. In general, large organizations prefer products while small and medium ones opt for services.

Each solution has its own pros and cons—evaluate them carefully. A common problem faced is the trade-off between accuracy and false positives. The accuracy of an anti-spam solution is determined by the percentage of spam mail it identifies. Any good anti-spam solution should net at least 90 percent of all spam. However, if the system is configured to be more sensitive, then more false positive are reported. False positives refers to the probability that a good mail gets marked as spam.

False positives are bad news for any business, since even genuine mail is lost as it has been classified as spam. A high false positive rate also means more wasted man-hours spent going through the spam mail folder every day, hunting for any mail wrongly identified as spam.

Look for a false positive rate of at least 1 in 1000 (0.1%) or better. That means the solution should deliver at least 99.99% of your good e-mails, losing at the most 0.01% of them.

Another key factor is the amount of change that has to be made to your mailing system to integrate the anti-spam solution. Look for a solution with a small footprint. Changes should be as high up in the hierarchy as possible. In particular, avoid a system that requires your end-users to change the way they have to check and send their mail.

A good anti-spam solution should have multiple levels of spam checking, using many or all of the technologies listed above. The solution should also have a “learning” module that enables it to improve its accuracy with time. This is normally achieved with a feedback mechanism, where you forward spam mail, missed by the system, back to it. It then analyzes the spam and tries to block similar ones in the future.

Ability to create personal blacklists and whitelists is also very important. The anti-spam solution should cater for easy creation and modification of these lists.

It is not possible to solve the anti-spam problem with 100 percent efficiency. Some spam always gets through. What you have to guard against is that the solution you go in for is not worse than the problem. This could well be the case if you lose good mail, or spend time, effort and energy in implementing, monitoring, fine-tuning and training users on the anti-spam solution. It then becomes an anti-spam problem rather than a spam problem!

The writer is CEO of IT Secure, a leading security solutions firm.

He can be reached at petert@itsecure.com

What end-users can do to reduce spam
  • If possible, use fake e-mail addresses at websites that prompt you to "Register to proceed"
  • Create a "throwaway" e-mail ID using a free e-mail service. Use this ID when surfing the Net, rather than your regular business ID.
  • Guard your mail ID - do not give it away to those whom you do not trust. Read the privacy policy of websites before giving them your mail ID.
  • Avoid posting your business mail ID on websites, chat rooms, e-newsletters, newsgroups, contact lists etc. Programs called mail harvesters crawl the Web "harvesting" mail IDs from such sources and putting these into spammers databases.
  • Never reply to spam - or try to unsubscribe following instructions in the spam mail. If you do so it confirms to the spammer that your mail ID is genuine. It is an invitation for more spam.
  • Never open spam mail - if it contains HTML code, it could again confirm to the spammer that you exist and are open to more spam.
  • When purchasing products on the Web, you are usually asked if you want to be notified of additional products and services. Opt-out of these where not necessary.
 
     
- <Back to Top>-  

Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.