Who’s minding the spam filter?

Oct 13, 2003, 4 mins
Enterprise Applications, Malware, Security

* Keeping the bad e-mails out and letting the good ones in

This newsletter goes out to tens of thousands of subscribers every week.  There’s no telling how many of those individuals actually receive the newsletter because spam filters could be blocking its delivery.  Even I didn’t get my copy one week because I had used a commonly trapped key phrase in the article.  My company spam filter screens for that phrase and dumps offending emails into a spam folder, even though, in this case, the incoming mail was definitely not spam.  (I’d tell you what that phrase is, but then THIS newsletter would get trapped again!)

That begs the question, who is minding the company spam filter?

The recent explosion in spam and e-mail-borne viruses has made a spam filter an absolute necessity for every company with an e-mail system.  But this type of software is not a “set it and forget it” tool.  Since the nature of spam is always changing, an administrator needs to work with the spam filter on a regular basis to make sure it’s doing what you want it to do.

The most critical time for monitoring the filter is right after you install it. Watch it closely for a few weeks and figure out what addresses and domain names need to be white listed or black listed.  You’ll also need to compile your list of key phrases that should trigger the filtering action, and update that list frequently as e-mail content changes.

If the filter has the ability to automatically delete mail identified as spam, I recommend you not do this until you are fairly confident of what the filter is trapping.  Instead, send the suspect mail into a spam folder and screen it regularly to see if it should really be there.  Chances are that 99% of the mail going to that folder deserves to be there, but the other 1% might be valuable mail that should be forwarded to the rightful recipient.

However, do clean out the trapped mail often.  Back in August when the Sobig virus was going around, my small company’s spam filter was taking in hundreds of copies of the virus each hour.  Within days, we had 100,000 items in our filter, and they nearly crashed the server by taking up so much disk space.  I can imagine the impact that large enterprises must have felt.

I look at the mail caught by the filter a couple of times a week.  Legitimate mail that is most likely to find its way into a spam filter seems to be mass mailings of newsletters like this one.   The filter doesn’t like the fact that a newsletter often contains remote images, or that the e-mail has different SMTP TO: and MIME TO: fields in the email address.  Now those are settings that I could tweak in my filter, but changing them would let a lot of undesirable mail pour in.  This is where the administrator has to be observant and figure out how to white list something based on a domain name rather than a content rule or a behavioral rule.
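The trade-off described above, as an added Python sketch that is not from the original newsletter or from any filter product: the content and behavioral rules (remote images, SMTP TO differing from MIME TO, key phrases) stay switched on for everyone, a sender-domain white list is checked first, and suspect mail goes to a spam folder rather than being deleted. The domain names, the key phrase, the folder names and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed policy values (assumptions for illustration only).
ALLOWED_SENDER_DOMAINS = {"newsletter.example.com"}
KEY_PHRASES = ["limited time offer"]
REMOTE_IMG = re.compile(r'<img[^>]+src=["\']?https?://', re.I)

# Constructed sample: a mass-mailed newsletter with a remote image and a
# list address in the To: header instead of the real recipient.
SAMPLE = (
    "From: News <news@newsletter.example.com>\n"
    "To: subscribers@newsletter.example.com\n"
    "Subject: Weekly issue\n"
    "Content-Type: text/html\n"
    "\n"
    '<p>This week: filters.</p><img src="http://newsletter.example.com/logo.gif">\n'
)

def body_text(msg):
    """Concatenate every text/* part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def classify(raw, envelope_from, envelope_rcpt):
    """Return (folder, reasons). Suspect mail is quarantined, never deleted."""
    # White list by sender domain first, so the rules below stay strict.
    sender_domain = envelope_from.rpartition("@")[2].lower()
    if sender_domain in ALLOWED_SENDER_DOMAINS:
        return "inbox", ["sender domain on white list"]
    msg = message_from_string(raw)
    text = body_text(msg)
    reasons = []
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    header_rcpts = {addr.lower() for _, addr in getaddresses(headers)}
    if envelope_rcpt.lower() not in header_rcpts:
        reasons.append("SMTP TO differs from MIME TO")
    if REMOTE_IMG.search(text):
        reasons.append("remote image")
    reasons += [f"key phrase: {p}" for p in KEY_PHRASES if p in text.lower()]
    return ("spam-folder" if reasons else "inbox"), reasons
```

The envelope sender is easy to forge, so a domain white list like this one is only as trustworthy as whatever verifies where the mail actually came from; the recorded reasons are what the administrator reviews when screening the spam folder.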

As spam filters get better, spammers get savvier.  Unfortunately, the legitimate e-mail writer doesn’t clue in to how to write his messages to avoid getting trapped.  That’s why it’s important to monitor your filter often, and constantly tweak your lists and rules.

Be sure to read Network World’s recent review of 16 anti-spam products.  This report lists the seven most effective filtering products in terms of a low instance of false-positive results (i.e., not calling e-mail “spam” when it really isn’t).  As the reviewer points out, you need to be more concerned with the legitimate mail that gets trapped than the genuine spam mail that gets through.

Linda Musthaler is vice president of Currid & Company.  You can write to her at