Choosing the Right Defenses
Jan E. Eighme
JULY 2006 - Spam—unsolicited
bulk e-mail—is a problem that affects businesses of
all sizes. The Federal Trade Commission estimates that in
2004 spam made up 83% of the e-mail traffic in the United
States. Left unchecked, spam can have a detrimental effect
on a company’s bottom line. Valuable time will be wasted
sorting legitimate e-mail from junk. Additional network infrastructure
may be needed to accommodate an ever-growing volume of spam.
Customer relations will suffer if legitimate e-mail is mistaken
for spam and discarded. Viruses transmitted via spam may damage
a company’s computers. Morale may be lowered if employees
are exposed to hateful, violent, or pornographic spam. A hostile-work-environment
lawsuit may be brought against a company if employees are
repeatedly exposed to offensive spam. The direct and indirect
costs of spam can be substantial. There are, however, a number
of spam-fighting techniques that businesses can use to reduce
the costs of spam.
Spam If You Can
avoid as much spam as possible, a company must strive to
keep its e-mail addresses off the mailing lists compiled
by spammers (distributors of spam). A study done by the
Center for Democracy and Technology found that spammers
compile their mailing lists primarily by using address-harvesting
programs to collect the e-mail addresses found on public
websites. The study also found that writing an e-mail address
in a slightly unconventional way can fool address-harvesting
programs. For example, writing out the @ symbol in an address—abc
at cpafirm.com—substantially reduces the probability
that the address will be harvested from a webpage.
ways of keeping e-mail addresses off spammer mailing lists
include minimizing the number of e-mail addresses posted
on the company’s website; avoiding the use of short,
easy-to-guess e-mail addresses; embedding e-mail addresses
in an image on the webpage; designing the webpage so that
e-mail addresses are hidden until a visitor clicks on a
link; and instructing employees, especially those who are
receiving large amounts of spam, to guard their addresses.
Employees should not use a business e-mail address for personal
use or post it on discussion groups or other places where
spammers are likely to harvest it. If an employee’s
company e-mail address ends up on a spammer’s mailing
list, the employee should not respond to spam; any reply,
even an opt-out request, will confirm to the spammer that
the address is valid. The result could be even more spam.
very small companies, a spam-avoidance strategy may be all
that is needed to keep spam under control. Most companies,
however, will need to combine a spam-avoidance strategy
with spam-filtering software or a service provider to achieve
Do Spam Filters Work?
single spam-filtering methodology is 100% effective; therefore,
good spam-filtering software and services typically use
a combination of methods. Four of the most commonly used
spam-filtering methods are:
understanding of how these methods work can decipher confusing
sales jargon and help users select the spam-filtering software
or service that is most appropriate.
analysis uses rules, sometimes numbering in the thousands,
to detect spam. For example, an e-mail message from a “spam-friendly”
country would violate a heuristic filter’s place-of-origin
rules and be assigned a point value as a result. Additional
rule violations, such as the use of the words “click
here,” excessive use of dollar signs, and all capital
letters in the subject line, would result in the assignment
of more points. If the message’s point total exceeds
a value set by the company as its spam threshold, the message
is classified as spam.
filter compares the words in a sample of a company’s
received spam to a sample of its legitimate e-mail. Each
word in the two samples is scored based on how frequently
it appears in the spam sample versus the legitimate e-mail
sample. For example, words that appear only in the spam
sample receive a high score, those that appear only in the
legitimate e-mail sample receive a low score. The compilation
of word scores is used to evaluate incoming e-mail. When
an e-mail message arrives, an overall score is calculated
based on the message’s word scores. If the score is
above the spam threshold that the company has set, the message
is classified as spam.
matching utilizes decoy e-mail accounts that are established
and monitored by the spam-filtering software or service
provider. These accounts serve no other purpose than to
collect unsolicited bulk e-mail, so the messages they receive
are, by definition, spam. As messages come into the decoy
accounts, they are “fingerprinted” (i.e., uniquely
identified), and the fingerprints are stored in a database.
The fingerprints of incoming e-mail messages are compared
to those in the database. If an incoming message’s
fingerprint matches one in the database, the message is
classified as spam.
analysis examines e-mail transmission characteristics to
determine whether an e-mail is spam. For example, if a sender
transmits a high volume of e-mail in a brief time period,
spam-filtering software or a service provider may conclude
that e-mail from the sender is spam. Other transmission
characteristics indicative of spam include sending e-mail
to an excessive number of invalid e-mail addresses and routing
e-mail in a way that attempts to conceal the sender’s
software, gateway software, and managed service providers
are the primary spam-filtering options (see the Exhibit).
A discussion of each option, including guidelines to help
choose between them, is presented below.
software. Small companies may find that desktop
spam-filtering software, which is installed on users’
PCs, is their best option for blocking spam. For under $50
per desktop, a company can install software that catches
approximately 90% of spam and experiences a false positive
(legitimate e-mail being mistaken for spam) less than 4%
of the time. Because spammers are constantly changing their
tactics, desktop software should be regularly updated to
maintain its effectiveness; many software providers offer
subscriptions for online updates.
software provides end-users with a great deal of control
over e-mail filtering. End-users can usually “whitelist”
e-mail addresses and domains from which messages should
never be blocked and “blacklist” addresses and
domains from which messages should always be blocked. In
addition, end-users can often tweak a filter’s rules
to match their preferences. For example, if a rule assigns
points to e-mail messages that originate in a spam-friendly
country, an end-user who has clients or colleagues in this
country can turn the rule off or reduce its point value.
software also gives end-users substantial control over the
handling of their spam. An end-user can decide whether spam
should be deleted, “quarantined” in a separate
folder, or tagged and delivered. The action can also be
contingent upon the e-mail’s relative spam score and
the company’s spam threshold.
organizations may find that desktop software lacks the centralized
control, scalability, accuracy, effectiveness, and reporting
capability they need. They may also find that desktop software’s
training and support requirements place too much of a burden
on IT personnel. In addition, because desktop software allows
malicious spam to reach end-user desktops before the filtering
takes place, larger companies may decide that this option
will not adequately protect the network from the problems
that malicious spam can cause.
who decide desktop software is the right choice should look
for a product that adds its controls to an e-mail program’s
toolbar, uses Bayesian filtering, and is frequently updated
online. Useful features include buttons that add e-mail
senders to a whitelist or blacklist, a quarantine that deletes
messages after a user-determined time period, and a control
that adjusts the software’s filtering aggressiveness.
Popular desktop-software vendors include MailFrontier, McAfee,
Sunbelt Software, and Symantec.
software. Larger organizations will probably
decide that desktop software cannot meet their spam-filtering
requirements. Gateway software intercepts spam at the e-mail
gateway, the point at which e-mail enters a firm’s
computer network from the Internet. There are two primary
gateway-software options: server software and appliance
software. Server software is installed on a company’s
e-mail server (a central computer that receives e-mail and
distributes it to end-users’ PCs). Appliance software
comes preinstalled in a self-contained hardware unit, known
as an appliance, that sits between a company’s e-mail
server and the Internet.
filtering at the e-mail gateway, administrators can manage
an organization’s spam-filtering policy rather than
have end-users create policy through their desktop software.
This is not to say that gateway software necessitates a
“one size fits all” filtering approach. Many
products offer management tools that allow a company to
customize its spam policy for different groups and individuals.
These tools can lessen the expense of administering gateway
software and create greater end-user satisfaction.
software running at the e-mail gateway allows for advanced
filtering techniques, such as signature matching. On average,
a gateway-software product will catch approximately 95%
of a firm’s spam and experience a false positive as
rarely as once per 10,000 messages. Beware that greater
accuracy may come at the expense of spam-blocking effectiveness.
Making it easier for legitimate e-mail to pass through a
spam filter can also make it easier for spam to slip through.
Many organizations, however, are willing to put up with
a modest amount of spam in exchange for a high probability
that legitimate e-mail will be delivered.
are drawbacks to gateway software. The cost of ongoing administration
can be substantial. It does nothing to reduce the volume
of incoming e-mail. And companies with scarce resources
may not be able to afford the upfront costs. Regardless
of its drawbacks, gateway software is the only practical
option for larger companies that desire an in-house solution.
should ask the following questions before purchasing gateway
software: Does the product provide statistics on the types
of spam received and who is receiving it? Can filtering
emphasis be adjusted so that offensive spam, such as pornography,
is filtered more aggressively than nonoffensive spam? How
easily can end-users find messages that have been accidentally
blocked? Popular vendors of gateway software include CipherTrust,
Proofpoint, SonicWall and Symantec Brightmail.
service providers. Managed service providers
(MSP) are for organizations that prefer to outsource the
chore of spam filtering rather than deal with it in-house.
They are an accurate, hands-off solution that appeals to
both larger and smaller entities, although very small companies
may find them to be too expensive.
intercept spam before it reaches a company’s computer
network by diverting the firm’s e-mail to a secure
data center where a number of techniques—common ones
being traffic-pattern analysis, heuristic analysis, and
signature matching—are used to weed out spam. Legitimate
e-mail is then passed along to the company’s mail
server, while spam is usually quarantined at the data center
they process millions of e-mail messages each day, MSPs
are very good at spotting emerging spam threats. In addition,
they are easy to set up, prevent malicious spam from entering
a company’s network, store e-mail messages in the
event a company’s e-mail server goes down, and are
able to handle the increased volume of e-mail that a growing
entity may experience. Furthermore, MSPs have virtually
no upfront costs, and ongoing administration expense is
organizations fear that using a MSP could compromise the
privacy of their clients and business partners. MSPs are
responding to privacy concerns by offering to sign nondisclosure
agreements. In addition, some MSPs are using pass-through
technology that allows them to forward legitimate e-mail
almost instantly. The result: Legitimate e-mail is not stored
on disks, and it spends very little time in a data center.
reliability of MSPs is also a concern for some. If an MSP
goes down, e-mail may be delayed or, worse yet, lost. Consumers
may decide to select an MSP that has received an unqualified
SysTrust, WebTrust, or SAS 70 Type II attestation report,
which warrants that an MSP has passed rigorous tests to
determine whether appropriate controls are in place and
operating effectively. These tests provide reasonable assurance
to current and potential subscribers that an MSP operates
in a stable and secure environment.
subscribers should look for an MSP that allows end-users
to determine some of their own spam settings, establish
a whitelist, and set up a personal quarantine area. Leading
MSPs include MessageLabs, Microsoft Exchange Hosted Filtering,
MX Logic, and Postini. A frequently updated buying guide
that contains prices and features of MSPs and gateway software
is located at
the Door on Spam
are similar in one respect to polluters: If no obstacle
is placed in their path, they bear only a small portion
of the overall cost of their actions. Spam-fighting techniques,
such as spam avoidance, desktop software, gateway software,
and managed service providers, make it harder for spammers
to deliver their messages. This obstacle increases the spammers’
costs. If, for example, spam-filtering software can reduce
the amount of spam that reaches an e-mail inbox by 90%,
a spammer must now incur the cost of sending 10 messages
to get a single message into an inbox. If filtering software
can reduce the amount of spam by 95%, the cost of sending
spam has increased by a factor of 20.
the use of spam-fighting techniques grows, as new techniques
are developed and old techniques are perfected, one can
hope that the cost of sending spam will increase until it
eventually becomes prohibitive for most spammers. Just as
good defense wins football games, good defense can win the
battle against spam.
here to see Sidebar.
E. Eighme, CPA, PhD, is an assistant professor who
teaches accounting information systems in the department of
accountancy of the Richard T. Farmer School of Business, Miami
University, Oxford, Ohio.