Closing the door on junk emailers

by Danny Bradbury, Network News

14 Apr 2000

There's only one thing worse than getting a piece of junk mail through your letterbox and that's getting one that lands right on your desk. One of the most irritating things about unsolicited commercial email (also called UCE or spam) is that you pay for the privilege of downloading it.

The cost of spam to British businesses is considerable. An independent report, conducted by Benchmark Research and released two years ago by Novell, revealed that spam costs UK plc £5bn every year. The most popular spam is commercial, touting products or services. Get-rich-quick schemes, pornography and chain letters also ranked highly on the list, according to the report.

The cost of spam rises as it penetrates the business: if you can catch it early enough the cost will be minimal, but if it reaches your end users, then many of them will inevitably read it, consequently affecting their productivity. The key is to implement best practices to stop spam as early as possible.

Relaying bad news
One of the major mistakes that companies make in the battle against spam is to leave their email servers open to relay attacks. These attacks involve the illicit use of a company's email server as a forwarding mechanism for spam mail.

A relay-friendly email server was originally designed to enable legitimate mail users to forward their email using the server as a facility. Unfortunately, such relays are also a useful mechanism for spammers to cover their tracks. Spammers can use these servers to send email in bulk without giving away their identities.

This has two disadvantages for the company running the server. The first is that the company will bear the cost of sending multiple emails - often in their thousands - on the spammer's behalf. The second is that because the spam will have originated from the company's domain, it will become a target for angry emails from people who have received the spam and wish to be removed from the recipient list.

Richard Jones is senior developer at BiblioTech, a company that runs a free email service, which last week won a ground-breaking legal battle in the US against junk email. He explained that closing open relays is a vital part of any anti-spam strategy. This involves making sure that all your software is up to date and correctly configured. Older versions of many popular software packages - including some groupware mail servers - have open relaying set as a default out of the box, leaving you vulnerable. This is a particular problem with the popular Sendmail email server.

Other, less obvious practices can also cut down your vulnerability to spam. Monitoring your end users' activities on the internet is a good idea. If staff are posting to news groups using their corporate email address, for example, then they are leaving themselves wide open to unsolicited email. Automated programs designed to search the news groups for valid email addresses, called spam bots, will catalogue such addresses and inundate them with spam.

Putting the bot in
Similar problems can occur if you put an email address on your company website. Many companies will use the 'mailto:' URL to link to multiple names within the organisation, so that people can send emails directly to, say, the marketing department, the sales manager, and even in smaller organisations, board level management. Bots will pick up this information and feed it into a spam list.

One way around the Usenet spamming problem is to simply put asterisks around, or in, your email address, with instructions for genuine correspondents to strip these out manually. This is not appropriate for a website, however. Spambot (www.spambot.com) is a service that will provide you with a specific user ID upon registration, which you can then use in lieu of an email address on your website or within Usenet. When someone clicks on this ID online, it either redirects the browser to a 'mailto:' URL, or allows them to enter an email into a specially designed web page. The free service therefore prevents spambots from reading your email address.

If spam does get through in spite of such services, then replying to it - even if it is only to request removal from the list - is the best way to ensure that you continue to receive such mails, because it lets spammers know that your account is active. It's best to advise your end users not to send any replies at all.

Unfortunately, with the advent of HTML, acknowledgement of receipt has become even more of a problem, according to Brian Dorricott, managing director of email server and anti-spam software vendor, Gordano. "An example of that is when you are sent a URL that has pictures embedded," he said. "Some spammers use that to work out when you have read the mail."

When the embedded pictures download, this shows the spammer's server that your entry on the email distribution list is valid.

Filtering through
After educating your end users, you can take technical precautions both on the desktop and on the server. Systems administrators can subscribe to the Real-time Blackhole List (RBL), run by the Californian not-for-profit organisation known as the Mail Abuse Prevention System (MAPS). This is a service that regularly blacklists email servers that send large amounts of spam. If a server is placed on the blacklist, it becomes impossible for it to send mail to the email server of any organisation that subscribes to the RBL.

This means that the RBL is effectively a barrier between its subscribers and spam-friendly servers. MAPS does not distinguish between those servers that send spam intentionally and those that are being used as a relay by spammers. It will nevertheless advise owners of these servers on how to stop the problem occurring again.

One of the major problems with such a service, however, is that it cannot be very granular, explained Terry Harnet, systems developer at ISP UKOnline. Because it is easy for spammers to set up accounts very quickly (and now for free), it would be of limited use to block mail from a single address.

However, it would be counter-productive to block whole domains. If, for example, your company deals with multiple freelance workers who maintain accounts on AOL, then blocking AOL because of spam sent from that domain would make it impossible for your freelance staff to communicate with you online. Nevertheless, it is useful for making some smaller ISPs and corporate email users more aware of spamming.

Another option for systems administrators and network managers intent on minimising the spam problem is to implement a rules-based filtering system. Various tools are available for doing this at a server level, which can, at the very least, perform searches based on subject headers and body text. Typical filtering rules would include searching for multiple dollar signs and exclamation marks within a header, for example.

However, such software also has its disadvantages. Richard Jones argues that although he uses some rules successfully on his equipment, they are difficult to keep up to date. The spammers are constantly changing the types of message titles that they use to persuade recipients to read their mails.

Many such filtering rules are available for desktop mail clients as well. Microsoft Outlook, for example, will filter junk mail for you. This is even less workable, however, because it makes it even more difficult for systems administrators to apply a universal set of filtering rules across the organisation. If end users begin to define their own rules, they may accidentally exclude legitimate email from their inboxes, with disastrous results.

Combining methods
Rob Peterson, lead engineer with eSoft, a company providing out-of-the-box anti-spam products, said that because rules filtering and RBL checking both have their drawbacks, the best way to guarantee stopping as much spam as possible is to employ both of them. He estimates that you can rid yourself of up to 90 per cent of spam by combining these approaches.
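The combination described above can be sketched as follows. This is an added example, not code from the article or from any vendor it names; the zone rbl.example.org, the function names and the sample addresses are assumptions, and DNS is replaced by a constructed stub so the sketch runs offline.

```python
import ipaddress
import socket

# Placeholder zone (assumption): use the zone your blocklist provider publishes.
BLOCKLIST_ZONE = "rbl.example.org"

def blocklist_query_name(ip, zone=BLOCKLIST_ZONE):
    """DNS blocklists are queried by reversing the IPv4 octets and appending the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, resolve=socket.gethostbyname):
    """Listed addresses resolve (conventionally to 127.0.0.x); a failed lookup
    counts as not listed, so a DNS failure never blocks legitimate mail."""
    try:
        resolve(blocklist_query_name(ip))
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False

def subject_looks_like_spam(subject):
    """Rule of the kind the article describes: repeated '$' or '!' in the subject."""
    return subject.count("$") >= 2 or subject.count("!") >= 2

def verdict(client_ip, subject, resolve=socket.gethostbyname):
    """Blocklist check on the connecting address, then the content rule."""
    if is_listed(client_ip, resolve):
        return "reject"
    return "quarantine" if subject_looks_like_spam(subject) else "accept"

def fake_resolve(name):
    """Constructed stand-in for DNS so the example runs offline."""
    if name == "2.2.0.192." + BLOCKLIST_ZONE:  # 192.0.2.2 is 'listed' here
        return "127.0.0.2"
    raise socket.gaierror("not found")

if __name__ == "__main__":
    for ip, subj in [("192.0.2.2", "Hello"), ("198.51.100.7", "Make $$$ fast!!!"),
                     ("198.51.100.7", "Meeting at 3pm")]:
        print(ip, repr(subj), verdict(ip, subj, fake_resolve))
```

Quarantining rather than rejecting on the content rule keeps a stale or over-eager rule from silently discarding legitimate mail.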

Choosing your ISP carefully is another way of cutting down on potential spam problems. Ideally, your ISP should be only too willing to help you trace the source of any spam that you receive.

Many ISPs will also subscribe to services such as RBL, in a bid to stop much of the spam getting to your server. If your ISP does this for you, it will help free up your internet connection, meaning that you won't have to pay to download as many unsolicited emails.

Not all ISPs will do this, however. UK Online won't, for example. Harnet said: "You have the overheads of doing a reverse DNS, checking that the IP address isn't spoofed, and then checking the entry against the list. We handle a lot of emails for all of our customers. People would start to complain if they were delayed by more than a few minutes."

If, after all your efforts, you continue to be spammed, there are still many steps that you can take to discover the source of the mail. This will enable you to help put the spammer out of business. A good working knowledge of email headers and SMTP is useful, and for an in-depth guide, check out the email section of www.stopspam.org. Dealing with such spam manually takes time and patience, however, and busy systems administrators may not have the resources.

An excellent alternative is the free spam analysis and reporting service at www.spamcop.com. This commendable website enables you to paste the headers and body text from spam into a form for online analysis. It then parses the headers to find out the real sender of the email, and generates a spam report.
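The kind of header analysis described above can be illustrated with a short sketch. It is an added example, not the reporting service's own code; the sample message, host names and addresses are constructed, and the function name and the simple Received-line pattern are assumptions.

```python
import re
from email import message_from_string

# Constructed sample; hosts and addresses are documentation values.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.example.net with ESMTP; Fri, 14 Apr 2000 09:00:02 +0100
Received: from relay.example.org (unknown [198.51.100.23])
\tby mx.example.net with SMTP; Fri, 14 Apr 2000 09:00:01 +0100
Received: from bank.example (bank.example [192.0.2.99])
\tby relay.example.org with SMTP; Fri, 14 Apr 2000 08:59:59 +0100
From: offers@bank.example
Subject: Make $$$ fast!!!

body text
"""

# Bracketed client IP recorded by the receiving server, then the "by" host.
HOP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([\w.-]+)", re.S)

def handoff_ip(raw_message, our_hosts, our_ips):
    """Return the address that handed the message to our infrastructure.

    Each server prepends its own Received line, so the newest is first. Only
    lines stamped by our servers are reliable; the first one that records a
    client outside our network identifies the real source, and everything
    below it was supplied by the sender and may be forged."""
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        hop = HOP_RE.search(header)
        if not hop or hop.group(2).lower() not in our_hosts:
            return None  # chain broken before leaving our servers
        if hop.group(1) not in our_ips:
            return hop.group(1)
    return None  # message never left our own servers

OUR_HOSTS = {"mail.example.net", "mx.example.net"}
OUR_IPS = {"203.0.113.10"}

if __name__ == "__main__":
    print(handoff_ip(SAMPLE, OUR_HOSTS, OUR_IPS))
```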

The real key to stopping spam, of course, is to use a combination of methods. Contributing to the anti-spam movement by catching any stray spam manually and taking advantage of services such as Spamcop will make it harder for spammers to ply their wares online.

However, technical tools alone will not save you from junk email; educating your staff and making them more aware of the potential dangers associated with posting online will also dramatically cut down your corporation's vulnerability.
