With more than 60% of e-mail now classified as junk, IT managers need a way to police incoming communications. Danny Bradbury has some answers.
Junk mail used to be purely a postal plague, but with the rise in electronic communications, e-mail servers are now bulging with garbage. Anti-spam company Brightmail, which operates a global network of spam probes, says that 62% of sent e-mail is spam. Product advertising, financial spam and pornographic e-mail make up 56% of all communications and scams, such as phishing, constitute 11%.
With more than half of all e-mail consisting of junk, network managers are being forced to pay more attention to spam and virus problems. Carole Theriault, security consultant at anti-virus company Sophos, says that approaches to protecting against viruses and spam are different.
It is easier to block viruses without accidentally stopping legitimate e-mail because viruses mostly contain some form of executable code. "Most anti-virus firms have a low number of false positives," she says. "You are looking at an industry where everyone can offer pretty equal virus protection." Consequently, anti-virus software is differentiated by ease-of-use and reporting capabilities.
Fighting spam is more difficult because unsolicited commercial e-mail does not generally attempt to compromise a machine with executable code. Real-time blacklists are one of the most common anti-spam techniques used by ISPs. These are lists of IP addresses maintained by independent third parties, detailing mail servers that handle spam irresponsibly. These mail servers may openly relay e-mail from senders not on their networks, although responsible system administrators are clamping down on this.
One disadvantage of real-time blacklists is that they can be too aggressive, stopping legitimate e-mail getting through.
Whitelists are an inverted version of blacklists. Instead of listing e-mail servers from which you will refuse mail, they list domains from which you will accept mail, on the assumption that you only want mail from people you know. For many businesses, this will not be acceptable. For example, applying a whitelist to an open sales enquiry e-mail address will result in too many false positives.
Spammers are constantly trying to evade such filters, so that anti-spam software has to use more complex algorithms to scan e-mail. Generally, the more techniques a system uses, the more reliable the result will be.
Analysis creates a score for an e-mail after performing dozens of tests. For example, lexical analysis, in which the language of an e-mail is analysed, can be combined with tests for HTML-based e-mail in which the layout of an e-mail is scanned for things such as web bugs. These are embedded HTML tags that access a third-party website, covertly confirming that the mail has been read.
Particularly worrying is the co-operation between the spam and virus communities. Some viruses create SMTP servers on the infected machine, which can then be used as gateways by spammers to distribute unsolicited commercial e-mail to others. Simply disallowing executable attachments is not enough; one recent version of the Bagel worm did not carry a payload, instead, it used a web bug to access a remote site via HTML, downloading an exploit to compromise the host machine.
Consequently, it is advisable to disable the display of HTML e-mail altogether on client machines and disallow executable attachments. Because compromised machines can be made to send e-mails themselves, subscribing to a real-time blacklist or using a gateway screening programme that blocks e-mail from dynamic IP addresses is a good idea. As dynamic IP addresses are mostly used on residential accounts, they should never be used by legitimate e-mail servers.
Appliances can be a simple way to build e-mail protection into a network. Companies such as Mirapoint provide sealed hardware boxes that connect to a website to update virus signatures and spam blocking rules. Senior technology consultant Jamie Cowper says his Razorgate boxes use an OEM version of the Sophos gateway product and a customised version of the BSD operating system.
The alternative is to outsource the whole thing. The Mailcontrol service from BlackSpider Technologies provides anti-virus, antispam and content management as a managed service, says chief executive John Cheney. It uses three different anti-virus products along with a heuristic engine that detects emerging trends in e-mail content. Service provider Nasstar provides something similar to small and medium-sized enterprises, says its chief executive Charles Black, who uses Mirapoint equipment at the back end.
In future, some industry players hope that more intelligent internet standards will help to eradicate spam. AOL is testing an authentication protocol called Sender Policy Framework, that ties identities to IP addresses so that they cannot be spoofed. Microsoft is testing its Caller ID, and competing standards called Designated Mailers Protocol and Reverse Mail Exchange hope to achieve the same end. All of them seek to address an inherent flaw in SMTP that makes it difficult to identify the real sender of a message.
However, with viruses now turning host machines into zombie SMTP servers, and with domain registration so cheap, it is likely that spammers will build their own relays using Trojans or simply abandon attempts to spoof mail origins altogether, says Cheney.
Caller ID protocols are not a silver bullet, he says. "We will see spammers buying domains, so we will know who sent the messages, but we still cannot stop them sending."
Clearly, as spammers and anti-spammers continue their cat-and-mouse game, the cleanest in-boxes will be those that use multiple techniques to scrub their incoming mail.
This was first published in April 2004