Junking The Junk: Staying Ahead Of Spam Attacks

The numbers speak for themselves: in 2005, junk mail accounted for nearly 60 percent of all emails, up from just 10 per cent in 2001. And this growth looks set to continue.

The problem is bad enough for people at home, with spam messages dropping regularly into personal email inboxes. At work, however, spam presents a much bigger problem, clogging up corporate servers and accounts and distracting employees from their work.

To address the issue, the vast majority of companies have implemented anti-spam technology, and many manage it internally. But spam is not constant – the goalposts are continually changing as spammers develop new and more innovative tricks to get past the filters. Organisations have to battle to stay one step ahead. Furthermore, the best technology in the world can only be as good as its users, and many businesses also have to battle to ensure end-users follow basic guidelines to minimise junk mail.

When spam first became a real problem it could, at that time, be categorised in one of two ways – it was generally either trying to sell you something, or con you out of something. Annoying though the notorious Nigerian 419 scams or the promises of low-priced medicines were, they essentially targeted human gullibility, rather than being serious security threats. More concerning, if less frequent, were the denial of service attacks large enterprises were subjected to, in which spammers tried to flood the company’s mail servers with junk, thereby making them crash.

But over the past year or so, it has become clear that the threat of spam is evolving to become much more of a problem. As people have learned how to avoid the initial scams and stopped falling for the “too good to be true’ offers, the spammers have evolved their techniques to incorporate areas such as social engineering to help them reach their ultimate target – the naive end-user.

To make things even worse, we have seen more and more spam that conceals even greater threats such as viruses, spyware and phishing. These blended attacks are taking the basic con tricks of previous years to the next level – and organisations must keep up.

An even clearer demonstration of how the threats are changing has been the recent attacks on mobile phones and similar devices. Spam and other email-borne threats are no longer confined to the PC. Messaging on mobile phones for example has replicated the development of email: from initially handling only plain text messages, they can now handle attachments, multi-media and even active content such as embedded scripts or Java code. For the spammers, this is a whole new temptation. It is an area where users don’t expect to be at risk from attacks, and many have a false sense of security and are happy to open any messages even if they don’t know the sender. It’s no wonder that spammers are beginning to target this type of technology.

This constant battle in which spammers develop new technology, that the anti-spam vendors then learn how to block, is continually repeated. The result is that almost as soon as spam filters are updated, they are out of date.

This means that to protect users effectively from spam, IT departments must constantly update their technology. The most common solutions come from vendors such as Symantec, MessageLabs and McAfee. These are all acknowledged leaders in their field, and constantly update their tools to try to stay ahead of the problem. They monitor spam on a global scale and use a number of different techniques to identify the latest messages, the mail boxes they are sent from, and the methods the spammers are using to try to get past the defences.

It is important that, when user organisations install these products, they don’t just forget about them. They must take full advantage of the service these vendors provide and make sure they benefit from the technical expertise and regular updates that are made available. These days, dealing with the problem of junk mail is less about the actual product selected and more about the levels and quality of support and service that accompanies it. Increasingly, IT departments have to justify the return on investment and total cost of ownership of the in-house security solutions they use, and they are expected to secure more by spending less. This often leads to them working with technology partners or systems integrators that can offer spam control on a managed basis, or even as part of a larger security solution.

When organisations do decide to outsource email security and spam filtering, they often see a number of distinct benefits. One is the ability to deal with threats on a 24×7 basis – spam is an international business and attacks can happen at any time. Resources need to be available so the software can be monitored, maintained and upgraded as soon as a patch is available, to prevent a threat that happens at midnight from infecting the whole company before 9am.

By working with technology partners in this fashion, organisations can focus resources on other essential areas, and feel reassured in the knowledge that they are secure. The other benefit that a managed security provider can offer is direct access to the developers at the vendor company. This means that they can influence a product’s development to ensure that it meets the needs of their clients, and often have more immediate access to details of the threats and upgrades, which they can quickly pass on to their customers.

Another reason for the trend towards working with providers who can manage the organisation’s security is the need for an increasingly sophisticated end-to-end approach that covers all aspects of security, from spam and viruses to wireless. As the nature of security threats change many companies are finding that point solutions just don’t meet their needs.

Finally, the right partner can help organisations meet industry regulations and ensure compliance. A number of countries and industries now require that companies archive their email, but in many cases these regulations are complex. A partner will bring a deeper understanding of both the legal requirements and the technological implications, and will be able to develop a more effective solution to help the company stay compliant, protecting them from increased costs, or even fines and jail sentences.

But even if a company has the best technology partners, the right anti-spam package and a fully integrated security solution, it still has to manage one area of weakness – its users. All too often, end users unwittingly bring about security breaches by opening virus-carrying emails, downloading infected files and failing to update anti-virus software – the list goes on and on. But when it comes to the battle to protect their inboxes from spam, users can also be a valuable asset. It is therefore essential that they are given training and that organisations have policies in place to help users manage spam correctly and, ultimately, reduce the amount of spam they receive.

Spam is a problem, but it is actually one that can be managed effectively. Organisations must make sure that their email management tools are part of a wider security solution – and many companies decide to outsource this management to another expert organisation. After all, it only takes one mail to get through, or one mistake from a user, for the damage to be done.

Ten tips for users to help reduce spam

1. Be very careful when giving out your email address: think before you subscribe to newsletters or give out your details on registration forms.

2. When you do have to give out your email address, always look for the option asking if you want to sign up for information from third parties – and say no.

3. Think about who you are giving your details to. You wouldn’t give out your home address or phone number to strangers so you must be equally careful with your email address.

4. Never reply to unsolicited mail, even if it is to unsubscribe. This validates your address and, as such, makes it much more valuable to companies that sell email lists. This also applies to the remove link that many spammers include. Ideally you should not even open mail that is unsolicited.

5. Help your anti-spam tool learn what is and isn’t junk. Identify false positives and inform it when it misses a piece of spam. This helps build up accurate black and white lists, and identifies the latest techniques spammers are using.

6. Never give out your corporate email address for anything that isn’t work related. Consumer services can be some of the most pernicious spammers around.

7. If you’re having significant problems with spam, talk to your IT department. They may be able to help with an alternative email address or set up rules that only allow emails from designated domains.

8. Don’t have email addresses on company websites so they can’t be harvested by spambots. Have an online form with a phone number instead.

9. Preventing spam requires a joint international effort, so report it by sending the message plus the full header of the email, to sites such as Spam Cop which can then add the sender to their black lists.

10. When using private email addresses, select an address that is difficult to guess, using a combination of letters and numbers.