IT Security
Stand up to spammers

IT Security

Some analysts estimate that spam now accounts for 75 percent of all emails. The sad truth seems to be that as firms strengthen their defences, the spammers respond by sending yet more rubbish.

As spam, viruses and denial-ofservice attacks combine to produce the mother of all headaches, unsolicited mail can no longer be ignored as an amusing, trivial matter that does nothing worse than take up a bit of bandwidth.

Spam threatens network uptime, and as spammers become increasingly sophisticated and devious, the threat will continue to grow. It is not helped by the fact that users’ indifference means unsolicited mail is being allowed to grow unchecked.

The seriousness of the problem is shown by the speed and determination with which Microsoft launched its lawsuits against some of the more prolific spammers. At least Microsoft realises – even if many corporates do not – that if spam continues to grow at present rates, it is only a matter of time before it silts up the entire internet.

Despite Microsoft’s efforts, however, the big problem is that spammers are virtually impossible to trace. They launch their attacks using spoofed addresses before moving on to another victim.

Legislation has been painfully inadequate. The US Can-Spam Act conspired with the European Privacy and Electronic Communications Directive to cause an increase in spam rather than a decrease. It doesn’t matter whether Europeans elect to opt in or opt out of email marketing because spammers are operating outside the law.

And anyway, spammers are not bound by national borders. If one country’s laws on unsolicited mail get too restrictive, they will launch their attacks from a country where there are no rules.

The proposal to create a .mail suffix must be a step in the right direction, but as with most initiatives to defeat spammers – who are a ridiculously intelligent bunch – it’s only a matter of time before they dream up ingenious ways of getting around it. They have already slithered their way around many filters by their clever use of good and bad text to disguise messages.

Faced with these dynamics it is painfully clear that the burden of responsibility for protecting the corporate network from spam is always going to fall on firms themselves. But anyone who believes that the problem will go away with a strategically placed content filter has their head in the sand. As with most things, technology is only part of the solution.

Companies need to draw up comprehensive security policies, deploy tools to enforce the rules, and educate users about best practice. Advising staff not to click on unsubscribe buttons, which only encourages spammers, has become a commonplace rule. But more guidance is needed on internet use.

With a raft of legislation on corporate risk waiting in the sidelines, firms that rely heavily on their core IT infrastructure might even consider introducing a separate, secure network for staff wanting to access the internet.

Many firms see content filters as an unattractive option, because they fear they will block legitimate content dispersed in mass mailouts. A good way to tackle this problem is to send users the blocked mail and tailor the system based on the resulting feedback. It’s time to give spam the attention it so richly deserves.