10 Tips for Fighting Corporate Spam
Implementing a server-side spam-blocking product should be your first step toward fending off junk e-mail. Beyond this, the IT department can take steps to reduce the volume of spam entering your company:

1. Write down the company's policies on e-mail and Web usage and make sure employees read them. Provide detailed instructions for how employees should deal with inappropriate e-mail. A good policy also specifies whether employees can sign up for newsletters and Web sites that require e-mail addresses. All employees should sign the policy agreement.

2. Tell employees that they should never respond to spam, even to be taken off the mailing list, as this is often just a way for the spammer to confirm that an address is real.

3. Don't post clear links to your employees' e-mail addresses on your Web site. Instead, mung them, or display them in a way that a machine cannot read. One way to do this is to publish them as John_Doe[at-sign]microblob.com or John_Doe@microblob[REMOVE THIS].com. Always include instructions on how to use these addresses. Guidelines on how to do this are at http://members.aol.com/emailfaq/mungfaq.html.

4. Limit or even disallow personal e-mails—especially those e-greeting cards! You may consider prohibiting the use of profanity, as this can greatly help with setting up your filtering tool.

5. Require employees to mung their e-mail addresses—or use alternative addresses—in newsgroup discussions and any online chatting.

6. Don't use guessable e-mail addresses like firstname.lastname@company.com. Instead, add a random number to names. This makes it harder for spammers to guess the addresses.

7. Set employees' Web browsers to the recommended security level. If the security level isn't stringent enough, bots may grab employees' e-mail addresses when they visit Web sites.

8. Make sure your firewall is configured to block all unrequested traffic.

9. Install antivirus protection at the gateway, server, and desktop levels. Viruses can mess with your e-mail setup. Use an antivirus product from a different vendor at each level: If one solution doesn't catch an intruder, another may.

10. Make sure your mail server isn't acting as an open relay. Find out how at http://mail-abuse.org/tsi/ar-fix.html.
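Tip 10 comes down to one rule in the server's RCPT TO handling: relay only for clients that have identified themselves (by trusted network or by SMTP authentication) or for recipients in your own domains. The following is an added illustration of that policy, not code from the article or from any mail server; the domain, network and client addresses are constructed.

```python
"""Relay-control decision for an SMTP server (added example, constructed values).

A server that applies this rule is not an open relay: outsiders can still send
mail TO the local domains, but cannot use the server to send mail elsewhere.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical site configuration; replace with your own values.
LOCAL_DOMAINS = {"microblob.com"}                     # domains we accept mail for
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # networks we relay for


@dataclass
class Session:
    client_ip: str
    authenticated: bool   # True once SMTP AUTH (username/password) succeeded


def relay_decision(session: Session, rcpt: str) -> str:
    """Return the SMTP reply the server should give to a RCPT TO command."""
    domain = rcpt.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "250 OK"                       # inbound delivery, always fine
    ip = ipaddress.ip_address(session.client_ip)
    if session.authenticated or any(ip in net for net in TRUSTED_NETS):
        return "250 OK"                       # identified client, may relay
    # Anonymous outside client asking us to relay to a foreign domain:
    # refuse at RCPT time so nothing is ever queued.
    return "554 5.7.1 Relay access denied"


def self_test() -> list:
    """Replay the probes an open-relay test makes against this policy."""
    outsider = Session("203.0.113.9", authenticated=False)  # TEST-NET address
    insider = Session("10.1.2.3", authenticated=False)
    roaming = Session("203.0.113.9", authenticated=True)
    return [
        relay_decision(outsider, "someone@example.net"),      # relay: denied
        relay_decision(outsider, "john_doe@microblob.com"),   # inbound: ok
        relay_decision(insider, "someone@example.net"),       # on-net: ok
        relay_decision(roaming, "someone@example.net"),       # authed: ok
    ]


if __name__ == "__main__":
    for reply in self_test():
        print(reply)
```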
Mail Servers Play Catch-Up: Built-In Antispam Tools
No room in the budget for a full-fledged antispam product? You can block a modicum of spam simply by changing settings in your e-mail server. The latest versions of the most popular e-mail servers, Lotus Domino 6 and Microsoft Exchange 2000 Server, offer a few tools for blocking spam. Still more tools will be available in Microsoft's Exchange follow-up, code-named Titanium, due this summer.

Domino 6, released in October, lets you block spam using real-time black-hole lists, or RBLs. An RBL, such as the Mail Abuse Prevention System (http://mail-abuse.org), is essentially a catalog of IP addresses from which spam messages have been sent in the past or that currently are open relays, which spammers frequently use as conduits for their messages.

By making a few changes to Domino's configuration document, you can set the program to reject all messages from addresses on a particular RBL. Or, if you're worried about rejecting more than just spam—many legitimate businesses unwittingly configure their servers as open relays—you can take alternative action when e-mail arrives from addresses on RBLs, like creating a log of such messages or tagging each one to warn recipients that it may contain spam. Unfortunately, many industry analysts don't recommend RBLs for fighting spam—especially as the sole strategy.

Exchange can't tie into RBLs as easily as Domino does, but it does let you block spam using other methods. You can set up a makeshift RBL, for instance, telling the server to block all messages that come from certain IP addresses or that are sent to more than a given number of people. And you can perform a reverse DNS lookup on each message, checking to see whether the message's IP address can be matched to a valid host name. For a discussion of how to prevent spam using Exchange alone, go to http://support.microsoft.com/default.aspx?scid=kb;en-us;319356.

Much like Domino, Titanium will let you check messages against public RBLs. It will also provide several hooks into its antivirus API that will let seasoned programmers easily build their own antispam tools.

Unless you augment your e-mail server with your own antispam tools, it isn't likely to block much of the spam streaming into your organization. Spammers have learned to work their way around RBLs and reverse DNS lookups. But for those who can't afford a standalone antispam product, Exchange and Domino offer at least some protection.
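The two checks this section describes, an RBL lookup on the connecting address and a reverse DNS lookup, plus Domino's three responses (reject, log, or tag), fit in a few lines. The code below is an added example, not Domino's or Exchange's own logic; the list zone "rbl.example", the resolver answers and the client addresses are all constructed so it runs offline. An RBL is queried by reversing the IPv4 octets under the list's zone; an answer means the address is listed.

```python
"""RBL and reverse-DNS checks at connection time (added example, constructed data)."""

RBL_ZONE = "rbl.example"   # placeholder zone name, not a real black-hole list

# Stand-in for DNS so the example runs offline. Real code would query the
# RBL name for an A record and the in-addr.arpa name for a PTR record.
FAKE_DNS = {
    "9.113.0.203.rbl.example": "127.0.0.2",        # 203.0.113.9 is listed
    "9.113.0.203.in-addr.arpa": "host.example",    # ...but does have a PTR
    "8.0.0.10.in-addr.arpa": "mail.example.net",   # 10.0.0.8: PTR, not listed
    # 192.0.2.5: neither listed nor any PTR record
}


def _reversed_octets(ip: str) -> str:
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("IPv4 dotted-quad address expected: %r" % ip)
    return ".".join(reversed(octets))


def dnsbl_query_name(ip: str, zone: str = RBL_ZONE) -> str:
    """Name to look up in an RBL: octets reversed, then the list's zone."""
    return _reversed_octets(ip) + "." + zone


def reverse_name(ip: str) -> str:
    """Name whose PTR record gives the host name for this address."""
    return _reversed_octets(ip) + ".in-addr.arpa"


def check_client(ip: str, mode: str = "tag", resolver=FAKE_DNS) -> dict:
    """Decide what to do with a connection from ip.

    mode mirrors the Domino options in the text: 'reject' the message,
    'log' it, or 'tag' it so recipients are warned. Clean clients are accepted.
    """
    if mode not in ("reject", "log", "tag"):
        raise ValueError("mode must be reject, log or tag")
    reasons = []
    if dnsbl_query_name(ip) in resolver:          # A record answer => listed
        reasons.append("listed in " + RBL_ZONE)
    if reverse_name(ip) not in resolver:          # no PTR => no valid host name
        reasons.append("no reverse DNS")
    return {"action": mode if reasons else "accept", "reasons": reasons}


if __name__ == "__main__":
    for client in ("203.0.113.9", "10.0.0.8", "192.0.2.5"):
        print(client, check_client(client, mode="reject"))
```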
Know Your Enemy: How Spammers Operate
Spammers gather e-mail addresses wherever they can—Web sites, Internet white and yellow pages, newsgroups, chat rooms, mailing lists, and domain registrations. They trick your browser into revealing your e-mail address without your knowledge, con you into giving it out via chain letters and bogus offers, and dupe you with e-mail containing scripts that send back not only your e-mail address but also your entire address book. Or they simply guess at addresses and eliminate any that bounce. If they're lazy, they just buy a mailing list from someone else who uses these techniques.

A spambot is a tool that starts with a Web search, scrapes all the e-mail addresses from the first page it finds, and then follows links to related sites, collecting more addresses as it goes. Site owners can protect themselves from spambots by redirecting them to a page that's free of e-mail addresses. For details, see www.turnstep.com/spambot.

Chat rooms are paradises for spammers, who use specialized harvester programs for AOL chat rooms and profile lists. AOL names are considered desirable, because the service appeals to Internet newcomers, who are more likely to respond to spam and less likely to have antispam solutions in place. For harvesting e-mail addresses of more sophisticated users, spammers scour public lists of domain registrations.

Browsers can also be tricked into revealing your e-mail address as you surf. JavaScript can instruct your browser to send e-mail with your address to a specified location. Some browsers give your address to every site you visit. To see whether yours does, go to www.privacy.net/analyze.

Once a spammer has a list of addresses, the next challenge is to send lots of e-mail to all those addresses. The problem is twofold: The spammer has to find an SMTP server that can handle the mail and hide his identity to avoid repercussions. Spam is prohibited by virtually all ISPs, and spammers will lose their accounts if they're caught.

Hiding your identity by falsifying header information is illegal in many states, and several federal laws are being considered to make it illegal nationwide (see www.spamlaws.com for details). But identity hiding is nevertheless supported by many bulk e-mail programs. Using others' mail servers without permission will also be illegal if Congress passes the "Can Spam Act," but spammers can currently buy programs that search the Internet for open relays or buy lists of open-relay IP addresses. Open relays are unprotected servers that send out e-mail from any source. The sender doesn't have to identify himself either through his IP address or the newer authentication technique based on usernames and passwords.

One option is to set up a desktop mail server. There's even a company that offers an address harvester as a companion to its desktop mail server. An easier but more expensive approach is to use one of many bulk mail services with their own mail servers. These companies offer mailing lists for purchase and IP addresses that can't be traced back to a spammer.

With each customer blasting out millions of e-mail messages on a regular basis, how do bulk e-mail services handle the load? Some of them use special-purpose e-mail server appliances that can send out as many as a million e-mail messages an hour—the equivalent of ten traditional servers.

A mass e-mailing can be either perfectly benign or completely offensive. Unfortunately, the tools that are good for the first kind work just as well for the latter.