With more than 60% of e-mail now classified as junk, IT managers
need a way to police incoming communications. Danny Bradbury has
some answers.
Junk mail used to be purely a postal plague, but with the rise in
electronic communications, e-mail servers are now bulging with
garbage. Anti-spam company Brightmail, which operates a global
network of spam probes, says that 62% of sent e-mail is spam.
Product advertising, financial spam and pornographic e-mail make up
56% of all communications, and scams such as phishing constitute
11%.
With more than half of all e-mail consisting of junk, network
managers are being forced to pay more attention to spam and virus
problems. Carole Theriault, security consultant at anti-virus
company Sophos, says that approaches to protecting against viruses
and spam are different.
It is easier to block viruses without accidentally stopping
legitimate e-mail because viruses mostly contain some form of
executable code. "Most anti-virus firms have a low number of false
positives," she says. "You are looking at an industry where
everyone can offer pretty equal virus protection." Consequently,
anti-virus software is differentiated by ease of use and reporting
capabilities.
Fighting spam is more difficult because unsolicited commercial
e-mail does not generally attempt to compromise a machine with
executable code. Real-time blacklists are one of the most common
anti-spam techniques used by ISPs. These are lists of IP addresses
maintained by independent third parties, detailing mail servers
that handle spam irresponsibly. These mail servers may openly relay
e-mail from senders not on their networks, although responsible
system administrators are clamping down on this.
One disadvantage of real-time blacklists is that they can be too
aggressive, stopping legitimate e-mail getting through.
Whitelists are an inverted version of blacklists. Instead of
listing e-mail servers from which you will refuse mail, they list
domains from which you will accept mail, on the assumption that you
only want mail from people you know. For many businesses, this will
not be acceptable. For example, applying a whitelist to an open
sales enquiry e-mail address will result in too many false
positives.
Spammers are constantly trying to evade such filters, so anti-spam
software has to use more complex algorithms to scan e-mail.
Generally, the more techniques a system uses, the more reliable the
result will be.
Analysis creates a score for an e-mail after performing dozens of
tests. For example, lexical analysis, in which the language of an
e-mail is analysed, can be combined with tests for HTML-based
e-mail in which the layout of an e-mail is scanned for things such
as web bugs. These are embedded HTML tags that access a third-party
website, covertly confirming that the mail has been read.
Particularly worrying is the co-operation between the spam and
virus communities. Some viruses create SMTP servers on the infected
machine, which can then be used as gateways by spammers to
distribute unsolicited commercial e-mail to others. Simply
disallowing executable attachments is not enough: one recent
version of the Bagel worm did not carry a payload; instead, it used
a web bug to access a remote site via HTML, downloading an exploit
to compromise the host machine.
Consequently, it is advisable to disable the display of HTML e-mail
altogether on client machines and disallow executable attachments.
Because compromised machines can be made to send e-mails
themselves, subscribing to a real-time blacklist or using a gateway
screening programme that blocks e-mail from dynamic IP addresses is
a good idea. As dynamic IP addresses are mostly used on residential
accounts, they should never be used by legitimate e-mail
servers.
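As an added illustration of the multi-test scoring described above (lexical analysis and web-bug detection combined with the blacklist and executable-attachment checks just recommended), here is a small Python filter written for this article; it is not code from any of the products named. The blacklist entries, phrase list, point weights, threshold and sample message are all constructed for the example.

```python
import email
import re
from email import policy

# Constructed RBL stand-in, keyed DNSBL-style with the IP's octets reversed.
BLACKLIST = {"4.3.2.198", "55.0.168.192"}  # i.e. 198.2.3.4 and 192.168.0.55
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")
SPAM_PHRASES = ("click here", "free", "act now", "winner")  # constructed list
# A remote <img> that is 0 or 1 pixel wide or high is the classic web bug.
REMOTE_IMG = re.compile(r"<img\b[^>]*\bsrc=[\"']https?://[^>]*>", re.I)
TINY_DIM = re.compile(r"\b(width|height)=[\"']?[01][\"']?(?=[\s/>])", re.I)
THRESHOLD = 5  # points at or above which the mail is treated as spam

def rbl_listed(ip: str) -> bool:
    """Build the DNSBL-style reversed-octet name and look it up."""
    return ".".join(reversed(ip.split("."))) in BLACKLIST

def score_message(raw: bytes, connecting_ip: str) -> tuple[int, list[str]]:
    """Run every test, add the points each contributes, return (score, reasons)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[tuple[int, str]] = []
    if rbl_listed(connecting_ip):
        hits.append((3, f"relay {connecting_ip} is blacklisted"))
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXT):
            hits.append((5, f"executable attachment {name}"))
        ctype = part.get_content_type()
        if not ctype.startswith("text/"):
            continue
        text = part.get_content()
        if ctype == "text/html":
            bugs = [t for t in REMOTE_IMG.findall(text) if TINY_DIM.search(t)]
            hits.extend((3, "web bug: tiny remote image") for _ in bugs)
            text = re.sub(r"<[^>]+>", " ", text)  # strip tags for the lexical pass
        low = text.lower()
        hits.extend((1, f"lexical: {p!r}") for p in SPAM_PHRASES if p in low)
    return sum(p for p, _ in hits), [r for _, r in hits]

# Constructed sample: HTML mail carrying a 1x1 tracking image.
SAMPLE = b"""From: offers@example.com
To: sales@example.org
Subject: You are a winner
Content-Type: text/html; charset=us-ascii

<html><body><p>Click here to claim your FREE prize!</p>
<img src="http://tracker.example.net/p.gif?id=42" width="1" height="1">
</body></html>
"""
```

The sample scores 5 on content alone (web bug plus two phrases) and 8 when it arrives from a blacklisted relay, while a plain-text message with no hits scores 0.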
Appliances can be a simple way to build e-mail protection into a
network. Companies such as Mirapoint provide sealed hardware boxes
that connect to a website to update virus signatures and spam
blocking rules. Senior technology consultant Jamie Cowper says his
Razorgate boxes use an OEM version of the Sophos gateway product
and a customised version of the BSD operating system.
The alternative is to outsource the whole thing. The Mailcontrol
service from BlackSpider Technologies provides anti-virus, anti-spam
and content management as a managed service, says chief executive
John Cheney. It uses three different anti-virus products along with
a heuristic engine that detects emerging trends in e-mail content.
Service provider Nasstar provides something similar to small and
medium-sized enterprises, says its chief executive Charles Black,
who uses Mirapoint equipment at the back end.
In future, some industry players hope that more intelligent
internet standards will help to eradicate spam. AOL is testing an
authentication protocol called Sender Policy Framework, which ties
identities to IP addresses so that they cannot be spoofed.
Microsoft is testing its Caller ID, and competing standards called
Designated Mailers Protocol and Reverse Mail Exchange hope to
achieve the same end. All of them seek to address an inherent flaw
in SMTP that makes it difficult to identify the real sender of a
message.
However, with viruses now turning host machines into zombie SMTP
servers, and with domain registration so cheap, it is likely that
spammers will build their own relays using Trojans or simply
abandon attempts to spoof mail origins altogether, says
Cheney.
Caller ID protocols are not a silver bullet, he says. "We will see
spammers buying domains, so we will know who sent the messages, but
we still cannot stop them sending."
Clearly, as spammers and anti-spammers continue their cat-and-mouse
game, the cleanest in-boxes will be those that use multiple
techniques to scrub their incoming mail.