Fighting spam the old-fashioned way

News Analysis
Dec 15, 2003 · 6 mins
Enterprise Applications, Malware

Supplement technology with policies and practices that help curtail unwanted e-mail.

While trying to deflect the barrage of spam that hits corporate in-boxes on a daily basis is a task best left to technology, there are some basic guidelines IT managers can set for their users to help cut down on the amount of unwanted e-mail a company receives.

Analysts and corporate managers agree that attempting to stop spam without the proper software, appliances or services is just too daunting a job for mere humans. However, many companies are reluctant to install spam filters for fear the technology mistakenly will quarantine or delete crucial e-mails, resulting in frustrated users and perhaps missed business. Only about 30% of companies today have anti-spam technology in place, says Sara Radicati, analyst with The Radicati Group, and that’s in large part because of the fear of false positives.

Technology aside, IT managers can take steps to reduce spam, ranging from basic end-user education to setting company-wide policies regarding how an employee’s computer and corporate e-mail address are used. And because no anti-spam product can block every piece of spam that enters an organization’s network, even companies that use spam filters can benefit from a few simple policies to help users deal with the unwanted e-mail they still receive.

Establishing written Internet-usage policies – including e-mail guidelines – should be a priority in any IT organization, says Jason Sosinski, IS security administrator with ARS Service Express, a heating and cooling services company headquartered in Memphis, Tenn.

“The actual act of writing a policy is necessary . . . without it, when you need to inform an employee of their inappropriate behavior and/or terminate their employment based on their Internet usage, you will have no grounds to stand on,” Sosinski says.

Such e-mail policies “are really very important components [in the fight against spam]. In the past, users have been a bit too casual with their Internet use,” Radicati says. However, she warns managers to tread carefully when trying to establish hard-and-fast rules regarding e-mail. “It’s a very difficult, gray area. Maybe someone’s getting an e-mail about airline discounts that once in a while might be useful for a business trip. However, it is legitimate to make employees aware they should use their computers and work time for business-related activities,” she says.

Increased vigilance

At Allen Matkins law firm in Los Angeles, fighting spam has on occasion been the topic of monthly training sessions the IT department holds with its 500 users. Even though the company uses FrontBridge Technologies’ anti-spam service, director of technology Frank Gillman wants employees to know how to deal with the few spam messages that make it through to their in-boxes and address questions users might have regarding their home computers. “We’ve done training sessions on spam [to tell users] why they are getting those messages,” Gillman says.

Users at Allen Matkins are instructed to forward any spam they receive to the Federal Trade Commission’s e-mail address for reporting unwanted e-mail. “Users always seem to feel better about that. They feel like they are being proactive” in helping fight spam, Gillman says.

The law firm also uses content-filtering software from WebSense to prevent employees from visiting Web sites featuring adult content while at work. “It’s really more part of our sexual harassment policy; if we’re going to promote a healthy workplace, then we should put controls in that eliminate that content,” Gillman says.

Some experts say limiting the types of Web sites that employees can visit helps cut down on the amount of spam a company receives by reducing how often users might enter their e-mail addresses to receive newsletters or other mailings. That limits the availability of their e-mail addresses to spammers. Gillman says his firm hasn’t analyzed whether or not blocking employee access to adult sites has had that effect, but adds it’s another good reason to limit users’ Web surfing.

Educating users about the tricks that spammers employ can help prevent spam from spreading through an organization, says Tony Falzon, director of research and Internet services at Wayne State University’s computing and IT department in Detroit. Wayne State uses Mirapoint’s anti-spam software to protect its 55,000 e-mail users, but Falzon’s department still sends out periodic bulletins to its users informing them of spam and virus tricks.

Most e-mail users already know not to respond to obviously fraudulent solicitations, such as get-rich-quick schemes or pleas to send account information to a Nigerian bank.

But what many users don’t know is that when they attempt to remove themselves from an e-mail list by hitting a “remove me” link embedded in a spam message, the request is often ignored and their e-mail address is automatically added to additional spam lists, Falzon says.

While reputable businesses will respect a recipient’s “remove me” request, users should be sure they’re responding to a mailing they requested in the first place. “If the e-mail comes from a sender you don’t know, never, ever respond,” Falzon says.

In theory, e-mail users should soon see a reduction in the amount of unwanted commercial messages flooding their in-boxes, thanks to the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act that Congress passed earlier this month. The bill, which President Bush is expected to sign into law before year-end, takes an opt-out approach, meaning businesses can send unsolicited commercial e-mail as long as each message includes a mechanism for recipients to request not to receive more.

Simple but smart

Implementing these basic policies can help cut down on spam.
Establish written guidelines for how corporate e-mail addresses and Web browsers are to be used by employees.
Educate users to never respond to an e-mail when the sender is unknown, even to remove themselves from a mailing.
Encode corporate e-mail addresses posted on company Web sites in Javascript or HTML to hinder a spider’s ability to recognize them.
Even if you’re using anti-spam software, urge users to report spam that sneaks through to a corporate e-mail address for further analysis, or to the Federal Trade Commission.

Through the opt-out mechanism, e-mail users will be able to take their names off of mailing lists; however, critics of the CAN-SPAM bill say tracking down senders who don’t respect opt-out requests will be difficult since many spammers operate from overseas.

Another step companies can take to help reduce spam is to encode the employee e-mail addresses posted on their corporate Web site so that spammers’ spiders – software programs that search the Web for e-mail addresses – can’t recognize them.

“A lot of spam that hits companies comes from having Web sites with e-mail addresses of corporate employees that get scraped by spiders,” says Amit Asaravala, editor of, an anti-spam online resource with product directories and news. “You can use Javascript and HTML encoding so these spiders can’t as easily scrape the e-mail addresses. The e-mail address looks normal and acts normal [to Web site visitors], but from the back end you just see code.”
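
The encoding described above, sketched as an added example that is not part of the original article. The sample address, the function names and the simplified address pattern standing in for a spider are all assumptions.

```javascript
// Added example, not from the article. The address and all names are constructed.
const ADDRESS = "jane.doe@example.com";

// Baseline: the address in clear text, as a spider reading page source sees it.
function plainLink(address) {
  return `<a href="mailto:${address}">${address}</a>`;
}

// HTML encoding: every character becomes a numeric character reference (&#NNN;).
function toHtmlEntities(text) {
  return Array.from(text, (ch) => `&#${ch.codePointAt(0)};`).join("");
}

function encodedLink(address) {
  return `<a href="${toHtmlEntities("mailto:" + address)}">${toHtmlEntities(address)}</a>`;
}

// JavaScript encoding: ship the two halves separately and join them in the
// visitor's browser, so "user@domain" never appears contiguously in the source.
// The returned string is the body of an inline <script> element.
function assemblyScript(address) {
  const at = address.lastIndexOf("@");
  const parts = JSON.stringify([address.slice(0, at), address.slice(at + 1)]);
  return `var p=${parts},a=p[0]+String.fromCharCode(64)+p[1];` +
    `document.write('<a href="mailto:'+a+'">'+a+'</a>');`;
}

// What the visitor's browser does with numeric references when it renders the page.
function renderEntities(html) {
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)));
}

// Stand-in for a spider: a simplified address pattern run over raw page source.
const ADDRESS_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
function scrapeAddresses(source) {
  return [...new Set(source.match(ADDRESS_RE) || [])];
}

console.log("plain  :", scrapeAddresses(plainLink(ADDRESS)));
console.log("entity :", scrapeAddresses(encodedLink(ADDRESS)));
console.log("script :", scrapeAddresses(assemblyScript(ADDRESS)));
console.log("visitor:", renderEntities(encodedLink(ADDRESS)));
```

Both encodings only stop scrapers that pattern-match raw source; anything that renders the page the way a browser does still sees the address, which is why the article treats this as a supplement to filtering.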