Staunching spam

An IT pro talks about the tricks spammers use to evade anti-spam filters and recommends countermeasures.

Anti-spam systems can help reduce the onslaught of unwanted e-mail, but wily spammers are a step ahead with new tricks for evading filtering software and devices. Network World recently asked its own senior network engineer, Peter Hebenstreit, for insight into what IT executives can do to keep spam out of corporate in-boxes.

How do spammers get past the systems most companies have employed to stop spam?

There is a way around most every method of blocking spam - at least today - and, sadly, many companies don't, or won't, employ the resources required to block spam. If you do try to block, here are some of the ways that spammers get past basic filters: The first is HTML comment fields. By breaking up the content of the e-mail into what appears as gibberish to the human eye, an HTML message can sneak through filters with no problems and still deliver their message to your users.

Take a common example: e-mail regarding the sale of Viagra. We all block on the word Viagra, but if in the HTML source is <!--xyzx-->v<!--xyad23-->i<!--acijadf-->a<!--kljadf-->g<!--90234-->r<!--234jkaljds-->a<!--asdfjea-->, a basic program is not going to realize that this source will display the word Viagra.

The other primary way they bypass basic filters is to create a message with a .jpg or .gif image with text embedded in the image, rather than including text. I see this most often in pornography and insurance offers. Basic content filtering does not work in this case. The latest revisions of most anti-spam software are capable of looking for these characteristics within e-mail messages, whereas older filters looked strictly at text content. There are also applications that use advanced algorithms that go deeper into the e-mail to track the patterns of spam, and hopefully learn or update themselves as spam is received by corporate mail gateways. And further, there are applications that can take a snapshot of spam and look for identical or similar e-mails and stop them.

An almost-surefire way to avoid spam, or at least make it very easy for an anti-spam application to catch, would be to only accept text messages, but that is usually unrealistic in today's e-mail communication. It would not eliminate the problem, but spam could be flagged more easily by even the lowest level anti-spam application.

What are the most common mistakes companies make that make it easier for spammers to plague them?

Outside of distributing e-mail addresses so that spammers' lists get larger, it's an issue of training users on how to deal with spam. Once a user legitimizes his e-mail address there is no hope to ever get off spam lists. There is no avoiding spam, there is only a course of action to take once you receive it: You can hit the delete key, or you can report the supposed sender to their ISP. Both are extremely costly, both on the network appliances and the time employees spend dealing with it.

Also, companies need to utilize some type of anti-spam software. Blacklists are not enough to stop spam because there are ways around them. Out of the box, products with almost no administration easily can stop 70% of spam these days. Although you have to pay for the software, most anyone can justify the investment by the cost-savings.

How do you envision spamming techniques evolving?

Spammers will react to the techniques anti-spam vendors take to block them. Short of trying to beat these systems with content-type alterations to the e-mail, spammers also try to send mail directly to systems that are on the back-end of the network and bypass the filters. This could fall under the category of mistakes made by companies, leaving these systems still accessible to the Internet, but there are some business case scenarios that require doing so.

There is also potential for spammers to find loopholes in the programs that would enable spoofing, or find their way onto whitelists instead of blacklists by including information that corporations have set aside as legitimate, and therefore have created rules to ensure the delivery of such e-mail. For instance, an insurance company is never going to block mail that contains the phrase "insurance quote." Spammers could put a tag in the HTML going to this firm that said "insurance quote" regardless of the actual content. Assuming spammers found another way around a heuristic checker, then there is no plausible way to block that mail from reaching the organization without very advanced filtering.

Spam continues to evolve in ways that we only know after it has been done. Just as in security technology, although many bugs are caught before a product ships, it's not until it reaches the mainstream that another slew of leaks and holes are found. There are a great deal of creative people, driven by a capitalist market that always will try to find a way around anything we put in place. You just need to be able to react quickly to their latest findings.

What can individual users do to prevent spam from clogging up mailboxes?

Users need to be trained on and aware of how to deal with spam. Companies need to publish standardized policies on how to handle spam. Change your e-mail addresses and start fresh. Don't subscribe to anything you don't truly need. Use a separate account for your newsletters, online purchases and any other Web site/form that requires you to enter your e-mail address. Never click on any hyperlink within a piece of spam. Avoid using a preview pane in your e-mail client. And don't bother unsubscribing to anything that is not 100% legitimate.

These really are the only ways I see to limit the amount of e-mail without implementing a filter, either desktop- or server-based.

What can network executives do to minimize spam in a corporate setting?

Implement a strict corporate e-mail policy that for starters allows the application to be a bit more stringent in e-mail-checking. This is going a bit overboard, but if you had a policy that employees could not swear in e-mail, then you would be able stop any e-mail that contained any type of vulgar or explicit comment. Harmless personal e-mails between friends and colleagues create the highest rate of false positives in spam filters, short of newsletters. This increases administration costs of any anti-spam product a great deal.

Next, implement a spam filter technology that is not only good today, but also shows growth and improvement through vendor willingness to adapt their technology and filters as the environment changes.

Some anti-spam firms rely solely on one type of engine to stop spam. Get one that uses five, 10 or unlimited, and let the corporate e-mail administrators determine which ones they wish to use, as only they know the type of e-mail traffic the end users need to see on a daily basis.

What things are IT pros doing to prevent spam that simply don't work and are a waste of time?

Finding something that works effectively and efficiently is key. There are plenty of things that work, but their cost in time and money is far too high. Simple content checking, which is what we used to use, worked to some degree but at a high cost. There are smarter applications available today, and they should be used.

Ignoring this problem also will not help. Hoping that legislation is going stop or even slow down spam is nothing more than wishful thinking.

Learn more about this topic

Buyer's Guide: Anti-spam products

We test 16 anti-spam products in a real-world net. Network World, 09/15/03.

Gearhead on spam

Mark Gibbs provides a spreadsheet to help you calculate the cost of spam to your enterprise. Network World, 09/15/03.

Insider Shootout: Best security tools for small business
Join the discussion
Be the first to comment on this article. Our Commenting Policies