Blocking Spam & Spyware For Dummies
By Peter H. Gregory
John Wiley & Sons ISBN: 0-7645-7591-0
Chapter One Spam and Spyware: The Rampant Menace
In This Chapter
* Understanding how spam and spyware affect the organization
* Fighting back
* Taking stock of your business
* Justifying a spam solution
* Choosing the right solution
* Making the solution work
You just got on the spam and spyware rollercoaster. In this chapter, you will whiz through a lot of topics at a high level. So please remain seated and keep your arms and legs inside the car at all times. Strap in and hang on 'cause you'll be plunging down the hills, whipping through the turns, and rolling around the loops.
In later chapters, you get a chance to slow down and soak up the details of all these topics, but this chapter's bird's-eye view is a good place to start if you're just beginning the task of blocking spam, spyware, or both.
Knowing How Spam and Spyware Affect the Organization
Because you're reading this book, you probably have a suspicion that spam and spyware are - or may be - affecting your business. If you have e-mail, chances are that spam is making an impact in your organization. And while employees in your business are surfing the Net, their workstations are becoming rotten with spyware that's doing who-knows-what. Knowing how the impact is manifesting itself is important if you want to get the upper hand.
Increasing e-mail volume
This is an understatement to be sure. Many studies conclude that the volume of spam entering most businesses hovers in the 70 to 80 percent range. Your e-mail servers are working hard to process inbound and outbound mail, and the majority of that inbound mail is putrid filth. If you're sufficiently privileged to be able to walk up to your e-mail server, that giant sucking sound you hear is the inbound spam choking the life out of your server.
Spam is consuming network resources, CPU resources, disk and network buffers, disk space - everything. If your e-mail server is sluggish, imagine how much faster it would run if you could eliminate 70 percent of the incoming traffic. On the other hand, if your e-mail server is able to keep up with the torrent of filth, it's because you bought a system far larger than should have been necessary, in order to manage the relevant business e-mail and the spam.
Everybody is in the same situation: Either they've had to invest more capital dollars in e-mail servers to keep up with the growing tide of spam, or else their mail servers are suffering under the workload.
If you are so well organized that you have statistics on inbound e-mail volume over a period of years, I'm willing to bet that you can see that the volume is increasing at a rate that significantly outpaces any increase in the number of employees in your organization.
Almost all organizations have their share of employees who are drowning in spam. Three to five hundred spam messages per day for some employees is not uncommon these days. Those employees come from every level in the organization, from executives to call center employees, and everybody in between. So what is it like for these employees? I have spoken to more than just a few; here is what some of them have to say:
"It takes me longer to get through my e-mail because I have to weed out all the spam first."
"I can't stand the porn - even the subject lines are lewd and offensive!"
"My spam filter at home frequently throws away messages from friends. I can't afford to have a spam program at work toss out important messages from customers or suppliers."
These comments point to some of the key problems that result from employees dealing with spam, which include the following:
* Extra time spent sifting through all e-mail in order to identify and delete spam messages. This becomes increasingly difficult as spam messages look more and more like ordinary messages.
* E-mail quota problems due to spam filling up users' mailboxes. This is especially troublesome for those who travel, unless they are able to log in almost every day and delete all the spam from their inboxes.
* Loss of important business e-mail messages that were accidentally overlooked and deleted. Legitimate messages often get caught in the crossfire whether or not a spam-blocking solution is in place.
* Phishing scam messages that look like they originated within the company or from a legitimate outside source. Sometimes, these scams result in virus infections, security breaches, fraud, and other issues.
* Employees who are enticed to visit Web sites waste more time and increase the risk of security issues caused by the hostile code on those Web sites.
* Increased computer support costs. Employees who are plagued by spam and related maladies are certain to be calling the IT helpdesk more frequently than employees who receive little or no spam. You are fortunate if your helpdesk tracking data is granular enough to capture this information.
Unless you are in the upper echelon of IT organizations that measure and categorize every electron, the spam problem is more likely one that you feel in your gut. You know it's a problem, perhaps a big problem. If you're wondering how to quantify and justify a way out of your predicament, you'll find the answers in Chapter 4.
Exposing the business to malicious code
Through the year 2003, almost no spam carried malicious payloads such as viruses, worms, and Trojan horses. Spam was just spam. This changed in 2004 (how could you not have noticed?) with the apparent - uh, obvious - growing alliance between virus writers and spammers. Theirs is a symbiotic relationship: Spammers give virus writers the means to distribute their wares, and now spammers can do more than just send junk mail - they can control their victims' computers. I discuss this topic at length in Chapter 3.
Organizations with a sound antivirus infrastructure can take some consolation in the fact that their antivirus software will strip the malicious code from most inbound spam messages. Mail servers that are configured to strip executable attachments from incoming e-mail messages are contributing to the defense.
Worse yet, antivirus programs have been "looking the other way" when it comes to spyware. Spyware isn't stopped by most firewalls, mail servers, or antivirus programs, and often the flaws (in configuration, as well as vulnerabilities in design) let the spyware just waltz right in to end-user workstations to listen, snoop, and sometimes send data back to the hacker's home base. Spyware also raises support cost because much of it makes browsers unstable, and some spyware makes changes to Web browser configurations that users notice - like changing the default home and search pages.
But is it safe to assume that 100 percent of end-user workstations are adequately protected? You can fool yourself, but you can't fool me. Sobering lessons from the past should certainly convince IT professionals that a few viruses - and a lot of spyware - are getting through the defenses.
Face it: Spam is clogging the pipes and it has attitude, and spyware is just a little too nosey for most people to tolerate. An antivirus solution only handles one small aspect of the spam and spyware plague: It strips malicious code (most of the time), but does nothing about the growing volume of inbound e-mail, and it often lets spyware right through.
Creating legal liabilities
Aside from being among the unfortunate ones whose inboxes are hammered by spam every day, most legal departments have not yet addressed issues of corporate liability in connection with spam or spyware. That, however, is changing.
Subjecting employees to offensive language and images
An appreciable amount of spam is pornographic in nature, and this naturally means that employees who receive spam are going to get messages that contain content that is offensive to many people. And this is not just in the content of messages: Spammers are becoming more brazen and are including suggestive and offensive messages right in the subject lines. This is an irritant to many, but it's insulting and distressing to others.
Some spammers have been sending messages containing only graphic images as one method to dodge spam filters. For spammers in the business of distributing promotional messages for porn sites, this usually means that these images contain pornographic pictures. Depending on an organization's choice of e-mail clients, their default configuration, and how employees use them, employees who get flooded with spam may be subjected to pornography and other offensive images.
In many instances, porn spam is sending some employees "over the top," resulting in grievances and even threats of lawsuits. Organizations that are doing little or nothing to stop spam probably do not have much of a defense, I am sorry to say. Employees who are distraught because of the offensive nature of spam have a strong case for relief. They also have my sympathy - I don't like the stuff either.
Leaking corporate information via spyware
Spyware collects information as relatively harmless as a user's surfing habits, and as harmful as key logging (spyware that records your keystrokes and sends the record to someone else). A corporate user's workstation with a working key logger can create liability if it captures a user accessing sensitive information, and the key logger's owner subsequently compromises that data.
Downstream liability if spam originates from company computers
Figuratively and literally speaking, spam messages have no return address, so it is difficult to pin the blame on those who originate the messages. However, if a company's own e-mail server or one of its end-user workstations was being used as an e-mail relay (a system that spammers use to "originate" their hordes of messages), other individuals or companies being subjected to this spam could build a legitimate grievance against the company whose computer is being used to relay spam.
A spammer can use a company's e-mail server as a relay if that server is still running old e-mail server software that accepts mail from anyone for delivery to anyone (an open relay). In the old days, relaying e-mail through any available e-mail server was a common practice for moving legitimate mail, but today spammers are practically the only ones who use this antiquated function, because it covers their tracks.
An organization ought to know how to prevent its computers from becoming spam relays. Any organization that fails to fulfill its due diligence in this regard can be found negligent and be subject to civil lawsuits. Organizations that forward spam (or propagate other security threats) cannot completely escape culpability.
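The relay decision described in the three paragraphs above, modeled as an added example (not code from the book or from any particular mail server): an SMTP server decides, for each recipient, whether it will deliver or relay the message. The open-relay version accepts everything; the restricted version accepts only mail addressed to a local domain or mail from the company's own network or an authenticated user. The domain names, network ranges, and sample transactions are constructed for the example.

```python
"""Open relay versus a properly restricted relay (added example).

Models the acceptance decision an SMTP server makes for each RCPT TO
command. Function names, networks and domains are constructed for the
example; they are not taken from any real mail server's configuration.
"""
import ipaddress

LOCAL_DOMAINS = {"corp.example"}                      # domains this server delivers to
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # the company's own network


def open_relay_accepts(client_ip, authenticated, rcpt):
    """The antiquated behaviour: relay anyone's mail to anyone, no questions asked."""
    return True


def restricted_relay_accepts(client_ip, authenticated, rcpt):
    """Accept a recipient only if the mail is for us, or the sender is one of ours."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True                      # inbound mail for a local mailbox
    if authenticated:
        return True                      # authenticated user sending outbound mail
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETS)   # internal host sending outbound


# Constructed SMTP transactions: (client IP, authenticated?, recipient, description)
TRANSACTIONS = [
    ("203.0.113.7", False, "alice@corp.example", "outside -> local user"),
    ("10.1.2.3", False, "bob@partner.example", "internal host -> outside"),
    ("203.0.113.7", True, "bob@partner.example", "authenticated remote user -> outside"),
    ("203.0.113.7", False, "victim@elsewhere.example", "outside -> outside (third-party relay)"),
]


def relayed_by(policy):
    """Return the descriptions of the transactions the given policy would accept."""
    return [desc for ip, auth, rcpt, desc in TRANSACTIONS if policy(ip, auth, rcpt)]


def audit():
    """Compare both policies; the difference is exactly the abusable relay traffic."""
    open_ = relayed_by(open_relay_accepts)
    strict = relayed_by(restricted_relay_accepts)
    return {"open": open_, "restricted": strict,
            "abusable": sorted(set(open_) - set(strict))}


if __name__ == "__main__":
    for label, accepted in audit().items():
        print(f"{label}: {accepted}")
```

The only transaction the restricted policy refuses is the one where neither the sender nor the recipient belongs to the company; that single case is what turns a mail server into a spam relay, and it is the case an outside party could hold the company responsible for.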
No Silver Bullets: Looking for Ways to Fight Back
Malware (which includes spam and spyware, but also viruses, Trojan horses, and really anything that you don't want running on your computer and would prevent if you could) is a complex problem that comprises threats and issues on many levels, and no single remedy can eliminate it. Your best defense against spam and spyware is defense in depth, which is much like the multiple layers of defense of a medieval castle.
A castle may have a moat (a body of water surrounding the castle), with a hungry moat monster swimming around. The castle also has a drawbridge, heavy gates, high walls, and places where archers can shoot arrows at attackers and others can pour boiling liquids on would-be attackers who make it across the moat. This castle has many layers of defense. Should any one or more of these layers fail, other layers continue to provide protection.
Similarly, you can best stop (it would be more accurate to say "slow down") the harmful and annoying effects of spam by using a variety of remedies, which I introduce in the following sections. Chapter 13 is dedicated to this topic and offers even more details.
By themselves, some of the remedies I discuss will, to some degree, hinder the effectiveness or penetration rate of malware. Together, they represent a multilayered defense that provides a good level of resistance against spam and spyware.
Adding a spam blocker
A key component of your defense is a spam blocker, more often called a spam filter, which you purchase from an outside vendor. These solutions all use the same basic features to identify and weed out spam:
* Vendor-supplied filtering rules and signatures: Computer code and a list of known spam patterns (like fingerprints) that the spam-filtering software uses to identify messages as spam.
* Enterprise filtering policies: Centrally managed configurations that reflect the company's needs.
* User preferences: User-definable settings that tell the spam filters about spam that individuals find especially irritating, as well as options on how the product behaves on users' workstations.
* User blacklists and whitelists: Lists of known bad addresses (that go in the blacklist), and addresses from outsiders whose incoming messages should never be tagged as spam (whitelists).
* Quarantines: The holding places where spam messages are stored until individual users can look to see if any good messages were accidentally blocked by the spam filter.
Figure 1-1 shows how a typical anti-spam application works. Exactly how each application performs these functions varies considerably from vendor to vendor. The following steps explain what's going on in Figure 1-1 in more detail:
1. Inbound e-mail arrives at the anti-spam application.
2. The anti-spam application examines the message and compares its contents with enterprise filtering policies, vendor-supplied filtering rules, end-user preferences, blacklists, and whitelists.
3. The application uses the comparison to decide what to do with the message:
   * If the message is permitted to pass, the application forwards the message to the enterprise mail server, which will in turn route it to the recipient's mailbox.
   * If the message is not permitted to pass, the anti-spam application will check to see if the recipient has a quarantine. If the recipient does have a quarantine, the anti-spam application will put the message there. If the recipient does not have a quarantine, the anti-spam application will delete the message.
4. When the end-user logs in and runs her e-mail program, she will look at messages in her inbox.
   If there are any messages there that should be classified as spam, the spam application usually provides a way for the user to specify that fact so that similar messages will be rejected in the future.
   I discuss wrongly identified messages (false positives and false negatives) and how to handle them in Chapter 11.
5. If the end-user has a quarantine, she will also have to examine it from time to time to make sure that there are not any messages there that should not have been blocked.
   If there are any desired messages (false positives) in the quarantine, the user tells the anti-spam application that any messages from the sender should be accepted; that e-mail address will be placed in the user's whitelist. Usually the anti-spam application will also forward the message to the user's normal mailbox so that she may open, read, reply, and store it using her e-mail program.
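The components listed under "Adding a spam blocker" and the five steps above, put together as one small working model. This is an added example, not code from the book or from any vendor's product: the class and rule names are invented, the scoring rules are toy regular expressions standing in for vendor signatures, and the sample messages are constructed. It shows the part of the flow that prose alone does not make obvious: how a user's feedback (step 4 flagging spam, step 5 releasing a false positive) feeds back into the per-user lists and changes the outcome for the next message from the same sender.

```python
"""Model of an anti-spam gateway (added example; hypothetical names throughout)."""
from dataclasses import dataclass, field
import re


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class Policy:
    """Vendor rules and enterprise policy, plus per-user lists and preferences."""
    vendor_rules: list = field(default_factory=list)        # (name, compiled regex, weight)
    enterprise_blacklist: set = field(default_factory=set)  # sender domains blocked company-wide
    user_whitelist: dict = field(default_factory=dict)      # recipient -> {sender, ...}
    user_blacklist: dict = field(default_factory=dict)      # recipient -> {sender, ...}
    user_threshold: dict = field(default_factory=dict)      # recipient -> score that blocks
    default_threshold: float = 5.0


class AntiSpamGateway:
    def __init__(self, policy, recipients_with_quarantine):
        self.policy = policy
        self.has_quarantine = set(recipients_with_quarantine)
        self.mailbox = {}     # recipient -> messages forwarded to the mail server
        self.quarantine = {}  # recipient -> messages held for review
        self.deleted = []     # blocked messages for recipients with no quarantine

    def score(self, msg):
        """Step 2: compare the message against lists and rules; return (score, reasons)."""
        sender = msg.sender.lower()
        if sender in self.policy.user_whitelist.get(msg.recipient, set()):
            return 0.0, ["user whitelist"]
        if sender in self.policy.user_blacklist.get(msg.recipient, set()):
            return float("inf"), ["user blacklist"]
        if sender.rsplit("@", 1)[-1] in self.policy.enterprise_blacklist:
            return float("inf"), ["enterprise blacklist"]
        text = msg.subject + "\n" + msg.body
        hits = [(name, w) for name, pat, w in self.policy.vendor_rules if pat.search(text)]
        return sum(w for _, w in hits), [name for name, _ in hits]

    def process(self, msg):
        """Steps 1-3: classify and route; returns 'delivered', 'quarantined' or 'deleted'."""
        total, _ = self.score(msg)
        threshold = self.policy.user_threshold.get(msg.recipient, self.policy.default_threshold)
        if total < threshold:
            self.mailbox.setdefault(msg.recipient, []).append(msg)
            return "delivered"
        if msg.recipient in self.has_quarantine:
            self.quarantine.setdefault(msg.recipient, []).append(msg)
            return "quarantined"
        self.deleted.append(msg)
        return "deleted"

    def report_spam(self, recipient, msg):
        """Step 4: the user flags a delivered message; that sender is blocked for her."""
        self.mailbox[recipient].remove(msg)
        self.policy.user_blacklist.setdefault(recipient, set()).add(msg.sender.lower())

    def release(self, recipient, msg):
        """Step 5: the user rescues a false positive; sender whitelisted, message delivered."""
        self.quarantine[recipient].remove(msg)
        self.policy.user_whitelist.setdefault(recipient, set()).add(msg.sender.lower())
        self.mailbox.setdefault(recipient, []).append(msg)


def build_demo_gateway():
    rules = [  # toy stand-ins for vendor signatures
        ("pharma", re.compile(r"\b(viagra|cialis)\b", re.I), 4.0),
        ("money", re.compile(r"\$\d[\d,]*"), 2.0),
        ("urgency", re.compile(r"\b(act now|limited time)\b", re.I), 2.0),
    ]
    policy = Policy(vendor_rules=rules, enterprise_blacklist={"spam.example"},
                    user_threshold={"alice@corp.example": 3.0})  # Alice prefers aggressive filtering
    return AntiSpamGateway(policy, recipients_with_quarantine={"alice@corp.example"})


def run_demo():
    gw = build_demo_gateway()
    alice, carol = "alice@corp.example", "carol@corp.example"
    # Constructed sample messages.
    spam = Message("promo@deals.example", alice, "Cheap VIAGRA, act now!", "Save $500 today")
    invoice = Message("bob@partner.example", alice, "Invoice $1,200 - limited time discount",
                      "Please confirm by Friday.")
    listed = Message("x@spam.example", carol, "hi", "hi")
    newsletter = Message("newsletter@deals.example", alice, "This week's deals", "Save $5 on shipping")
    first_pass = [gw.process(m) for m in (spam, invoice, listed, newsletter)]
    gw.release(alice, invoice)          # step 5: Bob's invoice was a false positive
    gw.report_spam(alice, newsletter)   # step 4: the newsletter slipped through
    second_pass = [  # the learned lists now override the content score
        gw.process(Message("bob@partner.example", alice, "Cheap VIAGRA, act now!", "Save $500")),
        gw.process(Message("newsletter@deals.example", alice, "Hello", "No offers at all")),
    ]
    return {"first_pass": first_pass, "second_pass": second_pass,
            "inbox_senders": sorted(m.sender for m in gw.mailbox[alice]),
            "quarantined_for_alice": len(gw.quarantine[alice]), "deleted": len(gw.deleted)}


if __name__ == "__main__":
    print(run_demo())
```

On the first pass Bob's legitimate invoice is quarantined because Alice's aggressive threshold makes two weak rule hits enough to block it, while Carol's message from a blacklisted domain is simply deleted because she has no quarantine, exactly the branch step 3 describes. After Alice's feedback, a message from Bob that would score far above her threshold is delivered on the strength of the whitelist alone, and an innocuous message from the newsletter sender is held because of the blacklist. That is why the text stresses checking the quarantine: without step 5 the invoice would never have been seen.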
Excerpted from Blocking Spam & Spyware For Dummies by Peter H. Gregory. Excerpted by permission.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.