It's amazing how enterprise spam filters work: an email is checked for legitimacy many times before it arrives at its destination. The sending mail server checks that you're allowed to relay through its service and usually also watches whether the message is one of a suspiciously large batch, which may indicate that you're spamming. The receiving mail server then checks a variety of properties before it allows the message into the recipient's mailbox: is the sender's email address or IP address on a blacklist, and are the subject and content indicative of spam?
Mail filters block emails based on matching keywords and expressions as well as on statistical analysis, such as a naive Bayes classifier, to estimate whether an email is spam. Bayesian spam filtering can even be trained on a per-user basis, learning what a user's typical emails contain. Image filtering is used to detect skin tones and specific body shapes (normally associated with pornographic images), and Gmail also performs optical character recognition on mid- to large-sized images. When an email is downloaded by your email client, the client applies its own filters too, both those it configures automatically and those the user sets up by hand. Yet despite all these layers, we all still receive varying amounts of spam.
Spammers use various techniques to avoid these filters. They reduce the effectiveness of Bayesian spam filtering by padding a message with large amounts of legitimate-looking text, which lowers its spam score, the number most spam analysis programs assign to each message based on how spam-like its characteristics are. Text can also be replaced by images or drawn as ASCII art from rows of Xs so that keyword matching sees nothing suspicious. Although blacklists are of some help, they take a lot of effort to maintain: spammers send from hundreds of thousands of compromised machines, so the list is always playing catch-up. Whitelists, on the other hand, tend to be too restrictive, often blocking genuine inquiries or emails from new contacts.
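The two filtering layers and the evasion described above can be shown side by side. The following is an added example, not code from the article or from any vendor's product: a small multinomial naive Bayes classifier with add-one smoothing, trained on a constructed corpus of a few spam and ham messages, plus a couple of illustrative keyword rules. It scores a short spam pitch, then scores the same pitch padded with innocuous business text (Bayesian poisoning) to show the statistical score collapsing while the keyword layer still fires. Corpus, messages and rule names are all assumptions made up for the demonstration.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokenize(text):
    """Lowercase word tokens; deliberately crude, real filters also look at headers."""
    return TOKEN_RE.findall(text.lower())


def _sigmoid(x):
    """Numerically stable logistic function: maps log-odds to a probability."""
    if x >= 0:
        return 1.0 / (1.0 + math.exp(-x))
    z = math.exp(x)
    return z / (1.0 + z)


class NaiveBayesSpamFilter:
    """Multinomial naive Bayes over word counts with add-one (Laplace) smoothing."""

    def __init__(self):
        self.spam_words = Counter()
        self.ham_words = Counter()
        self.spam_msgs = 0
        self.ham_msgs = 0

    def train(self, text, is_spam):
        if is_spam:
            self.spam_words.update(tokenize(text))
            self.spam_msgs += 1
        else:
            self.ham_words.update(tokenize(text))
            self.ham_msgs += 1

    def spam_probability(self, text):
        """P(spam | message), computed in log space so long messages don't underflow."""
        vocab_size = len(set(self.spam_words) | set(self.ham_words))
        spam_total = sum(self.spam_words.values())
        ham_total = sum(self.ham_words.values())
        total_msgs = self.spam_msgs + self.ham_msgs
        log_spam = math.log(self.spam_msgs / total_msgs)
        log_ham = math.log(self.ham_msgs / total_msgs)
        for word in tokenize(text):
            # +1 smoothing so a word seen in only one class cannot zero out the other
            log_spam += math.log((self.spam_words[word] + 1) / (spam_total + vocab_size))
            log_ham += math.log((self.ham_words[word] + 1) / (ham_total + vocab_size))
        return _sigmoid(log_spam - log_ham)


# Keyword/expression layer of the kind the article describes next to the
# statistical one. Patterns are illustrative assumptions, not a vendor rule set.
KEYWORD_RULES = {
    "free_prize": re.compile(r"\bfree\b.*\bprize\b", re.I | re.S),
    "click_claim": re.compile(r"\bclick here\b.*\bclaim\b", re.I | re.S),
    "cheap_meds": re.compile(r"\bcheap meds\b", re.I),
}


def keyword_rule_hits(text):
    """Names of the keyword rules that match, in sorted order."""
    return sorted(name for name, rx in KEYWORD_RULES.items() if rx.search(text))


# Constructed training corpus (not real mail). A production filter learns from
# thousands of messages, often per user.
SPAM_CORPUS = [
    "WIN a FREE prize now! Click here to claim your cash prize",
    "Cheap meds online, free shipping, buy now",
    "You have won $1000000 cash, click here now",
    "free free free prize cash money click",
]
HAM_CORPUS = [
    "Can we move the project meeting to Thursday? The budget report is attached",
    "Thanks for the meeting notes, I will review the project schedule",
    "Please see the attached invoice for the server maintenance contract",
    "Reminder: quarterly security review meeting on Thursday",
]


def build_filter():
    nb = NaiveBayesSpamFilter()
    for msg in SPAM_CORPUS:
        nb.train(msg, is_spam=True)
    for msg in HAM_CORPUS:
        nb.train(msg, is_spam=False)
    return nb


SPAM_MESSAGE = "Click here to claim your FREE cash prize now"

# Bayesian poisoning: the same pitch padded with innocuous business text.
HAM_PADDING = (
    "The project meeting is on Thursday. The budget report is attached, please "
    "review the schedule for the quarterly security review meeting. The notes are attached."
)
POISONED_MESSAGE = SPAM_MESSAGE + "\n\n" + " ".join([HAM_PADDING] * 3)


def demo():
    """Score the clean and poisoned pitch with both layers."""
    nb = build_filter()
    return {
        "clean_score": nb.spam_probability(SPAM_MESSAGE),
        "poisoned_score": nb.spam_probability(POISONED_MESSAGE),
        "clean_rules": keyword_rule_hits(SPAM_MESSAGE),
        "poisoned_rules": keyword_rule_hits(POISONED_MESSAGE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, it prints a near-1.0 spam probability for the clean pitch and a near-0 one for the padded version, while both keyword rules still match either way. The naive Bayes score moves so far because every padded word was only ever seen in ham; a spammer who harvests genuine business prose gets exactly that effect against an unaware per-user model, which is why the article's layered approach (keywords, statistics, image analysis, reputation) matters more than any single technique.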
Despite numerous laws and regulations restricting or outlawing spam, it still remains economically viable for spammers as they have no real costs, illegally using the resources of ISPs for free. While spam remains profitable, the industry will continue to spawn ingenious methods for getting through the filters and checks aimed to stop them.
The role of catching the majority of malicious spam, that is, spam associated with malware or fraud of some kind, has fallen to the major ISPs and email service providers, as they have the resources and control over traffic to intervene. Spam throttling, whereby the bandwidth and resources assigned to processing suspected spam are sharply curtailed, has a direct effect on a spammer's operations. Making spam unprofitable is the most effective lever for reducing the scale of the problem. But prevention can only go so far: one man's spam is another's important message.
Despite their limitations, organizations still need to run gateway-based email filtering software; otherwise, the flood of spam would truly swamp their users. Gateway-based filters include a quarantine option, which can reduce both the distraction caused by spam and the chances that a genuine email is lost. Users should be trained to mark unwanted email as spam instead of just deleting it. This will allow their mail client to treat similar emails as spam in the future. For smaller organizations, one option is to forward all emails to corresponding Gmail accounts to take advantage of the Gmail filters.
Sadly, the killer app for beating spam has yet to be invented. Although antispam vendors are usually quick to adopt new approaches for fighting spam, lately they have tended to be variations on familiar themes. Spam is going to be with us in the future, so one of the best ways to tackle it is for every organization to ensure their computers have not been compromised to send more spam. A Microsoft report last year put the U.S. as the biggest host of zombie or compromised computers in the world, and some are enterprise endpoints.
Many organizations fall short in preventing spam or unauthorized content from leaving their own network, and the fines and consequences for data breaches can be worse than the unwanted email. This is an area that shouldn't be overlooked in the battle to control spam.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.