Let's face it – spam is becoming a serious problem. Just a year or two ago, it was a minor nuisance. I'd estimate that, in 1999, about 5-10% of the e-mail I received at my business and personal accounts was spam. This year, I'd place that figure at somewhere around 60-70%. Studies conducted by anti-spam companies confirm this figure, estimating that spam traffic might actually exceed legitimate e-mail in 2003. The concern doesn't even take into account that spam is often the delivery method for a host of viruses and Trojan horses. The potential cost to an organization in computing resources and lost manpower could be astronomical.
According to industry analysts, preventing spam is often being delegated to the security administrator. So, what is a security admin to do?
There are a few proactive measures that you can take to limit the impact that spam has on your organization. Let's take a look at four in particular:
- Perform reverse DNS lookups. The computing industry recognizes that spammers are bad. Most Internet Service Providers prohibit the transmission of spam in their acceptable usage agreements and will terminate the account of anyone who repeatedly breaks that agreement. Therefore, spammers take steps to hide their identities, such as using false IP addresses. Most modern e-mail servers allow you to automatically perform reverse DNS lookups to match IP addresses to domain names and reject traffic where this match fails.
- Use a black-hole list. A number of organizations, including the Mail Abuse Prevention System and the Composite Blocking List maintain lists of hosts that are known senders of spam. You may wish to use one of these "black lists" to filter out suspected spam. To achieve optimal results, you might want to conduct this filtering at the network perimeter to reduce the load spam places on your e-mail infrastructure. Alternatively, you could use a white list that contains a list of authorized senders, but that strategy didn't work out so well for AT&T.
- Conduct spam filtering at the server. There are a number of spam filtering packages available that work at the server level. These programs use varying algorithms to determine whether inbound traffic is spam and allow you to perform a variety of actions on it – ranging from simply ignoring it to flagging it for user action.
- Conduct spam filtering at the client level. If you're not willing to place the "what's spam, what's not?" decision at the server level, you might want to consider deploying individual spam filters at the client level for those users most impacted by spam. I've been using CloudMark SpamNet for some time now and have found it extremely effective with a very low false positive rate.
Unfortunately, there's no foolproof solution to the spam problem. It's the classic vicious cycle problem – as anti-spammers develop new technologies to defeat spam, spammers simply develop more clever solutions designed to defeat those technologies. However, if you take these basic steps, you'll be able to provide some level of filtering, reduce the overall burden on your network and users and, hopefully, increase the security of your network.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.
