Slamming that Spam
If there's one thing your business doesn't need, it's Spam.
It can affect productivity and erode profitability. But there is a range of
anti-spam products and services to contain spam.
by Peter Theobald
Spam is annoying and a menace of growing proportions. Everyone
detests scrolling through an endless list of new messages, especially when most
of these are unsolicited, and certainly not related to one's business. So how
does one cope with this problem?
Spam means loss in productivity, though the loss cannot
be accurately quantified in monetary terms. Let's take a hypothetical example
and arrive at a ballpark. Consider a small company with 100 employees. Assume
that, on average, each spends 10 minutes a day identifying and deleting spam
(it's usually more). That's 1,000 minutes (16.5 man-hours) a day, or two man-months
every month. At an average salary of Rs 15,000 a month, that works out to Rs
30,000 a month on manpower costs alone!
Factor in related costs (see table) and you'll discover
that spam can eat away as much as Rs 5 lakh a year from your bottom line - that's
Rs 5,000 per employee per year. That figure does not take into consideration
hindrances like network congestion, choking of other important traffic, opportunity
cost of lost time, virus problems introduced by spam etc. All in all, spam has
become a problem no IT-savvy company can afford to ignore.
There are no clear-cut statistics on spam available, but
estimates range between 10-25 percent of all e-mail traffic. Based on the content
of an average user's mailbox, it could be as high as 50 percent, perhaps more.
So why is there such a proliferation of spam?
It has much to do with marketing cost. From a spam marketer's point of view,
the cost per contact using spam seems to be a lot lower than all other direct
marketing methods. It costs very little to send out 1,000,000 (10 lakh) e-mails,
and even if you take a response rate of one-hundredth of one percent, you still
have 1,000 inquiries!
How then does one handle spam? One approach is the legal
route, which has been tried in Europe. In the US an act has just been passed
(S.877 / HR 2214), which is more popularly known as the CAN-SPAM Act of
2003. It attempts to regulate rather than ban spam outright.
But to be really effective, the effort to combat spam has
to happen at multiple levels. At the ISP level, blacklisting IP ranges used
by notorious spam operators - such as those listed in ROKSO (Register of
Known Spam Operators) - is a good start.
At the corporate level, there are several things the mail/system
administrator can do. He can stop his server from being used as an open mail
relay by third parties; he can enable automated checking of real-time black
lists (from www.spamhaus.org), and install an anti-spam solution.
At the end-user level, common-sense safe computing practices
can reduce the amount of spam you receive.
The signature-based approach checks mail against a database
of spam signatures and then acts against those that match. The earliest anti-spam
technologies involved blocking certain e-mail addresses and/or domains. But
this quickly became unviable as spammers kept changing or faking the source
of their mails each time. This has evolved into blocking IP addresses used by
spam operators. Spammers overcome this problem by either rotating their IPs
or routing their mail through third-party IPs, by exploiting loopholes on their
Now spam signatures include those of compromised public
servers as well. This is basically a high-tech variation of the cat-and-mouse
A content-based approach tries to classify spam based on
content. E-mails with subject lines and/or content like "Viagra" or
"Lose weight" are tagged as spam. Spammers quickly found ways around
this by spelling words differently (e.g. "V I a g r a" or "V1agra"
or "V*I*A*G*R*A" etc), or by embedding HTML code or images inside the content.
Another problem with this approach is that some companies (especially in verticals
like healthcare and legal) cannot use these filters since they have genuine
mails using these words. A lot of effort also goes into creating, modifying
and fine-tuning these rules.
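The content-based check described above, hardened against the spelling tricks the article lists, as an added example that is not part of the original article. The look-alike map, the function names and the per-site allow list (for verticals such as healthcare) are assumptions made for illustration.

```python
import re
import unicodedata

BLOCKED_TERMS = {"viagra", "lose weight"}      # the article's two examples
# Assumed look-alike map (hypothetical, extend per site): digit/symbol -> letter.
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a"})
HTML_TAG = re.compile(r"<[^>]+>")

def normalize(text):
    """Reduce a subject or body to lowercase letters and single spaces."""
    text = HTML_TAG.sub("", text)                  # V<b></b>iagra -> Viagra
    text = unicodedata.normalize("NFKD", text).lower()
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.translate(LOOKALIKES)              # v1agra -> viagra
    text = re.sub(r"[^a-z\s]", "", text)           # v*i*a*g*r*a -> viagra
    return re.sub(r"\s+", " ", text).strip()

def collapse_spaced_letters(text):
    """Join runs of single letters: 'v i a g r a now' -> 'viagra now'."""
    return re.sub(r"\b(?:[a-z] ){2,}[a-z]\b",
                  lambda m: m.group(0).replace(" ", ""), text)

def matched_terms(text, allow=frozenset()):
    """Return the blocked terms found after normalization.

    `allow` lists terms a site legitimately uses and does not want flagged.
    """
    norm = collapse_spaced_letters(normalize(text))
    active = BLOCKED_TERMS - set(allow)
    return sorted(t for t in active
                  if re.search(rf"\b{re.escape(t)}\b", norm))
```

Normalizing before matching keeps the rule list short, but the allow list is still a per-term switch: a site that allows "viagra" loses that rule entirely, which is the limitation the article describes.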
A heuristic-based approach tries to determine if a mail
is spam based on an analysis of its characteristics at packet level and comparing
it with prior analysis of earlier received spam mail. The Bayesian filter is
a variation of this which involves doing a statistical analysis of a large body
of spam mail and then using information derived from this to classify mail as
Another new anti-spam approach includes attempting to recognize
all the "click me" links (URLs) and "call me" phone numbers
in spam messages. This is in some ways similar to current anti-virus technology,
but requires that the spam tables (databases) be updated every few minutes to
catch the latest spam campaigns. There are other methods like dropping mails
except those of pre-approved senders, hash signatures, scoring a mail on spam
Evaluating anti-spam solutions
A variety of anti-spam solutions are available in the market.
The two broad categories are Products and Managed Services. Products are either
perimeter-based or desktop-based. Perimeter-based products involve installing
some hardware or software on your network at its boundary - which intercepts
all mail, cleans it of spam and then forwards it to your users. Desktop-based
products classify and segregate spam on the desktop. Managed Services on the
other hand involve outsourcing your spam control to a third-party.
The advantage with a product is that you have full control
over the anti-spam process. But it comes at a higher price and does not save
bandwidth and storage costs - since all mail is downloaded to your organization
anyway, before being handled. A service deals with the problem at source, so
that only acceptable mail enters your organization. This results in higher cost
savings (no investment in hardware or software; savings on bandwidth, and typically
lower price points). But it involves routing your mail through one more hop,
so latency and privacy issues do crop up. In general, large organizations prefer
products while small and medium ones opt for services.
Each solution has its own pros and cons - evaluate them
carefully. A common problem faced is the trade-off between accuracy and false
positives. The accuracy of an anti-spam solution is determined by the percentage
of spam mail it identifies. Any good anti-spam solution should net at least
90 percent of all spam. However, if the system is configured to be more sensitive,
then more false positives are reported. The false positive rate is the probability
that a good mail gets marked as spam.
False positives are bad news for any business, since even
genuine mail is lost as it has been classified as spam. A high false positive
rate also means more wasted man-hours spent going through the spam mail folder
every day, hunting for any mail wrongly identified as spam.
Look for a false positive rate of at least 1 in 1000 (0.1%)
or better. That means the solution should deliver at least 99.99% of your good
e-mails, losing at the most 0.01% of them.
Another key factor is the amount of change that has to
be made to your mailing system to integrate the anti-spam solution. Look for
a solution with a small footprint. Changes should be as high up in the hierarchy
as possible. In particular, avoid a system that requires your end-users to change
the way they have to check and send their mail.
A good anti-spam solution should have multiple levels of
spam checking, using many or all of the technologies listed above. The solution
should also have a learning module that enables it to improve its
accuracy with time. This is normally achieved with a feedback mechanism, where
you forward spam mail, missed by the system, back to it. It then analyzes the
spam and tries to block similar ones in the future.
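The Bayesian filter, the sensitivity versus false-positive trade-off and the feedback mechanism described above, combined in one added example that is not from the original article or any product. It assumes a naive Bayes model with add-one smoothing trained on both spam and good mail; the class, function names and sample mails are constructed for illustration.

```python
import math
import re
from collections import Counter

class BayesFilter:
    """Minimal naive Bayes spam scorer with add-one smoothing."""
    def __init__(self):
        self.tokens = {"spam": Counter(), "ham": Counter()}
        self.mails = {"spam": 0, "ham": 0}

    @staticmethod
    def tokenize(text):
        return set(re.findall(r"[a-z']+", text.lower()))

    def learn(self, text, label):
        """Train on one mail; forwarding missed spam back uses the same path."""
        self.mails[label] += 1
        self.tokens[label].update(self.tokenize(text))

    def spam_probability(self, text):
        vocab = len(set(self.tokens["spam"]) | set(self.tokens["ham"]))
        logp = {}
        for label in ("spam", "ham"):
            total = sum(self.tokens[label].values())
            logp[label] = math.log(self.mails[label] / sum(self.mails.values()))
            for tok in self.tokenize(text):
                logp[label] += math.log((self.tokens[label][tok] + 1) / (total + vocab))
        return 1 / (1 + math.exp(logp["ham"] - logp["spam"]))

# Constructed sample mail, not real traffic ("ham" = good mail).
TRAINING = [("cheap pills buy now", "spam"), ("lose weight fast buy now", "spam"),
            ("win money now click here", "spam"), ("meeting agenda for monday", "ham"),
            ("invoice for the project attached", "ham"),
            ("please review the project report", "ham")]
HELD_OUT = [("buy cheap pills", "spam"), ("review the offer click here", "spam"),
            ("project meeting monday", "ham"), ("please buy the project report now", "ham")]

def trained_filter():
    flt = BayesFilter()
    for text, label in TRAINING:
        flt.learn(text, label)
    return flt

def rates(flt, labelled, threshold):
    """Return (share of spam caught, share of good mail wrongly flagged)."""
    flags = [(label, flt.spam_probability(text) >= threshold) for text, label in labelled]
    spam = [hit for label, hit in flags if label == "spam"]
    ham = [hit for label, hit in flags if label == "ham"]
    return sum(spam) / len(spam), sum(ham) / len(ham)
```

On the held-out mails, `rates(trained_filter(), HELD_OUT, 0.6)` catches half the spam with no false positives, while the more sensitive threshold 0.2 catches all of it but flags half the good mail. Feeding a missed spam back with `learn("special offer click here", "spam")` lets the 0.6 threshold catch both spam mails without flagging good mail.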
The ability to create personal blacklists and whitelists is
also very important. The anti-spam solution should cater for easy creation and
modification of these lists.
It is not possible to solve the anti-spam problem with
100 percent efficiency. Some spam always gets through. What you have to guard
against is that the solution you go in for is not worse than the problem. This
could well be the case if you lose good mail, or spend time, effort and energy
in implementing, monitoring, fine-tuning and training users on the anti-spam
solution. It then becomes an anti-spam problem rather than a spam problem!
The writer is CEO of IT Secure, a leading security solutions
He can be reached at firstname.lastname@example.org
What end-users can do to reduce spam
- If possible, use fake e-mail addresses at websites that prompt you
to "Register to proceed"
- Create a "throwaway" e-mail ID using a
free e-mail service. Use this ID when surfing the Net, rather than your
regular business ID.
- Guard your mail ID - do not give it away to those
them your mail ID.
- Avoid posting your business mail ID on websites,
chat rooms, e-newsletters, newsgroups, contact lists etc. Programs called
mail harvesters crawl the Web "harvesting" mail IDs from such
sources and putting these into spammers' databases.
- Never reply to spam - or try to unsubscribe following
instructions in the spam mail. If you do so it confirms to the spammer
that your mail ID is genuine. It is an invitation for more spam.
- Never open spam mail - if it contains HTML code,
it could again confirm to the spammer that you exist and are open to
- When purchasing products on the Web, you are usually
asked if you want to be notified of additional products and services.
Opt out of these where not necessary.