Getting Clueful: Five Things You Should Know About Fighting Spam
The battle for your users' e-mail inboxes probably will never end, but it's
not a failure of technology. Experienced e-mail and system administrators
share the key points they really, really wish you understood.
By Esther Schindler
February 15, 2007
When you started your e-mail client this morning, you were prepared for the
usual set of correspondence: your daily dose of corporate politics, a dollop
of technical emergencies and the background hum of projects under way.
Annoyingly, your inbox also contained a few messages advertising products
you would never buy, and perhaps a phishing notice warning that your account
was frozen at a financial institution where you don't have an account. Your
company has antispam measures in place; surely, the IT staff should be able
to keep this junk out of your inbox?
Perhaps they can, but the task of doing so has become much more difficult in
recent years, partly because 85 percent or more of all e-mail traffic today
is spam. If you haven't been listening closely to the dark mutterings in
your e-mail administrator's office, you may have missed out on significant
clues about the nature of the problem and what the IT department can do to
address it. However, when you do listen to the technical staff, it's easy to
get lost in their arcane acronyms, such as SPF and RBLs, and you may drown
in more information than you really wanted to know.
To learn what's really happening in the technical trenches, we asked several
e-mail administrators to tell us about the key items (the single key item, in
fact) that they wish their IT management understood. If you read through
their wish list, you may be able to understand the nature of their
challenges and, perhaps, help them clean out your inbox.
In brief, says Keith Brooks, vice president at Vanessa Brooks, "Stopping
spam is a mixture of luck, intelligence, alcohol and planning." With luck,
he says, your CEO never hears about spam. "But without it, the CIO never
stops hearing about this issue."
1. Lose No Mail.
The primary directive, for e-mail admins, is "lose no mail." If that means
that an occasional spam message wends its merry way into users' mailboxes,
so be it. E-mail administrators would prefer that users encounter a few
annoyances than miss an important business message.
Dr. Ken Olum, a research assistant professor in the Tufts Institute of
Cosmology, also maintains the institute's computers. Olum explains, "The
most important thing is never to silently drop an important e-mail. If you
just drop it, your correspondent thinks you aren't answering on purpose or
forgets all about you. So suspected spam should always be rejected and never
dropped. Sequestering it is only slightly better than dropping it, because
you have to look through the sequestered spam, and most people don't
bother."
Nonetheless, many CIOs ask their IT department to keep the e-mail boxes
clear of anything offensive. Yet, according to Scott Kitterman of
ControlledMail.com, "I want zero spam and I want to never ever miss a
legitimate message" isn't feasible. Kitterman explains, "This is a risk
management practice, and you need to decide where you want to put your risk.
Would you rather risk getting spam with lower risk of losing/delaying
messages you actually wanted to get, or would you rather risk
losing/delaying legitimate messages with lower risk of spam? You can't have
both, no matter how loudly you scream."
Tom Limoncelli, author of The Practice of System and Network Administration
(Addison-Wesley) and Time Management for System Administrators (O'Reilly),
stresses that because fighting spam is not an exact science, there always
will be false positives and false negatives. The IT department has to cope
with this. Limoncelli had a CTO complain when he missed an important message
because it was caught in the spam filter. Says Limoncelli, "This system sent
him e-mail once a day with a list of his messages that had been blocked;
clicking on any of them 'releases' it from the quarantine. ... He wanted a
report for every message that was blocked. At least that was his initial
request; he then realized that he had asked for an e-mail to warn him of
every e-mail!"
2. There's No Silver Bullet.
In many areas of IT, the long-term solution is a simple one: Adopt the
single right methodology, hire the right consultant, buy the most
appropriate product. But your IT staff wants you to understand that spam
isn't a problem that can be solved with a single technology, a single
product or any one answer.
Vendors of spam-fighting hardware and software will tell you different, but
they're wrong. Bill Cole, senior technical specialist at T-Systems North
America, has been fighting spam for more than a decade. Everyone involved in
that fight, he says, dreams of the "Final Ultimate Solution to the Spam
Problem." But, he cautions, people who yearn for a single answer may fall
prey to a vendor's magical "answer," but "in a year or so, the magic is gone
and the spammers have adapted." Then, he notes, "managers get upset, a new
'solution' gets deployed, and the cycle goes around again."
Brad Knowles, a consultant, author, and former senior Internet mail systems
administrator for AOL, adds, "In almost all cases, the so-called 'simple'
answers are the ones that don't work. In fact, they're almost always the
ones that make the problem much worse than it already was. Since we've been
fighting spam for over a decade, pretty much all the good simple ideas have
already been thought of and implemented, and the spammers have already
worked around them."
Unfortunately, the result is that fighting spam is a complex endeavor. Says
Knowles, "You're probably going to have to use multiple solutions from
multiple sources. You're going to have to keep a constant eye on things to
make sure that, when they blow up, you find out as quickly as possible. And
you [need] multiple layers of business continuity plans in place to handle
the situation."
3. It's a Continuous Battle. Budget Accordingly.
Spammers succeed only when they get messages to user inboxes, so they are
motivated to counter any barrier between them and their intended recipient.
As a result, your IT department will never be done implementing solutions.
Points out David Linn, computer systems analyst III at Vanderbilt, "Spam
pushers update their tools as fast as the spam defenders work out a defense
to yesterday's attack type. This seems to be the thing that those who want
to buy an off-the-shelf solution and then forget about it least understand
and least want to understand. The very speed of innovation that makes
'Internet time' so attractive in other contexts is the enemy here."
Cole describes spam as mail that evolves and adapts and thus requires an
adaptive and evolutionary approach to defense. Spam cannot be handled as a
discrete project with a list of deliverables and a three-month project plan.
While you may initially have success by doing so, he says, "Expect to repeat
the exercise again next year, and the year after that, and on infinitely."
This is a major nuisance to managers, because they have to pay a staff of
high-skill people (either directly or indirectly) for ongoing open-ended
work. As Cole notes, "Like many other areas of security, it is a potential
bottomless pit for computing resources and the best technical staff and
hence for money, so drawing the lines on it is a managerial challenge."
Martin Schuster, in charge of IT at CenterPoint, argues the business case
for spam defense by extending spam fighting past technical and ethical
issues (such as, say, forcing everyone to use PNG instead of GIF, not use
special characters in file names, and so on). Schuster focuses on the
financial cost and motivations, from the cost of sending spam to the cost of
removing it (from infrastructure to manually deleting messages). He
comments, "Fighting spam costs money. If your mail server administrator
talks to you about fighting spam, and wants equipment and time to implement
it, listen to him. His haircut may seem weird, but he's talking about saving
money."
Adam Moskowitz, a Boston-area independent consultant and author of Budgeting
for Sysadmins, says, "If a sysadmin can't show that fighting spam is costing
the company money, then that sysadmin has no business talking to management
about the problem. If the sysadmin doesn't understand and can't demonstrate
how fighting spam affects the company's bottom line, upper management
certainly isn't going to be able to make the connection."
Does all this seem insurmountable, given your company's resources? If you
aren't willing or able to manage the e-mail and spam measures yourself,
outsource it. Plenty of hosted e-mail service providers can handle part or
all of a company's e-mail system. According to Limoncelli, "The spam system
has to be upgraded constantly. This can fill an entire full-time position.
If you don't have that kind of staffing, the best solution is to let someone
else handle it."
4. Understand the Basics of E-mail Technology.
Administrator Micheal Espinola Jr. says his primary wish is for "top
management to understand the mechanics of how e-mail works. Then, and I
believe only then, would they be able to grasp the concepts that elude most
users of e-mail." When management has the right information, Espinola
believes, it can make excellent decisions, but a lack of understanding can
severely hinder that ability. "If the admin is wasting time troubleshooting
or improvising because of subpar technology, it takes away from time spent
for the productivity issues of others."
This doesn't mean you have to become a guru on the subject; just learn
enough to understand what your e-mail administrator is telling you. Michael
Silver, network administrator at Parkland Regional Library, emphasizes, "A
great deal of difficulty arises when trying to address spam (and e-mail
problems in general) if the people involved don't have a good understanding
of how the mail system works, including a basic understanding of the
different protocols, services, etc. I don't expect [CIOs] to know the ins
and outs of configuring sendmail, but [they] should have a basic
understanding of terms like POP, SMTP, IMAP, MTA and MUA." Added an admin
named Eric, "If the CIO knows and understands the mechanisms of how e-mail
is received and sent, then explaining the need for additional servers,
bandwidth, storage, redundancy, etc., is accomplished much more easily. ...
Once you understand that, you get a very good insight in the shortcomings of
the SMTP protocol and how/why spam is becoming such a huge problem and cost
nightmare."
While most admins want you to understand e-mail basics to make it easier to
explain corporate challenges, sometimes it gets personal. Larry Ware,
Federal Signal Global Network Boffin, is frustrated by managers who don't
understand how the technology works. "They spent some money for some
software; why is spam still getting in? Even worse: Why did the system block
mail from my nephew? He is running a mail server on his cable modem; he
clearly knows how to set up a mail system, why can't you? Explaining why his
nephew's mail server is in dozens of public blocking lists for being a spam
cannon is a lot harder than you might think. How do you do it without
implying his nephew is an idiot?"
Another side effect of the lax understanding of e-mail technology is that
the entire system is misused, with spam only one tiny part. Stewart Dean, a
Unix system admin at Bard College, says, "The result is users who regard
e-mail as a sort of problematic tool that might as well be magic. Not
understanding it, they bang on it and misuse it in the most preposterous
ways." According to Dean, that's why your e-mail admin screams when users
attach a 200MB file to a mail message without knowing that it was 200MB or
even what 200MB means. Then those same users wonder why it doesn't go
through. Worse, they then repeatedly resend the message. Finally, Dean says,
"they get furious at IT that the goddamn magic isn't working."
5. People are Making Money on Spam. Respond Appropriately.
Most of e-mail administrators' time is spent dealing with technology issues
or trying to explain it to you in business terms. But for some, the issue is
a larger one: someone else's business model. They want you to understand
that spam is sent by an intelligent, adaptable and well-funded enemy. Some
admins believe that with corporate budgets and legal resources, it's even
possible to fight back.
Brent Jones, network technician at Smarsh Financial Technologies, wants IT
management to understand that someone is working very hard to destroy the
spam barriers administrators put in place. "There is a large financial
incentive [for spammers] to get their spam into your mailbox," he says.
"They will fight to get your eyes, and it costs them nothing to try
everything in the book."
Nor are spammers ordinary businessmen. Alessandro Vesely, a freelance
programmer and service provider in Milano, Italy, points out that "much spam
is the result of criminal actions, such as infecting IT systems and using
false identities. Technically, spam can be stopped if everybody else wants
to be responsible for what they send. What lacks is the political will to do
so."
Sam Varshavchik is an independent contract consultant who serves many of the
better-known financial firms on Wall Street. He believes strongly that "CIOs
should stop giving their business to Internet providers with a bad track
record of engaging in spam support services and instead encourage and
support, with their budgets, lesser-known but more socially responsible and
respected providers of data and Internet service." If CIOs instituted a
policy of disqualifying any vendor of Internet, data or communication
services that appears anywhere on Spamhaus's top 10 list
<www.spamhaus.org> from doing any business with the company,
Varshavchik feels, "the spam problem will pretty much disappear, mostly
overnight." Few CIOs who are considering vendors take the time to do so, he
says, and those few minutes can save an untold amount of grief.
Perhaps you'll take some of the e-mail admins' advice; perhaps not. But they
desperately wish that company management would support them in the endeavor
to clean up users' e-mail inboxes. Fritz Borgsted, a system engineer at
Unicorn Communications who also leads the development of ASSP (Anti-Spam
SMTP Proxy <assp.sourceforge.net/>, an open-source project), believes
that fighting spam reflects the quality of life in the digital age. Borgsted
says, "A mailbox without spam is like a private restroom; with spam, it
looks like a public one."
Source:
www.cio.com/technology/infrastructure/security/spam/five_things_about_fighting_spam.html?CID=28830