<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment &#187; Paul Cunningham</title>
	<atom:link href="http://www.allspammedup.com/author/paul-cunningham/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 15:00:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>5 Top Spam Myths that Still Haven’t Changed</title>
		<link>http://www.allspammedup.com/2010/07/5-top-spam-myths-that-still-haven%e2%80%99t-changed/</link>
		<comments>http://www.allspammedup.com/2010/07/5-top-spam-myths-that-still-haven%e2%80%99t-changed/#comments</comments>
		<pubDate>Thu, 29 Jul 2010 12:30:12 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2823</guid>
		<description><![CDATA[I’ve been dealing with spam for a long time now, and even though we see changes every year in the major threats and new techniques that spammers come up with, one of the things that never seems to change are &#8230;<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2010/07/5-top-spam-myths-that-still-haven%e2%80%99t-changed/">5 Top Spam Myths that Still Haven’t Changed</a></p>
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2824" src="http://www.allspammedup.com/wp-content/uploads/2010/07/hand.jpg" alt="" width="200" height="130" />I’ve been dealing with spam for a long time now, and even though we see changes every year in the major threats and new techniques that spammers come up with, one thing that never seems to change is the set of myths about spam that people still cling to.</p>
<p>Here are a few of my favourites.</p>
<h2>Spam Isn’t a Problem Anymore</h2>
<p>Every now and then a journalist will write a column declaring that spam is no longer a problem for the internet.  Their argument is usually based on their own individual experience, and usually includes a description of a complex series of forwarding addresses through multiple services and add-ons before a message actually arrives in their inbox.</p>
<p>Then they add a caveat like “And for the handful that do slip through…”</p>
<p>Unfortunately for businesses a complex solution that can’t scale is no option at all, especially one that still lets the spam through despite all that effort.</p>
<h2>I Don’t Give Out My Email Address</h2>
<p>This myth usually lasts as long as it takes for the first spam email to arrive at that email address, which is quickly followed by shock and outrage (and wild accusations that their ISP “sold” the address to a spammer).<span id="more-2823"></span></p>
<p>The only type of email address that will never receive spam is the one that doesn’t exist at all.  No matter how diligently you work to keep your email address private there are multitudes of ways in which it can still end up getting spammed, such as malware on your computer, someone else disclosing it inadvertently, or various attacks where spammers discover the address through dictionary guesses, brute force, or directory harvesting.</p>
<h2>The 100% Effective Anti-Spam Technique</h2>
<p>If I had a dollar for every time I heard “Nobody would get any spam if we all just…” I’d be retired on the beach by now.  The anti-spam silver bullet doesn’t exist.  Grey listing, fake MX records, and challenge-response systems are often touted as the ultimate solution to spam, but each has flaws either in practicality, scalability, or long term effectiveness (if we all start using the same “perfect” trick, spammers will just find another way).</p>
<h2>Anti-Spam Shouldn’t Cost Money</h2>
<p>I can only assume this springs up from some kind of resentment over paying for solutions to a problem you didn’t cause, but then again isn’t that the case with most problems?</p>
<p>At any rate, some of my peers in IT opt for a home brew anti-spam solution that bolts together various free components into one overall solution.  Unfortunately for the masses this approach isn’t always possible, because any anti-spam solution is a trade-off between performance, effectiveness, administrative effort, and cost.  Particularly in medium to large environments, if you take away the costs you are most certainly either sacrificing performance or effectiveness, or increasing the amount of administrative effort involved.</p>
<p>There is a reason the anti-spam industry is as commercially successful as it is – people will pay for a solution that reduces spam in a cost effective way.</p>
<h2>We’ll Never Stop Spam Completely</h2>
<p>Despite my rebuttal of the myths above I do honestly believe that one day we’ll stop spam completely.  I understand that this will take a massive shift in the way that businesses think about email as a marketing channel, a genuine focus by online services to stop abuse, and an unprecedented level of cooperation between global legislative and law enforcement bodies, but I think that one day the cost and risk of being a spammer will be so great that it will die off as a threat to our businesses and way of life.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/07/5-top-spam-myths-that-still-haven%e2%80%99t-changed/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Should You Use More than One Blacklist to Prevent Spam?</title>
		<link>http://www.allspammedup.com/2010/07/should-you-use-more-than-one-blacklist-to-prevent-spam/</link>
		<comments>http://www.allspammedup.com/2010/07/should-you-use-more-than-one-blacklist-to-prevent-spam/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 15:38:01 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[RBL]]></category>
		<category><![CDATA[SpamHAUS]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2818</guid>
		<description><![CDATA[Blacklists (or block lists) are a spam prevention technique that uses lists of IP addresses or domain names that are associated with spamming to determine whether to block or allow a particular email transmission. Although the technique falls under one &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2819" style="margin: 10px; border: 0px;" src="http://www.allspammedup.com/wp-content/uploads/2010/07/guard.jpg" alt="" width="200" height="266" />Blacklists (or block lists) are a spam prevention technique that uses lists of IP addresses or domain names that are associated with spamming to determine whether to block or allow a particular email transmission.</p>
<p>Although the technique falls under one general description, there are many different implementations of block lists that can be used to make different determinations about whether an email is spam or not.</p>
<p>Some of the different techniques include:</p>
<ul>
<li><strong>URI lists</strong> – these are lists of domain names and IP addresses that have been used as hyperlinks in emails that lead a victim to a malicious website, for example a bank phishing scam</li>
<li><strong>Open Relay lists</strong> – these are lists of mail server IP addresses that have been discovered as open relays and can be (or have been) used by spammers to send emails</li>
<li><strong>IP lists</strong> – these are lists of IP addresses, aside from open relays, that have directly been a source of spam, or are highly likely to be a source of spam (e.g. an ISP’s customer IP blocks)</li>
</ul>
<p>The mechanism for each is basically the same – the mail server inspects the SMTP connection, or email message, that it is receiving.  It then queries one of these block list providers with the URIs or IP addresses, and if it registers a hit it then takes the configured action (usually to drop the email).</p>
<p>With so many different block list providers and different techniques the obvious question is whether more than one provider should be configured on the email server that is responsible for blocking spam in your organization.  Naturally this depends on the specific organization and which services are being used.<span id="more-2818"></span></p>
<p>The biggest benefit to using more than one block list provider is that there are more chances to detect spam thanks to a greater diversity of lists being queried.  If you’ve ever had to troubleshoot a deliverability issue by investigating whether a mail server IP is on a block list you would have discovered that of the dozens of lists available not all of them will give the same result for a given query.</p>
<p>Using multiple block list providers also protects you from the scenario in which the provider is unavailable, which could lead to spam entering your organization when it can’t be checked.</p>
<p>However the biggest drawback is that every additional list provider that you configure means additional resources are consumed for every email that is checked, both in terms of server processing and network bandwidth.</p>
<p>This trade-off between effectiveness and performance is one that should be seriously considered, as well as monitored on an ongoing basis.</p>
<p>An alternative solution is to use a provider that aggregates multiple techniques into a single service.  This is common for most commercial anti-spam solutions, which will be pre-configured with a vendor-supplied block list service that offers the best trade-off between performance, effectiveness, and also reliability.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/07/should-you-use-more-than-one-blacklist-to-prevent-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Keep Spam Out of Exchange Server</title>
		<link>http://www.allspammedup.com/2010/07/keep-spam-out-of-exchange-server/</link>
		<comments>http://www.allspammedup.com/2010/07/keep-spam-out-of-exchange-server/#comments</comments>
		<pubDate>Wed, 14 Jul 2010 14:34:08 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Exchange 2007 Spam Filter]]></category>
		<category><![CDATA[Exchange 2010 Spam Filter]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2794</guid>
		<description><![CDATA[I had an interesting discussion with some Exchange administrators a few days ago.  Their solution to spam was to simply configure the Exchange anti-spam settings to send everything over a certain SCL score to the user’s Junk Email folder of &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2795" src="http://www.allspammedup.com/wp-content/uploads/2010/07/junk.jpg" alt="" width="200" height="299" />I had an interesting discussion with some Exchange administrators a few days ago.  Their solution to spam was to simply configure the Exchange anti-spam settings to send everything over a certain SCL score to the user’s Junk Email folder of their mailbox, and let the user sort it out from there.</p>
<p>That’s an interesting approach, definitely the least administrative effort in the sense that they never have to hunt down why an email was blocked, or retrieve it from quarantine for an end user.</p>
<p>But like many “quick fix” solutions it adds other problems to the mix, because the Junk Email folder is part of the user’s mailbox stored on the Exchange server.</p>
<p>First let’s think about what we know about the volume of spam on the internet today.  Most reports put it at 90-95% of total email traffic.  My own customers’ stats back that up, so let’s just assume for now that 90% is a good estimate.</p>
<p>I also often find when planning Exchange deployments that incoming external email accounts for about 20% of total email traffic.</p>
<p>So in an organization with 100Gb of mailbox databases, 20Gb of that could be email that was received from outside of the organization.  If that 20Gb only represented 10% of total incoming mail (i.e. 90% is spam), then the organization could receive as much as 200Gb of email instead of 20Gb by allowing all of the spam to reach the Exchange server.</p>
<p>So at this point of the demonstration, we’ve got an Exchange server now hosting twice as much email data as it otherwise would because it is being allowed to receive and store all of the spam emails as well.<span id="more-2794"></span></p>
<p>Not only does it need to store it on disks, it also needs to back it up every night to disk or to tape, adding to the cost of those storage mediums as well.</p>
<p>Most customers I talk to are at least a little bit sensitive about how much storage capacity the Exchange servers consume.  Very few of them have limitless storage to throw at email, and most of them apply storage quotas to mailboxes to manage growth.</p>
<p>That brings us to the next problem – all that spam is going to cause end users to exceed their storage quota much faster.  Either you have to annoy the end users with more frequent cleanup requirements, or you will have to increase the quotas (and therefore accept all that additional storage burden).</p>
<p>Outlook itself has no automatic clean up options for Junk Email, unlike say the Deleted Items folder.  The end user will either get frustrated with having to check all of that Junk Email for genuine items before deleting them, or will just select them all and delete in one go (which defeats the purpose of giving them the spam to sort through in the first place).</p>
<p>You could solve those issues with archiving, but really all you do is shift the storage problem over to your archiving system.</p>
<p>I don’t see this solution as a very good one.  I definitely would not advise anyone to take this approach to managing spam for Exchange Server environments.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/07/keep-spam-out-of-exchange-server/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Antivirus Protection for Exchange Server 2010</title>
		<link>http://www.allspammedup.com/2010/07/antivirus-protection-for-exchange-server-2010/</link>
		<comments>http://www.allspammedup.com/2010/07/antivirus-protection-for-exchange-server-2010/#comments</comments>
		<pubDate>Fri, 09 Jul 2010 13:04:09 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[Exchange 2010]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2775</guid>
		<description><![CDATA[With all of the attention paid to spam prevention sometimes we forget that viruses and malware remain a strong threat to our business networks. Although in many cases spam and viruses go hand in hand, there are still some viruses &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2777" style="margin: 10px; border: 0px;" src="http://www.allspammedup.com/wp-content/uploads/2010/07/infection.jpg" alt="" width="200" height="150" />With all of the attention paid to spam prevention sometimes we forget that viruses and malware remain a strong threat to our business networks.</p>
<p>Although in many cases spam and viruses go hand in hand, there are still some viruses that have no spam-like characteristics and therefore must be defended against by genuine antivirus measures.  I recently worked with a customer who was surprised that their server-level antivirus was finding viruses in emails that had already passed through an external hosted filtering service.</p>
<p>Aside from email-borne viruses there are also non-email vectors for viruses and malware to attack an Exchange server.  Once the malware is on a server or computer on the network it can be used to attack other devices or even send out spam itself.</p>
<p>So with all of that in mind here are some strategies for protecting your Exchange environment from virus infection.</p>
<h2>Hosted or Gateway Filtering</h2>
<p>The best place to stop an email-borne virus is before it reaches your Exchange servers.  To do this requires either an externally hosted service that all of your email is routed through, or a server that sits in front of the Exchange servers (for example in the DMZ or as an edge/gateway device) to check all mail as it arrives.</p>
<p>A benefit of filtering email before it arrives on the Exchange server is that the resource-intensive virus scanning can occur on a dedicated device without impacting the performance of Exchange.<span id="more-2775"></span></p>
<p>There is also a much larger range of products and services available for this type of protection, as compared to the number of products that can be installed on an Exchange server in an integrated manner.</p>
<h2>Transport Layer Filtering</h2>
<p>When an email enters the Exchange Organization it is first received by either an Edge Transport or Hub Transport server.  The Edge Transport role is a dedicated role, while the Hub Transport role can co-exist with Mailbox Servers.  But the modular nature of Exchange server roles means that for the sake of this part of the discussion you can just consider them separate.</p>
<p>An email has to traverse at least one Transport server before it reaches mailboxes.  In larger organizations it will traverse several.  Transport servers typically have lower general workloads than other server roles, and so this makes the Transport layer another ideal place to perform antivirus scanning of email.</p>
<h2>Database Layer Filtering</h2>
<p>Once an email has arrived in a mailbox it is subject to database level filtering.  This level of filtering tends to be the most costly in terms of server resources, because the Mailbox server typically has a higher workload on it than other server roles.</p>
<p>However an advantage of scanning for viruses at the database level is that scheduled scans can be run over the database to check for any viruses that may have passed through other protection layers before the antivirus signatures were updated to detect them.</p>
<h2>Server Filtering</h2>
<p>Although some administrators will disagree I tend to prefer installing antivirus agents on the Exchange server to protect from virus threats.</p>
<p>Because the server is subject to the security of other devices on the network there is always the risk that another infected machine could try to exploit an operating system vulnerability on the Exchange server and spread the infection.</p>
<p>Whenever you are installing antivirus software on Exchange servers you simply need to be aware of the <a target="_blank" href="http://technet.microsoft.com/en-us/library/bb332342.aspx">exclusions that are recommended by Microsoft</a> to prevent any performance issues with Exchange itself.</p>
<h2>Client Filtering</h2>
<p>The last piece of the overall solution is client-level filtering.  Similar to server filtering this involves the installation of antivirus agents on the client computers in the network.  However it can also include additional add-ons and plugins that integrate with the email client to prevent viruses from infecting the computer or being spread via the email application.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/07/antivirus-protection-for-exchange-server-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Preventing Internal Email Abuse with Exchange Server 2010</title>
		<link>http://www.allspammedup.com/2010/06/preventing-internal-email-abuse-with-exchange-server-2010/</link>
		<comments>http://www.allspammedup.com/2010/06/preventing-internal-email-abuse-with-exchange-server-2010/#comments</comments>
		<pubDate>Wed, 30 Jun 2010 13:03:20 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Exchange 2010]]></category>
		<category><![CDATA[Transport Rules]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2738</guid>
		<description><![CDATA[There is a lot of attention paid to preventing spam and other malicious email content from entering our networks.  But there is a lesser amount of attention given to preventing internal abuse of email systems. The risk of internal email &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2740" src="http://www.allspammedup.com/wp-content/uploads/2010/06/keyboard.jpg" alt="" width="250" height="150" />There is a lot of attention paid to preventing spam and other malicious email content from entering our networks.  But there is a lesser amount of attention given to preventing internal abuse of email systems.</p>
<p>The risk of internal email abuse may seem low but for some organizations the risk is actually quite significant.</p>
<p>For example, schools have a duty of care to protect their students from harassment and bullying from other students, not just from people outside the network.  Similarly, some global organizations find that cultural differences between staff in different parts of the world open up the possibility of someone taking offense to what is written in an email.</p>
<p>Very few products exist to prevent these problems, and those that do are not always easy to implement in a complex network.  Placing a filtering system in between every possible sender and recipient on the network would be complex and costly.  And routing all email through one centralized filtering system would introduce delays and the risk of a single point of failure.</p>
<p>Even Exchange Server’s own anti-spam filtering can’t help.  If you recall from my previous post on <a href="http://www.allspammedup.com/2010/06/understanding-the-spam-confidence-level-in-exchange-server/">how the Exchange anti-spam SCL works</a>, any email between mailboxes in the same organization is given an SCL of -1, meaning “trusted”.  So no SCL-based filtering decisions can be made.</p>
<p>However Exchange Server 2010 does make it possible to filter certain email content using Transport Rules.  The benefit of this feature is that it is organization-wide, meaning you configure it centrally, but the configuration takes effect on all Hub Transport servers in the organization, meaning it operates in an efficient, distributed manner.<span id="more-2738"></span></p>
<p>Using a Transport Rule for this type of content filtering involves setting up the following rule configuration:</p>
<ul>
<li>Conditions that identify messages sent from Internal senders to Internal Recipients</li>
<li>Conditions that identify certain words or phrases in the email subject, body, or attachments</li>
<li>An action to take on email matching the above criteria</li>
<li>Any exceptions to that rule</li>
</ul>
<p><img class="aligncenter size-full wp-image-2739" src="http://www.allspammedup.com/wp-content/uploads/2010/06/transportrule.png" alt="" width="450" height="153" /></p>
<p>Implementing a rule like this involves the creation of a list of words or phrases that are considered to be inappropriate for email communications within the organization.  It might take some imagination to come up with a thorough list that includes a variety of misspellings as well.  If there is a history of such problems in the business then those cases could be mined for specific words and phrases as well.</p>
<p>When this list has been created it can be incorporated into the Transport Rule as specific words and phrases, but the most effective method would be to use regular expressions to define the blocked content.</p>
<p>I recommend before implementing any rule such as this that you first test it in a separate test environment, or when first adding it to the production network do not set a blocking action on the rule for the first few weeks.  Instead let the rule blind copy any email that matches the list of words and phrases to another mailbox where the emails can be checked to determine the rule’s accuracy and effectiveness.</p>
<p>In summary, when the risk of internal email abuse is recognised it is possible to address the problem with Exchange Server 2010 Transport Rules.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/06/preventing-internal-email-abuse-with-exchange-server-2010/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Understanding the Spam Confidence Level in Exchange Server</title>
		<link>http://www.allspammedup.com/2010/06/understanding-the-spam-confidence-level-in-exchange-server/</link>
		<comments>http://www.allspammedup.com/2010/06/understanding-the-spam-confidence-level-in-exchange-server/#comments</comments>
		<pubDate>Wed, 23 Jun 2010 13:57:04 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[Exchange 2007]]></category>
		<category><![CDATA[Exchange 2007 Spam Filter]]></category>
		<category><![CDATA[Exchange 2010]]></category>
		<category><![CDATA[Exchange 2010 Spam Filter]]></category>
		<category><![CDATA[SCL]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2711</guid>
		<description><![CDATA[If you have looked at Exchange Server’s anti-spam features or taken a peek at the headers of an email sent through an Exchange server you have probably encountered the term SCL before. SCL stands for Spam Confidence Level.  It is &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2713" style="border: 0pt none; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2010/06/score.jpg" alt="" width="250" height="188" />If you have looked at Exchange Server’s anti-spam features or taken a peek at the headers of an email sent through an Exchange server you have probably encountered the term SCL before.</p>
<p>SCL stands for Spam Confidence Level.  It is the “score” that Exchange Server anti-spam assigns to an email based on the email’s contents.  This score is then used to make decisions as to how to handle suspected spam based on the thresholds that the Exchange administrator configures.</p>
<p>The SCL score is calculated and assigned by the Content Filter Agent, which examines all of the content within an email message to look for patterns that indicate spam.  Once the SCL score has been calculated it is added to the message header.</p>
<p>In this snippet of an example message header you can see the SCL score of 7 has been applied.</p>
<pre>X-MS-Exchange-Organization-SCL: 7</pre>
<h2>How the SCL is Used by Exchange Server</h2>
<p>The SCL score can then trigger certain actions to take place.  The Exchange server can take the following actions based on the SCL:</p>
<ul>
<li><strong>Delete</strong> – the message is deleted with no notification to the sender or recipient.</li>
<li><strong>Reject</strong> – the message is rejected with a notification to the sender but not the recipient.</li>
<li><strong>Quarantine</strong> – the message is quarantined in a specified mailbox with no notification to the sender or recipient.  Typically only email administrators can access the quarantine mailbox.</li>
<li><strong>Junk</strong> – the message is delivered to the recipient’s Junk Email folder.</li>
</ul>
<p>SCL scores range from 0-9 with 0 meaning not likely to be spam, and 9 meaning very likely to be spam.  There is also a -1 score for trusted email messages.  A -1 SCL would apply to email messages sent between recipients of the same Exchange organization, or messages from external senders that have been whitelisted in some way.</p>
<p>The SCL threshold is then configured for each of the actions.  However it is important to understand that the actions are assessed in a certain order.<span id="more-2711"></span></p>
<ol>
<li>Delete is the first action to be assessed.  If the SCL is equal to or higher than the Delete threshold then the message is deleted.  If not, or if there is no Delete threshold configured, then it is passed to the next assessment &#8211;  reject.</li>
<li>Reject is the second action to be assessed.  If the SCL is equal to or higher than the Reject threshold then the message is rejected.  If not, or if there is no Reject threshold configured, then it is passed to the next assessment &#8211; quarantine.</li>
<li>Quarantine is the third action to be assessed.  If the SCL is equal to or higher than the Quarantine threshold then the message is quarantined.  If not, or there is no Quarantine threshold configured, then it is passed from the Hub Transport server to the Mailbox server.</li>
<li>The Mailbox server then applies the Junk Email threshold if one is configured for the organization or for the recipient of the email.  If the SCL exceeds the Junk Email threshold it is delivered to the Junk Email folder of the mailbox and the recipient is able to access it via Outlook.</li>
</ol>
<h2>Getting the SCL Thresholds Right</h2>
<p>When you understand the processing order for the different actions that can be taken based on SCL you can see how important it is to get your configuration correct.  There is no point having a Junk Email threshold of 7 if the emails are going to be deleted for an SCL of 6.</p>
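<p>The processing order above can be modelled offline to check a planned set of thresholds before applying it. This is an added example, not code from the original post or from Exchange: the function names <code>Resolve-SclAction</code> and <code>Get-UnreachableSclAction</code> are hypothetical, and the threshold tables are constructed sample data.</p>

```powershell
# Added example. The threshold tables are constructed sample data whose keys mirror
# the property names shown by Get-ContentFilterConfig and Get-OrganizationConfig.
# Nothing here calls Exchange, so it runs in any PowerShell session.

function Resolve-SclAction {
    param(
        [Parameter(Mandatory=$true)][ValidateRange(-1, 9)][int]$Scl,
        [Parameter(Mandatory=$true)][hashtable]$Config
    )
    # Hub Transport server: Delete, Reject and Quarantine are assessed in that order.
    # An action fires when it is enabled and the SCL is equal to or higher than
    # its threshold; otherwise the message falls through to the next assessment.
    foreach ($action in 'Delete', 'Reject', 'Quarantine') {
        $threshold = $Config["SCL${action}Threshold"]
        if ($Config["SCL${action}Enabled"] -and $null -ne $threshold -and $Scl -ge $threshold) {
            return $action
        }
    }
    # Mailbox server: Junk applies only when the SCL exceeds the junk threshold.
    $junk = $Config['SCLJunkThreshold']
    if ($null -ne $junk -and $Scl -gt $junk) { return 'Junk' }
    return 'Inbox'
}

function Get-UnreachableSclAction {
    param([Parameter(Mandatory=$true)][hashtable]$Config)
    # Record which outcome each possible SCL value (0 to 9) produces.
    $reached = @{}
    foreach ($scl in 0..9) {
        $reached[(Resolve-SclAction -Scl $scl -Config $Config)] = $true
    }
    # Actions that are configured but that no SCL value can ever select.
    $configured = @('Delete', 'Reject', 'Quarantine' |
        Where-Object { $Config[('SCL' + $_ + 'Enabled')] })
    if ($null -ne $Config['SCLJunkThreshold']) { $configured += 'Junk' }
    $configured | Where-Object { -not $reached.ContainsKey($_) }
}

# Constructed: the mismatch described above (Delete at 6, Junk threshold of 7).
$mismatch = @{
    SCLDeleteEnabled       = $true
    SCLDeleteThreshold     = 6
    SCLRejectEnabled       = $false
    SCLRejectThreshold     = 7
    SCLQuarantineEnabled   = $false
    SCLQuarantineThreshold = 9
    SCLJunkThreshold       = 7
}

# Constructed: a layout in which every configured action can trigger.
$layered = @{
    SCLDeleteEnabled       = $true
    SCLDeleteThreshold     = 9
    SCLRejectEnabled       = $true
    SCLRejectThreshold     = 7
    SCLQuarantineEnabled   = $false
    SCLQuarantineThreshold = 9
    SCLJunkThreshold       = 4
}

$cases = @(
    @{ Label = 'mismatch'; Config = $mismatch },
    @{ Label = 'layered';  Config = $layered }
)
foreach ($case in $cases) {
    # Map every SCL value, including the trusted -1, to its outcome.
    $map  = -1..9 | ForEach-Object {
        '{0}={1}' -f $_, (Resolve-SclAction -Scl $_ -Config $case.Config)
    }
    $dead = @(Get-UnreachableSclAction -Config $case.Config)
    $deadText = if ($dead.Count) { $dead -join ', ' } else { 'none' }
    '{0}: {1}' -f $case.Label, ($map -join ' ')
    '{0}: never triggered: {1}' -f $case.Label, $deadText
}
```

<p>For the mismatched table the Junk action is reported as never triggered, because every SCL above 7 has already been deleted on the Hub Transport server.</p>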
<p>Delete and Reject thresholds should be configured to delete the most likely spam.  Quarantine is optional and I personally find it quite cumbersome to manage, so I prefer not to enable it at all and instead use the Junk Email threshold to put management of less likely spam within reach of the end user.</p>
<p>It is also important to understand that the Content Filter Agent only deals with spam that has already made it past earlier, more deterministic tests such as Connection Filtering, which blocks SMTP connections from known spam sources.</p>
<p>The Connection Filter Agent will often remove as much as 95% of spam so the Content Filter Agent becomes a fine tuning process to remove as much of the remaining 5% of spam from inboxes without causing an unacceptable number of false positives.</p>
<h2>Other Uses of the SCL</h2>
<p>The SCL can also be used as criteria for Transport Rules on the Exchange server.  One way to make use of this is to create a Transport Rule that blind copies all email that meets or exceeds a certain SCL to another mailbox.  The contents of that mailbox can then be used to assess how many false positives the current configuration might be generating and make some fine tuning adjustments.</p>
<p>Another alternative would be to configure a Transport Rule that appends a disclaimer to all emails that are going to trigger the Junk Email threshold.  The disclaimer text can explain the process that end users can go through to whitelist a trusted sender so that future emails are not treated as spam, without them having to contact the IT help desk for support.</p>
<p>In summary, having a detailed understanding of the SCL and how it is used in Exchange Server anti-spam will allow an email administrator to get good performance from their anti-spam deployment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/06/understanding-the-spam-confidence-level-in-exchange-server/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Avoiding IP Reputation Problems with Redundant Mail Paths</title>
		<link>http://www.allspammedup.com/2010/06/avoiding-ip-reputation-problems-with-redundant-mail-paths/</link>
		<comments>http://www.allspammedup.com/2010/06/avoiding-ip-reputation-problems-with-redundant-mail-paths/#comments</comments>
		<pubDate>Wed, 16 Jun 2010 14:02:18 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Exchange 2007]]></category>
		<category><![CDATA[Exchange 2010]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2683</guid>
		<description><![CDATA[Some organizations wish to deploy complete end to end redundancy for their Exchange environment, including the outgoing routes to the internet. To achieve this most organizations will simply provision a backup internet connection for their network.  This connection can either &#8230;
]]></description>
			<content:encoded><![CDATA[<p>Some organizations wish to deploy complete end to end redundancy for their Exchange environment, including the outgoing routes to the internet.</p>
<p>To achieve this most organizations will simply provision a backup internet connection for their network.  This connection can either be activated during an outage of their primary link, or be configured as a secondary route that will be automatically used if the primary route is down.</p>
<p>Although this seems like a simple win it can cause problems with email delivery because of <a target="_blank" href="http://blog.wordtothewise.com/2010/04/i-want-to-avoid-network-outages/">IP reputation issues</a>.</p>
<blockquote>
<p style="padding-left: 30px;">You need to be sending email fairly consistently from an IP address in order to maintain a decent reputation for that mail source. If you treat a second location as a cold standby, only used when your main ISP breaks, expect to see serious delivery problems as you migrate across to it.</p>
</blockquote>
<p>In other words unless you are continually sending email out both of your email routes you might create new problems for yourself when you start using the backup connection.  So what is the <a target="_blank" href="http://blog.wordtothewise.com/2010/04/i-want-to-avoid-network-outages/">solution</a>?</p>
<blockquote>
<p style="padding-left: 30px;">Better to spread load across both locations, to keep both sets of addresses “warm”</p>
</blockquote>
<h2>Load Balancing Outgoing Email with Exchange Server</h2>
<p>A common misconception is that outbound email can be load-balanced for Exchange simply by provisioning two equal cost Send Connectors, either using DNS to route directly or routing via a smart host for each Send Connector.<span id="more-2683"></span></p>
<p>However this is <a target="_blank" href="http://msexchangeteam.com/archive/2007/01/04/432069.aspx">not true</a>.</p>
<blockquote>
<p style="padding-left: 30px;">If multiple equal cost connectors are available to route email, E2007 Routing picks one of the connectors deterministically&#8230; Mail will not be load balanced among multiple equal cost connectors.</p>
</blockquote>
<p>When the cost of the Send Connectors and the proximity to their source servers are the same, Exchange will simply choose the one with the alphanumerically lower connector name, and will not load balance the outgoing email across both connections.</p>
<p><img class="aligncenter size-full wp-image-2684" src="http://www.allspammedup.com/wp-content/uploads/2010/06/bad.png" alt="" width="400" height="336" /></p>
<p>The correct solution is to deploy a single Send Connector with multiple smart hosts.</p>
<p><img class="aligncenter size-full wp-image-2685" src="http://www.allspammedup.com/wp-content/uploads/2010/06/good.png" alt="" width="400" height="337" /></p>
<p>If the smart hosts are on your own network then they are configured to route to the internet via their respective ISP connection.</p>
<p>Or if the smart hosts are actually hosted by the ISP then the Send Connector simply specifies the IP addresses or DNS names of the smart hosts, and the Exchange source servers would need static routes configured to be able to reach each smart host over the correct ISP connection.</p>
<p>When multiple smart hosts are configured on a single Send Connector the <a target="_blank" href="http://msexchangeteam.com/archive/2007/01/04/432069.aspx">outgoing email will be correctly load balanced</a>.</p>
<blockquote>
<p style="padding-left: 30px;">If a smart hosted SMTP Send Connector has multiple smart hosts defined, load balancing and fault tolerance are accomplished using these smart hosts.</p>
</blockquote>
<p>In summary, to achieve outgoing email load balancing with Exchange Server 2007 and 2010 without creating delivery problems due to IP reputation:</p>
<ul>
<li><strong>Do not</strong> configure multiple equal cost Send Connectors</li>
<li><strong>Do</strong> configure a single Send Connector with multiple smart hosts</li>
</ul>
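<p>A check for the equal cost Send Connector layout described above, as an added example that is not from the original post or from Microsoft. The function names are hypothetical, the connectors are constructed sample objects, and the property shape (<code>Name</code>, <code>Enabled</code>, <code>SmartHosts</code>, <code>AddressSpaces</code> with <code>Address</code> and <code>Cost</code>) is an assumption modelled on <code>Get-SendConnector</code> output; proximity to the source servers is not considered.</p>

```powershell
# Added example. The connectors below are constructed sample objects, so this runs
# without Exchange. The property names are an assumption about Get-SendConnector
# output; the check ignores source server proximity.

function Find-EqualCostSendConnector {
    param([Parameter(Mandatory=$true)][object[]]$Connector)
    # One row per enabled connector and address space, keyed by "address;cost".
    $rows = foreach ($c in $Connector) {
        if (-not $c.Enabled) { continue }
        foreach ($space in $c.AddressSpaces) {
            New-Object PSObject -Property @{
                Key  = ('{0};{1}' -f $space.Address, $space.Cost)
                Name = $c.Name
            }
        }
    }
    if (-not $rows) { return }
    # Any key owned by more than one connector is the layout that does not load
    # balance: routing settles on a single connector for that address space.
    $rows | Group-Object -Property Key | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $group = $_
        # Sort-Object approximates "alphanumerically lower connector name".
        $names = @($group.Group | ForEach-Object { $_.Name } | Sort-Object)
        New-Object PSObject -Property @{
            AddressSpace = $group.Name
            Connectors   = ($names -join ', ')
            AlwaysUsed   = $names[0]
        }
    }
}

function New-SampleConnector($Name, $SmartHosts, $Cost) {
    # Builds a constructed stand-in for a Send Connector object.
    New-Object PSObject -Property @{
        Name          = $Name
        Enabled       = $true
        SmartHosts    = $SmartHosts
        AddressSpaces = @(New-Object PSObject -Property @{ Address = '*'; Cost = $Cost })
    }
}

# Constructed: two equal cost connectors, one per ISP.
$twoConnectors = @(
    (New-SampleConnector 'Internet via ISP-A' @('smtp.isp-a.example') 1),
    (New-SampleConnector 'Internet via ISP-B' @('smtp.isp-b.example') 1)
)

# Constructed: one connector listing both smart hosts.
$oneConnector = @(
    (New-SampleConnector 'Internet' @('smtp.isp-a.example', 'smtp.isp-b.example') 1)
)

'Two equal cost connectors:'
Find-EqualCostSendConnector -Connector $twoConnectors |
    Format-List AddressSpace, Connectors, AlwaysUsed

'Single connector, multiple smart hosts:'
$findings = @(Find-EqualCostSendConnector -Connector $oneConnector)
'{0} conflicting address spaces' -f $findings.Count
```

<p>The first layout reports that all mail for <code>*</code> leaves through "Internet via ISP-A", which leaves the second route cold; the second layout reports no conflicts.</p>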
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/06/avoiding-ip-reputation-problems-with-redundant-mail-paths/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Configuring Exchange Server 2010 Anti-Spam Settings for Individual Mailboxes</title>
		<link>http://www.allspammedup.com/2010/06/configuring-exchange-server-2010-anti-spam-settings-for-individual-mailboxes/</link>
		<comments>http://www.allspammedup.com/2010/06/configuring-exchange-server-2010-anti-spam-settings-for-individual-mailboxes/#comments</comments>
		<pubDate>Wed, 09 Jun 2010 06:33:46 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[Exchange 2010]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2642</guid>
		<description><![CDATA[When the Exchange Server 2010 anti-spam features are enabled and configured they take effect for all mailboxes within the organization.  But sometimes it is necessary to customize the settings for specific mailbox users. Organization-Wide Anti-Spam Settings At the organization level &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2644" src="http://www.allspammedup.com/wp-content/uploads/2010/06/exception.jpg" alt="" width="250" height="140" />When the Exchange Server 2010 anti-spam features are enabled and configured they take effect for all mailboxes within the organization.  But sometimes it is necessary to customize the settings for specific mailbox users.</p>
<h2>Organization-Wide Anti-Spam Settings</h2>
<p>At the organization level there are several anti-spam settings that can be applied.</p>
<p><strong>SCLJunkThreshold</strong> – This is the Spam Confidence Level (SCL) score that will cause an email to be delivered to the Junk Email folder of a mailbox instead of the Inbox.  SCL is scored from 0-9 with 9 being the most likely to be spam.  By default the SCLJunkThreshold is set to 4.</p>
<pre>[PS] C:\&gt;Get-OrganizationConfig | fl SCLJunkThreshold

SCLJunkThreshold : 4</pre>
<p>There are also a series of SCL thresholds configured on the Content Filter Agent.</p>
<pre>[PS] C:\&gt;Get-ContentFilterConfig | fl *SCL*

SCLRejectThreshold     : 7
SCLRejectEnabled       : True
SCLDeleteThreshold     : 9
SCLDeleteEnabled       : False
SCLQuarantineThreshold : 9
SCLQuarantineEnabled   : False</pre>
<p>With the default settings shown above a spam message that scores an SCL higher than 7 will be rejected by the Transport server.  A spam message that scores an SCL higher than 4 but not more than 7 will be sent to the mailbox Junk Email folder.</p>
<h2>Mailbox-Level Anti-Spam Settings</h2>
<p>These anti-spam settings can also be configured on a per-mailbox basis.</p>
<pre>[PS] C:\&gt;get-mailbox Alan.Reid | fl *spam*,*SCL*

AntispamBypassEnabled  : False
SCLDeleteThreshold     :
SCLDeleteEnabled       :
SCLRejectThreshold     :
SCLRejectEnabled       :
SCLQuarantineThreshold :
SCLQuarantineEnabled   :
SCLJunkThreshold       :
SCLJunkEnabled         :</pre>
<p>When configured at the mailbox level the settings take precedence over the organization-wide settings.<span id="more-2642"></span></p>
<p>For example, if the organization has the SCLDeleteThreshold disabled it can be enabled for a specific user.</p>
<pre>[PS] C:\&gt;set-mailbox Alan.Reid -SCLDeleteEnabled $true -SCLDeleteThreshold 9

[PS] C:\&gt;get-mailbox Alan.Reid | fl *spam*,*SCL*

AntispamBypassEnabled  : False
SCLDeleteThreshold     : 9
SCLDeleteEnabled       : True
SCLRejectThreshold     :
SCLRejectEnabled       :
SCLQuarantineThreshold :
SCLQuarantineEnabled   :
SCLJunkThreshold       :
SCLJunkEnabled         :</pre>
<p>Note that when enabling a delete, reject, or quarantine for a mailbox you must also specify a threshold between 0-9 at the same time if one has not previously been configured for that mailbox.</p>
<p>Another example would be a user who is requesting a different junk threshold than the rest of the organization if too many spam emails are still reaching their inbox.</p>
<pre>[PS] C:\&gt;set-mailbox Alan.Reid -SCLJunkEnabled $true -SCLJunkThreshold 3

[PS] C:\&gt;get-mailbox Alan.Reid | fl *spam*,*SCL*

AntispamBypassEnabled  : False
SCLDeleteThreshold     : 9
SCLDeleteEnabled       : True
SCLRejectThreshold     :
SCLRejectEnabled       :
SCLQuarantineThreshold :
SCLQuarantineEnabled   :
SCLJunkThreshold       : 3
SCLJunkEnabled         : True</pre>
<p>There is also the option to bypass anti-spam filtering for a mailbox completely.  This would be useful for scenarios such as sales or customer service mailboxes where you do not want to risk legitimate email being blocked.</p>
<pre>[PS] C:\&gt;set-mailbox Alan.Reid -AntispamBypassEnabled $true

[PS] C:\&gt;get-mailbox Alan.Reid | fl *spam*,*SCL*

AntispamBypassEnabled  : True</pre>
<p>When a mailbox has the anti-spam bypass enabled this isn’t reflected in the organization-wide configuration.</p>
<pre>[PS] C:\&gt;Get-ContentFilterConfig | fl BypassedRecipients

BypassedRecipients : {}</pre>
<p>However you can still locate all such recipients when needed using this shell command.</p>
<pre>[PS] C:\&gt;Get-Mailbox | where {$_.AntispamBypassEnabled -eq $true}

Name                      Alias                ServerName
----                      -----                ----------
Alan.Reid                 Alan.Reid            ex1</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/06/configuring-exchange-server-2010-anti-spam-settings-for-individual-mailboxes/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How to Block Dangerous File Attachments with Exchange Server 2010</title>
		<link>http://www.allspammedup.com/2010/06/how-to-block-file-attachments-exchange-server-2010/</link>
		<comments>http://www.allspammedup.com/2010/06/how-to-block-file-attachments-exchange-server-2010/#comments</comments>
		<pubDate>Fri, 04 Jun 2010 12:24:16 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Email Attachments]]></category>
		<category><![CDATA[Exchange 2010]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2622</guid>
		<description><![CDATA[Ever since the first email viruses appeared the risk of file attachments in emails has been an important one for businesses to take seriously. To make it possible to manage this risk Exchange Server 2010 includes the feature to block &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2623" src="http://www.allspammedup.com/wp-content/uploads/2010/06/paperclip.jpg" alt="" width="200" height="300" />Ever since the first email viruses appeared the risk of file attachments in emails has been an important one for businesses to take seriously. To make it possible to manage this risk Exchange Server 2010 includes the feature to block file attachments in emails at the server level.</p>
<p>The attachment filter is available in the Edge Transport server role for Exchange Server 2010. The Edge Transport server is designed to be an internet-facing email gateway, usually located in the DMZ of a corporate network. It allows an organization to block spam and viruses, as well as make filtering decisions based on content and other message attributes.</p>
<p>The attachment filter agent is installed and enabled by default on Edge Transport servers.</p>
<pre>[PS] C:\&gt;Get-TransportAgent

Identity                                           Enabled         Priority
--------                                           -------         --------
Connection Filtering Agent                         True            1
Address Rewriting Inbound Agent                    True            2
Edge Rule Agent                                    True            3
Content Filter Agent                               True            4
Sender Id Agent                                    True            5
Sender Filter Agent                                True            6
Recipient Filter Agent                             True            7
Protocol Analysis Agent                            True            8
Attachment Filtering Agent                         True            9
Address Rewriting Outbound Agent                   True            10</pre>
<p>You’ll notice it is one of the lowest priority filtering agents on the server. This is because other agents such as the Connection Filtering agent can detect and block spam using more efficient decision making criteria such as the IP address of the sending server.<span id="more-2622"></span></p>
<p>There are three ways to filter file attachments:</p>
<ul>
<li>By filename (eg trojan.exe)</li>
<li>By file extension (eg *.vbs)</li>
<li>By file MIME content type (eg application/hta)</li>
</ul>
<p>When an attachment meets the set criteria there are then three actions that can be taken:</p>
<ul>
<li>Block the entire message including the attachment. A notification is sent to the sender with the reason for the message being blocked.</li>
<li>Remove the attachment and allow the message to continue through. The attachment is replaced by a text file explaining that the action has occurred.</li>
<li>Delete the message and attachment with no notification to sender or recipient</li>
</ul>
<p>There are two additional configuration options for filtering actions:</p>
<ul>
<li>When an entire message is blocked the rejection email can be customized</li>
<li>Any filtering rule can be configured with an exception for specific Connectors on the Edge Transport server (eg a secure Connector to a trusted partner)</li>
</ul>
<h2>Examples of Attachment Filter Configuration</h2>
<p>The attachment filter comes pre-configured with a reasonably sized list of file extensions and a handful of MIME types. The default configuration is to strip those file types.</p>
<pre>[PS] C:\&gt;Get-AttachmentFilterListConfig
Name                : Transport Settings
RejectResponse      : Message rejected due to unacceptable attachments
AdminMessage        : This attachment was removed.
Action              : Strip</pre>
<p>You can add additional filter entries as required. For example, to add a MIME type for PDF you would run this command.</p>
<pre>Add-AttachmentFilterEntry -Name application/pdf -Type ContentType</pre>
<p>Next you can configure the filtering rule to reject the entire message instead of just stripping the attachment.</p>
<pre>Set-AttachmentFilterListConfig -Action Reject -RejectResponse "The email you sent contained an attachment type that is not permitted. Your message has not been delivered. Please remove the attachment before resending your message."</pre>
<h2>Downsides of Exchange 2010 Attachment Filtering</h2>
<p>Although it provides effective filtering of file attachments a downside of this implementation is that it is an all or nothing approach. There is only one attachment filtering rule configurable on the server, and the only deviation from that rule is to exempt certain Connectors from it.</p>
<p>There is an argument that granularity is not necessary for this feature, and that an organization can set a single “banned attachments” policy without needing to be specific about which messages are only stripped and which ones are outright blocked. However many organizations prefer the flexibility of multiple rules.</p>
<p>Another downside is the limited capability to scan files contained within compression formats, with only .zip and .lzh formats supported by the built-in attachment filter. There is also no option to deal with encrypted files, for example password protected Zip files.</p>
<p>Overall the feature is reasonably effective, a little cumbersome to configure and manage, with a few frustrating downsides mentioned above.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/06/how-to-block-file-attachments-exchange-server-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why You Should Not Use a Catch All Email Address</title>
		<link>http://www.allspammedup.com/2010/05/why-you-should-not-use-a-catch-all-email-address/</link>
		<comments>http://www.allspammedup.com/2010/05/why-you-should-not-use-a-catch-all-email-address/#comments</comments>
		<pubDate>Wed, 26 May 2010 14:49:18 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[Catch all]]></category>
		<category><![CDATA[Recipient filtering]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2584</guid>
		<description><![CDATA[A “catch all” email address is a mailbox that is configured to receive any emails that are sent to addresses that do not match a real, valid recipient. Catch all addresses are popular in a few different scenarios and for &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2585" src="http://www.allspammedup.com/wp-content/uploads/2010/05/net.jpg" alt="" width="250" height="185" />A “catch all” email address is a mailbox that is configured to receive any emails that are sent to addresses that do not match a real, valid recipient.</p>
<p>Catch all addresses are popular in a few different scenarios and for a few different reasons.</p>
<h2>Common Uses of Catch All Email Addresses</h2>
<p>Small businesses often use a catch all email address rather than configure separate sales@, service@, news@ and other common email addresses.</p>
<p>Similarly, many businesses use a catch all as a means to avoid missing potential sales opportunities if someone was to email a non-existent address.</p>
<p>Catch alls are also sometimes used to prevent email sent to misspelled email addresses from being rejected.</p>
<h2>Why You Should Not Use Catch All Email Addresses</h2>
<p>Catch all email addresses also have some downsides.  A catch all mailbox is going to receive a lot of multi-purpose email such as sales enquiries and support requests, and so it may become difficult to sort and prioritise new emails.</p>
<p>The catch all mailbox will also naturally receive email that may be private correspondence to an individual within the organization, but that had a misspelled email address.  Instead of privacy or confidentiality being maintained by rejecting the misspelled email address so that the sender is made aware of their error, it is instead delivered to the catch all mailbox which may cause an information leak.<span id="more-2584"></span></p>
<p>One of the biggest problems that the use of catch all email addresses poses is that of preventing spam.  One of the techniques for reducing spam is to block emails that are sent to non-existent email addresses in the organization.  As soon as you implement a catch all address you can no longer do this recipient filtering, because the two methods are at odds with one another.</p>
<p>The result is often a catch all mailbox that receives a lot of spam, again making it more difficult to sort and prioritise the email in that mailbox.</p>
<p>But in addition to that, all of the emails that are no longer blocked by recipient filtering now need to be accepted in full and processed by the email server with full content filtering (a more resource intensive operation than recipient filtering).</p>
<p>This extra load on the servers can become a very serious performance problem.  When a spammer is targeting your domain and blasting emails to thousands of randomly generated email addresses, not being able to block all of those non-existent recipients because of the use of a catch all address could cripple the server’s performance as it accepts and scans each individual message in full.</p>
<p>Instead of using catch all email addresses a business is much better off having a simple, managed communication plan for their externally facing email address such as sales@.  By keeping these to a minimum number of well-known addresses, they can each be properly configured within the email system without requiring a catch all.</p>
<p>Similarly, rather than try to use a catch all mailbox to solve the problem of misspelled email addresses, configure the most common misspellings of a person’s name as an alias address instead, and allow the remainder to be rejected by the email server so that the sender is aware of the mistake and can correct it.</p>
<p>It is tempting to use catch all email addresses to prevent missing emails but the problems that they cause are greater than those they solve.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/05/why-you-should-not-use-a-catch-all-email-address/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Will Businesses Need Spam Insurance One Day?</title>
		<link>http://www.allspammedup.com/2010/05/will-businesses-need-spam-insurance-one-day/</link>
		<comments>http://www.allspammedup.com/2010/05/will-businesses-need-spam-insurance-one-day/#comments</comments>
		<pubDate>Wed, 19 May 2010 12:50:02 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[spam insurance]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2556</guid>
		<description><![CDATA[Could your business become financially liable for spam that comes from your network?  It might sound far-fetched, but it could one day become reality. The Email Security Matters blog notes a German court has ruled that home users could be &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2558" src="http://www.allspammedup.com/wp-content/uploads/2010/05/cuffs.jpg" alt="" width="250" height="136" />Could your business become financially liable for spam that comes from your network?  It might sound far-fetched, but it could one day become reality.</p>
<p>The <a target="_blank" href="http://www.emailsecuritymatters.com/site/blog/category/here-come-the-spam-police/">Email Security Matters blog</a> notes a German court has ruled that home users could be fined for malicious or illegal acts that take place on their unsecured wireless network.  The focus at the moment seems to be on illegal downloads, but other issues such as spam could just as easily be thrown into the spotlight.</p>
<h2>Fined for Being a Victim?</h2>
<p>The implications for business are serious enough to take some notice.  Even the lawmakers who do make an effort to combat spam face the massive difficulty of enforcing their local laws across numerous international jurisdictions.</p>
<p>Faced with those challenges law enforcement may turn their attention to homes and businesses that are, by ignorance or laziness, allowing their computers and networks to be used as spam conduits.</p>
<p>I do sometimes wonder if spam would be taken more seriously if a server owner could be fined for their server being overtaken by spammers, or an ISP fined and shut down (not by upstream providers, but by legal or regulatory intervention) for sending spam.</p>
<p>Criminal liability is one thing, but precedents for civil liability could also be set.  Imagine a world where one company sues another for the malware or spam outbreak that originated from their networks and cost time and resources to combat.</p>
<h2>Who is Really Liable for Spam?</h2>
<p>But in reality where does the liability begin, and where does it end, if not with the spammer themselves?  Is the home computer user responsible for their computer becoming part of a botnet?  Or is the browser developer who allowed the cross-site scripting attack, the operating system maker for permitting the machine to be taken over, the antivirus vendor for not stopping the malicious code from executing, or the ISP for not detecting and blocking the resulting spam?<span id="more-2556"></span></p>
<h2>Spam Insurance?</h2>
<p>Imagine if businesses were eligible for partial rebates on certified anti-spam products, with the funding for the scheme coming from the fines being handed out by the government to the originators of the spam.</p>
<p>To qualify for the rebate a business can self-certify by providing proof of the purchase and ongoing maintenance of a recognised security product.  Similar to the varying levels of trust available in commercial SSL certificates, certified products may even come at a higher price to justify the additional testing and approval process with regulatory bodies.  The price might also include a form of “spam insurance” that covers a capped liability against criminal and civil actions.</p>
<p>Sounds far-fetched?  It might just be a necessary step to stop spam.  With multi-jurisdictional challenges, new online communications platforms, evolving threats, and annual statistics that suggest that the spam war is at best an ongoing stalemate, perhaps it&#8217;s time to kick things into the next gear and incentivize households and businesses to take more action to prevent their computers from contributing to the problem.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/05/will-businesses-need-spam-insurance-one-day/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Should You Use More Than One Anti-Spam Product?</title>
		<link>http://www.allspammedup.com/2010/05/should-you-use-more-than-one-anti-spam-product/</link>
		<comments>http://www.allspammedup.com/2010/05/should-you-use-more-than-one-anti-spam-product/#comments</comments>
		<pubDate>Fri, 14 May 2010 14:12:21 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2539</guid>
		<description><![CDATA[A popular security term is “defence in depth”.  It sounds really clever and evokes images of multiple layers of protection from a threat. An example of defence in depth would be a perimeter network firewall, a secondary firewall, third tier &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2542" style="border: 0pt none; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2010/05/fences.jpg" alt="" width="250" height="187" />A popular security term is “defence in depth”.  It sounds really clever and evokes images of multiple layers of protection from a threat.</p>
<p>An example of defence in depth would be a perimeter network firewall, a secondary firewall, third tier firewalls at branch offices, and maybe even client firewalls.  If one firewall fails, or is circumvented somehow, another one potentially saves the day.</p>
<p>It is a good concept but it naturally adds complexity to any environment.  And when applied to email spam and virus protection the complexity sometimes undermines the effectiveness and efficiency of the system.</p>
<h2>Why Defence In Depth for Email Threats?</h2>
<p>Quite a few years ago IT departments had a problem.  Email viruses would sometimes get through their servers and infect the network.  It happened when your server did not receive a new signature database from the vendor in time to stop the infection.</p>
<p>There were two underlying weaknesses with the older generation of email security products.  Firstly, they usually updated only once per 24 hours.  Secondly, they utilised a single engine for scanning emails for threats.</p>
<p>Under those conditions it made sense to deploy more than one product in a multi-tiered fashion, so that more than one detection engine could inspect the content.  If an outbreak did occur, you hoped that one of your vendors would get an update out fast enough to stop it.<span id="more-2539"></span></p>
<h2>Too Much Complexity for Today’s Business</h2>
<p>The defence in depth strategy for email security is less attractive these days.  Server consolidation is in vogue both for cost reduction and because of “green IT” initiatives.  But more importantly, the best email security products now ship with multiple detection engines included in them.</p>
<p>So instead of multiple products on multiple servers, you can deploy several detection engines within a single product on a single server.  The number of engines you can run is limited only by your choice of email security product, and by the power of your server.  But with computing power relatively cheap these days, running two or three detection engines on a single host is easily within the reach of most businesses.</p>
<p>Most products are in themselves a defence in depth solution anyway.  A single product can perform RBL lookups, sender verification, recipient filtering, reputation checks, URL filtering, and content filtering all within the one package, with no need to deploy multiple products to gain all of those security features.</p>
<p>For those companies still holding on to a defence in depth strategy the final argument is that of complexity.  The more servers you have in your email transit path the more points at which a failure can occur.  And the more security products you have in the mix the harder it is to apply a consistent security policy across the network, and the more places you need to look for missing or quarantined emails.</p>
<p>There is no &#8216;set and forget&#8217; anti-spam solution, but you still want it to be as low maintenance as possible.  So adding complexity for no gain is not a strategy to stick with any longer.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/05/should-you-use-more-than-one-anti-spam-product/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anti-Spam is Not One Size Fits All</title>
		<link>http://www.allspammedup.com/2010/05/anti-spam-is-not-one-size-fits-all/</link>
		<comments>http://www.allspammedup.com/2010/05/anti-spam-is-not-one-size-fits-all/#comments</comments>
		<pubDate>Fri, 07 May 2010 14:22:16 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Content Filtering]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2519</guid>
		<description><![CDATA[Anti-spam technology encompasses a lot of different practices, techniques, and systems for detecting and blocking spam emails.  Customers sometimes look for a turnkey, push button, set and forget anti-spam solution that will “just work”. The reality is that not all &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2520" src="http://www.allspammedup.com/wp-content/uploads/2010/05/glove.jpg" alt="" width="250" height="171" />Anti-spam technology encompasses a lot of different practices, techniques, and systems for detecting and blocking spam emails.  Customers sometimes look for a turnkey, push button, set and forget anti-spam solution that will “just work”.</p>
<p>The reality is that not all anti-spam techniques are suitable for all occasions, and often require specific configuration or tuning to suit a given environment.  Here are some examples:</p>
<h2>Recipient Filtering</h2>
<p>This technique makes the assumption that email that is sent to a non-existent address is likely to be a spammer trying a dictionary attack, and should therefore be rejected.</p>
<p>However that assumption does not take into account some valid scenarios, such as:</p>
<ul>
<li>Email servers that are accepting email for other organizations and relaying it to them. In these cases the recipient does not exist in the first organization, but does exist in the second organization.  The first organization therefore must accept emails even for recipients that are invalid in its own organization.  This is quite common for two organizations going through a merger process.</li>
<li>Companies that want to make use of a “catch all” mailbox to receive misspelled or incorrectly addressed email that might be critical to their business, such as sales and customer service enquiries.</li>
</ul>
<h2>Content Filtering on Specific Keywords</h2>
<p>About 10 years ago it was very common to do anti-spam filtering by using a list of specific keywords and phrases.  Some organizations try to continue this technique even today, and it can work well, but in some industries it is impractical or impossible to block certain keywords that most people would associate with spam.<span id="more-2519"></span></p>
<ul>
<li>Pharmaceutical companies and their partners would not want to block the names of certain products, even though those product names are frequently used by spammers selling counterfeit versions of them.</li>
<li>A jewellery business cannot treat the word “Rolex” in emails with the same level of suspicion as other businesses.</li>
</ul>
<h2>Blocking Top Level Domains</h2>
<p>There are statistics that show that certain top level domains are frequently used when sending spam emails.  A business that deals only within their own city or country has little to lose by blocking those top level domains from sending them emails; however a global corporation cannot do the same thing without potentially cutting themselves off from entire markets.</p>
<p>Worse, if a global corporation are themselves using multiple email domains they could potentially cut off parts of their business from communicating with each other, if this sort of blocking was applied too strictly.</p>
<h2>One Size Fits All</h2>
<p>Instead of looking for a “one size fits all” anti-spam solution you should instead look for a flexible, highly configurable product that can be tailored to suit your specific business environment.  When a solution is properly implemented and configured it is far more effective than blindly following other people’s version of “best practice” for preventing spam.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/05/anti-spam-is-not-one-size-fits-all/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Exchange 2007 Spam Filter Overview</title>
		<link>http://www.allspammedup.com/2010/04/exchange-2007-spam-filter/</link>
		<comments>http://www.allspammedup.com/2010/04/exchange-2007-spam-filter/#comments</comments>
		<pubDate>Thu, 29 Apr 2010 14:16:48 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Exchange 2007]]></category>
		<category><![CDATA[Exchange 2007 Spam Filter]]></category>
		<category><![CDATA[Spam Filtering]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2484</guid>
		<description><![CDATA[The Exchange 2007 spam filter is a built in feature of the Edge Transport server role, as well as an optional feature of the Hub Transport server role. The spam filter is made up of several individual components that each &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2485" src="http://www.allspammedup.com/wp-content/uploads/2010/04/exchange-2007-spam-filter.png" alt="" width="250" height="153" />The Exchange 2007 spam filter is a built in feature of the Edge Transport server role, as well as an optional feature of the Hub Transport server role.</p>
<p>The spam filter is made up of several individual components that each perform a specific role in detecting and preventing spam from reaching mailboxes.</p>
<p>These are the Exchange 2007 spam filter agents listed in the default order of priority on a Hub Transport server.</p>
<ul>
<li>Connection Filter</li>
<li>Content Filter</li>
<li>Sender Id</li>
<li>Sender Filter</li>
<li>Recipient Filter</li>
<li>Protocol Analysis</li>
</ul>
<p>Although the priority can be modified it is generally best to leave it in the default order.</p>
<h2>Connection Filter</h2>
<p>The Connection Filter Agent is responsible for assessing incoming email based on its connection characteristics, such as the sender’s IP address.  The Connection Filter is configured with IP block lists and IP allow lists, either manually or by <a target="_blank" href="../../../../../2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/">configuring a block list provider</a>.</p>
<p>Connection filtering is the most computationally efficient way of stopping spam from botnets and insecure email servers, which is why it is the first priority for the Exchange 2007 spam filter by default.</p>
<p>The Connection Filter Agent has two actions it can take on incoming email – reject or accept.</p>
<h2>Content Filter</h2>
<p>The <a target="_blank" href="../../../../../2008/12/how-to-protect-exchange-server-2007-with-content-filtering/">Content Filter Agent in Exchange Server 2007</a> is based on the Intelligent Message Filter technology first seen in Exchange 2003.  When an email message has passed the Connection Filter Agent it is checked by the Content Filter Agent for known spam content, using heuristic scanning and a database of known spam patterns based on spam submissions from Microsoft partners and customers.</p>
<p>The Content Filter Agent can also be manually configured to block certain words or phrases, or to exempt certain email addresses from content filtering.<span id="more-2484"></span></p>
<p>The Content Filter Agent has three actions it can take on incoming email that has been detected as spam – delete (silently drop), reject (notify sender), or quarantine.</p>
<h2>Sender Id</h2>
<p><a target="_blank" href="http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx">Sender Id</a> is an email authentication protocol that aims to prevent spoofing and phishing by verifying that a sender is authorized to send for that domain name.  Though it is widely adopted it is not a standard and so can’t always be relied upon for spam prevention.</p>
<p>The Sender Id Agent has three actions it can take on incoming email that fails validation – delete, reject, or stamp and continue.</p>
<h2>Sender Filter</h2>
<p>The Sender Filter Agent simply allows the administrator to specify a list of sender email addresses to block.  However there are two actions it can take on incoming emails sent by someone on the list – reject, or stamp and continue.</p>
<p>Because of the wide use of address spoofing in spam this feature is more useful at stopping deliberate harassment or abusive emails from a specific individual.</p>
<h2>Recipient Filter</h2>
<p>The Recipient Filter Agent can be used to block incoming emails sent to certain recipients; however a more useful feature is the ability to block emails sent to recipients that don’t exist.  This works hand in hand with an Exchange 2007 spam filter feature known as “tar pitting” to stop <a target="_blank" href="../../../../../2008/12/protecting-exchange-server-2007-from-directory-harvesting-attacks/">directory harvest attacks</a>.</p>
<h2>Protocol Analysis</h2>
<p>The Protocol Analysis Agent underpins the Sender Reputation feature of the Exchange 2007 spam filter.  This feature combines its own assessment and testing of a sender along with IP reputation information from Microsoft to determine whether a particular sender should be blocked or treated with suspicion.</p>
<p>Sender Reputation can be configured to a threshold at which a sender is considered suspicious and is blocked.  The duration of the block is also configurable, and is set to 24 hours by default.</p>
<h2>Other Exchange 2007 Spam Filter Features</h2>
<p>The Content Filter Agent offers the option to quarantine suspected spam to a mailbox.  Only one <a target="_blank" href="../../../../../2008/12/managing-spam-quarantine-for-exchange-server-2007/">quarantine mailbox</a> can be configured for this and there is no self-service option for end users to manage their own personal quarantine items.</p>
<p>Exchange 2007 also ships with a series of scripts that can be used for <a target="_blank" href="../../../../../2009/01/anti-spam-reporting-for-exchange-server-2007/">basic reporting</a> of the spam filter’s performance.  This reporting is all done via shell commands and there are no graphical reports generated.  There is also no report access for non-administrators, making it impossible for managers and other staff to be able to access reports on their own.</p>
<p>Overall the Exchange 2007 spam filter offers the basic features required to protect an email server from spam.  However the configuration of some items is limited, it has none of the end user self-service options that keep administrative overheads down, and it lacks important features such as <a target="_blank" href="../../../../../2009/01/bayesian-spam-filtering-with-exchange-server-2007/">Bayesian filtering</a> which can make more intelligent decisions about an organization’s email usage to increase the accuracy of its spam detection.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/04/exchange-2007-spam-filter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Email Marketing and Protecting Online Reputation</title>
		<link>http://www.allspammedup.com/2010/04/email-marketing-and-protecting-online-reputation/</link>
		<comments>http://www.allspammedup.com/2010/04/email-marketing-and-protecting-online-reputation/#comments</comments>
		<pubDate>Wed, 21 Apr 2010 14:53:32 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[Email Marketing]]></category>
		<category><![CDATA[hosting]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2443</guid>
		<description><![CDATA[On the internet a company’s reputation consists of two parts: What your customers (people) think of you What other systems (computers) think of you In an environment such as the internet where everything that is said or done lives on &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2447" style="border: 0pt none; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2010/04/damaged.jpg" alt="damaged" width="250" height="187" />On the internet a company’s reputation consists of two parts:</p>
<ol>
<li>What your customers (people) think of you</li>
<li>What other systems (computers) think of you</li>
</ol>
<p>In an environment such as the internet where everything that is said or done lives on forever, protecting company reputations becomes a top priority and must be taken seriously.</p>
<h2>Outsourced Marketing and Shifting Blame</h2>
<p>Even today with spam volumes reaching record levels year after year companies will dismiss the opinions of experts and customers alike and use email to send marketing information to people who never asked for it.</p>
<p>The companies <a target="_blank" href="http://blog.wordtothewise.com/2010/04/aarp-sureclick-offerweb-and-spam/">don’t necessarily do it themselves</a>; sometimes they farm it out to a marketing firm or pay affiliates for lead generation.  This allows the company to claim their innocence in the face of spam allegations caused by aggressive affiliates.</p>
<h2>Damaging Customer Reputation</h2>
<p>Does this excuse work on the average person?  We’re all used to seeing spam dressed up in legitimate company logos and branding.  The experts might know better, but unless the spam contravenes the law in that jurisdiction and a public fine and reprimand is given most customers won’t know better.</p>
<p>Except when the spam is sent directly from the company to their customers.  This has been the recent trend in which companies believe that <a target="_blank" href="../../../../../2010/04/who-gets-to-decide-if-it%E2%80%99s-spam-not-you-mr-marketer/">opt-out email marketing</a> is acceptable practice, and that an email address acquired through any means is open for unsolicited communication.<span id="more-2443"></span></p>
<p>This is the type of email marketing that damages company reputations, even just one customer at a time.</p>
<h2>Damaging Systems Reputation</h2>
<p>The other reputation you damage by directly spamming customers is with other computer systems on the internet.  As Microsoft’s <a target="_blank" href="http://blogs.msdn.com/tzink/archive/2009/05/18/how-virus-researchers-work.aspx">Terry Zink states</a>:</p>
<blockquote>
<p style="padding-left: 30px">90% of spam can be caught with IP reputation and another 5% with URL reputation</p>
</blockquote>
<p>In other words, if an email comes from an IP address that is a known spam source, or contains URLs to a site associated with spam, it has a higher chance of being blocked by anti-spam systems.</p>
<p>This approach to fighting spam makes email marketing a big challenge in the technical sense.  Your company sends email to the internet in one of three ways:</p>
<ul>
<li>Directly out via your own public IP addresses</li>
<li>To a hosted email gateway service that then sends onwards from their IP addresses</li>
<li>From a hosted email service provider that sends directly from their own IP addresses</li>
</ul>
<p>If you spam a customer directly you run the risk of your IP being blocked by other email systems.  This will impact the delivery of all of your business emails, which is a very serious impact.</p>
<p>If you spam a customer via a hosted email gateway service, they run the risk of their own IP addresses being blocked, which is why they will react quickly to any complaints by other parties, and often rate limit your email traffic or even cut you off completely.  Again this is a very serious impact.</p>
<p>A hosted email service provider has some additional protection for both you and themselves, as long as they require double opt-in for mailing lists.  This ensures that a person has gone through a deliberate two step process to subscribe to a mailing list and is therefore less likely to have been added against their will.</p>
<h2>Protecting Both Reputations</h2>
<p>For customers who want to engage in <a target="_blank" href="../../../../../2009/06/using-email-marketing-the-right-way/">email marketing the right way</a> they should be aware of the risk of damaging their reputation and safeguard against it.</p>
<p>Smaller companies can use email service providers to ensure double opt-in is used, and restrict access to customer address lists to only those people who need to use them.</p>
<p>Larger companies may need to integrate their email marketing into an existing CRM system, which usually means sending via their own IP addresses or a hosted email gateway.  In those cases, restrict access to that system and ensure only necessary staff can access and use the email addresses.</p>
<p>If outsourcing to a marketing firm is required then choose your partner carefully to ensure they will act ethically and legally to protect your reputation, and be prepared to take full responsibility if they don’t.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/04/email-marketing-and-protecting-online-reputation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Prevent Postmaster Spam</title>
		<link>http://www.allspammedup.com/2010/04/how-to-prevent-postmaster-spam/</link>
		<comments>http://www.allspammedup.com/2010/04/how-to-prevent-postmaster-spam/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 14:59:37 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[backscatter]]></category>
		<category><![CDATA[Bayesian Filtering]]></category>
		<category><![CDATA[Connection Filtering]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[postmaster]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2414</guid>
		<description><![CDATA[When I meet a new customer to discuss their spam problems I often hear of the same complaint. “We are getting spam from postmaster addresses and we don’t know why.” This complaint has a multitude of variations but we tend &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2416" src="http://www.allspammedup.com/wp-content/uploads/2010/04/postmaster.jpg" alt="postmaster" width="250" height="187" />When I meet a new customer to discuss their spam problems I often hear of the same complaint.</p>
<blockquote>
<p style="padding-left: 30px">“We are getting spam from postmaster addresses and we don’t know why.”</p>
</blockquote>
<p>This complaint has a multitude of variations but we tend to label the problem as “postmaster spam”.</p>
<p>Simply put, postmaster spam is any spam email that comes from a postmaster email address, whether it is the postmaster for your own domain or for someone else’s domain.</p>
<p>The postmaster address performs a critical role in email communication and its presence and use is prescribed in the RFCs for the SMTP protocol.</p>
<blockquote>
<p style="padding-left: 30px">“Any system that includes an SMTP server supporting mail relaying or delivery MUST support the reserved mailbox &#8220;postmaster&#8221; as a case-insensitive local name.”</p>
</blockquote>
<p>&#8230;and&#8230;</p>
<blockquote>
<p style="padding-left: 30px">“SMTP systems are expected to make every reasonable effort to accept mail directed to Postmaster from any other system on the Internet.”</p>
</blockquote>
<h2>Who is the Postmaster?</h2>
<p>The postmaster address is usually the source (or “from”) address for system generated emails such as non-delivery reports, although some email servers allow a different address to be used.</p>
<p>But this common usage, combined with the RFC requirements, creates a series of problems.  Spammers know that the postmaster@ email address is almost always going to be valid, and email servers often treat email from postmaster@ email addresses as more trusted.</p>
<h2>Postmaster Forgeries</h2>
<p>One way in which spammers try to exploit this is by forging the sender address of spam to make it appear that it is coming from a postmaster@ address for a well known domain name.  This is an effective technique because most email users have received genuine NDRs in the past and have at least some idea that a postmaster@ address is valid and trustworthy.<span id="more-2414"></span></p>
<p>Because the human element of this exploit is so weak the best defence against this technique is to detect and block the spam before it reaches the intended victim.  Anti-spam techniques such as <a href="http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/">connection filtering</a>, content filtering, and Bayesian filtering are effective in stopping this.</p>
<h2>Backscatter Spam</h2>
<p>Another way spammers create “postmaster spam” is by causing NDRs, also known as <a href="http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/">backscatter spam</a>.  With this method a spammer will send email with forged sender addresses to various email systems, and when it is sent to non-existent addresses the receiving server sends back an NDR from their postmaster@ address to the forged sender address.</p>
<p>The person whose email address was used as the forged email address then receives the NDR, usually along with the original spam content attached or embedded.  This technique is often successful because email systems don’t want to block important non-delivery reports.</p>
<p>Some anti-spam products specifically include protection for this type of NDR backscatter spam through a combination of technologies.  There is also an emerging technique appearing in some products that uses a header tag for all outgoing email.  When an NDR comes back from an external source it can be checked for that tag.  If it exists and matches a known email that was sent, then the NDR can be trusted and allowed back in to the email system.  If the header tag does not exist then it is likely that the email originated elsewhere, probably from a spammer, and can be considered less trustworthy and subject to different filtering rules.</p>
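<p>The tag check described above can be sketched as follows.  This is an added example, not code from this article or from any product it mentions: the <code>X-Outbound-Tag</code> header name, the tag layout, the demo key and the seven-day window are assumptions, and a keyed hash stands in for a lookup against a log of sent mail.  The sample messages are constructed.</p>

```python
import hashlib
import hmac
from email import message_from_bytes, message_from_string, policy
from email.message import EmailMessage

# Assumptions for this example (none of these come from the article):
TAG_HEADER = "X-Outbound-Tag"          # hypothetical header name
SECRET = b"constructed-demo-key"       # gateway-only key, demo value
MAX_AGE_DAYS = 7                       # how long a bounce may take to arrive


def make_tag(message_id, sent_day, key=SECRET):
    """Build 'day.mac' where mac = HMAC-SHA256(key, 'day|Message-ID'), truncated."""
    mac = hmac.new(key, f"{sent_day}|{message_id}".encode(), hashlib.sha256)
    return f"{sent_day}.{mac.hexdigest()[:32]}"


def tag_outbound(msg, today):
    """Stamp a message as it leaves the gateway (today = days since the epoch)."""
    del msg[TAG_HEADER]  # discard any tag supplied by the sending client
    msg[TAG_HEADER] = make_tag(str(msg["Message-ID"]).strip(), today)
    return msg


def embedded_original(ndr):
    """Return the headers of the message the NDR claims to report on, or None."""
    for part in ndr.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":     # headers-only variant
            return message_from_string(part.get_content(), policy=policy.default)
    return None


def classify_ndr(raw, today):
    """Return 'trusted', 'untagged', 'expired' or 'invalid' for a raw NDR."""
    ndr = message_from_bytes(raw, policy=policy.default)
    original = embedded_original(ndr)
    tag = original[TAG_HEADER] if original is not None else None
    if not tag:
        return "untagged"      # likely backscatter: apply stricter filtering
    day_text, _, mac = str(tag).strip().partition(".")
    if not (day_text.isascii() and day_text.isdigit() and mac):
        return "invalid"
    sent_day = int(day_text)
    if not 0 <= today - sent_day <= MAX_AGE_DAYS:
        return "expired"       # stale or future-dated tag, possibly replayed
    expected = make_tag(str(original["Message-ID"]).strip(), sent_day)
    candidate = f"{sent_day}.{mac}"
    if hmac.compare_digest(expected.encode(), candidate.encode()):
        return "trusted"       # we really sent the message that bounced
    return "invalid"           # tag does not belong to this Message-ID


def sample_outbound(today):
    """Constructed outbound message, tagged as the gateway would tag it."""
    msg = EmailMessage()
    msg["From"] = "alice@corp.example"
    msg["To"] = "no-such-user@remote.example"
    msg["Subject"] = "Quarterly figures"
    msg["Message-ID"] = "<20100414.0001@corp.example>"
    msg.set_content("See attached.")
    return tag_outbound(msg, today)


def sample_ndr(original):
    """Constructed bounce from a remote postmaster that embeds `original`."""
    ndr = EmailMessage()
    ndr["From"] = "postmaster@remote.example"
    ndr["To"] = "alice@corp.example"
    ndr["Subject"] = "Undeliverable: " + original["Subject"]
    ndr.set_content("The recipient address does not exist.")
    ndr.add_attachment(original)   # attached as message/rfc822
    return ndr.as_bytes()


def sample_spam_bounce():
    """Constructed backscatter: the bounced message never passed our gateway."""
    spam = EmailMessage()
    spam["From"] = "alice@corp.example"   # forged sender
    spam["To"] = "victim@remote.example"
    spam["Subject"] = "Cheap watches"
    spam["Message-ID"] = "<spam-0001@elsewhere.example>"
    spam.set_content("Buy now.")
    return sample_ndr(spam)
```

<p>An NDR classified as anything other than trusted is not rejected outright here; it is the case the article describes as subject to different filtering rules.</p>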
<h2>Other Postmaster Problems</h2>
<p>The two problems that are mentioned above mostly impact end users, those who we are trying to protect from spam threats.</p>
<p>But another issue also exists, and that is spam addressed to the postmaster@ address itself.  Because of the importance of the postmaster as prescribed in the RFC it is common for it to be exempt from any form of filtering or protection, to ensure it receives 100% of important email addressed to it.</p>
<p>Fortunately although this opens the door to spammers, the postmaster@ mailbox is usually only accessed by experienced administrators who are less likely to be tricked into opening spam or clicking on a phishing link.  And in extreme cases the RFC does permit blocking of particularly bad sources of spam to the postmaster@ address.</p>
<p>And for our customers we are able to prescribe quality solutions to the problem of postmaster spam by implementing effective anti-spam systems on their networks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/04/how-to-prevent-postmaster-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who Gets to Decide if it’s Spam? Not you, Mr Marketer</title>
		<link>http://www.allspammedup.com/2010/04/who-gets-to-decide-if-it%e2%80%99s-spam-not-you-mr-marketer/</link>
		<comments>http://www.allspammedup.com/2010/04/who-gets-to-decide-if-it%e2%80%99s-spam-not-you-mr-marketer/#comments</comments>
		<pubDate>Thu, 08 Apr 2010 13:55:14 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[CAN-SPAM Act]]></category>
		<category><![CDATA[Email Marketing]]></category>
		<category><![CDATA[email spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2387</guid>
		<description><![CDATA[There is a growing sentiment in some business circles that spam can be clearly defined by what is and isn’t allowed under the typical anti-spam legislation enacted by governments these days. In the US the CAN-SPAM act of 2003 (the &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2388" style="border: 0pt none;margin: 10px" src="http://www.allspammedup.com/wp-content/uploads/2010/04/suit.jpg" alt="suit" width="250" height="187" />There is a growing sentiment in some business circles that spam can be clearly defined by what is and isn’t allowed under the typical anti-spam legislation enacted by governments these days.</p>
<p>In the US the CAN-SPAM act of 2003 (the acronym drawn from the bill’s full name “Controlling the Assault of Non-Solicited Pornography And Marketing”) effectively legalized spam by applying three basic requirements to commercial emails:</p>
<ul>
<li>Visible and operable unsubscribe mechanism, with requests honored within 10 days</li>
<li>Accurate content such as From: fields and subject lines, and inclusion of a legitimate physical address of the advertiser</li>
<li>Not sent via open relay, does not contain false headers, and is not sent to harvested email addresses</li>
</ul>
<p>Some organizations have taken this legal standard and run with it, sending commercial email to addresses obtained through bought lists, co-registration, incentive offers, and other innocuous means such as when filling out forms or dropping business cards into prize draws at conferences.</p>
<p>And to comply with the unsubscribe requirements they use onerous mechanisms for unsubscribe requests instead of simple one-click methods.</p>
<p>And while doing all of this they insist that it’s not spam.  After all, the law says so.  It’s just perfectly legitimate email marketing.</p>
<h2>You Don’t Get to Decide</h2>
<p>I’m sorry, but you don’t get to decide that.  And by “you” I mean businesses.  Businesses and their marketing departments who look at email as a fast, convenient way to reach a lot of people with their very important messages.</p>
<p>Now for the purposes of this discussion I’ll make some definitions clear.  I’m not talking about the kind of spam that botnets send out to try and trick people into buying fake pharmaceutical goods or a counterfeit watch.<span id="more-2387"></span></p>
<p>I’m talking about UCE – unsolicited commercial email.  The kind of email you get when a company decides to add you to their marketing newsletter without you ever requesting it, and without a double opt-in process.  The law might say this isn’t spam, but every customer I talk to says it is.  And guess who gets to decide that?  The customer does.</p>
<h2>Opt-In vs Opt-Out</h2>
<p>In the world of email marketing there are two ways to build a mailing list.  In a recent blog post the <a target="_blank" href="http://blogs.hbr.org/cs/2010/03/b2bs_your_email_policy_could_b.html">Harvard Business Review</a> sums these up nicely.</p>
<blockquote>
<p style="padding-left: 60px"><em> Responsible consumer marketers have adopted an &#8220;opt-in&#8221; e-mail policy for determining who receives their marketing messages. Unless customers give the marketer permission to contact them, the marketer leaves them alone.</em></p>
</blockquote>
<p>There are two types of opt-in – single and double.  A single opt-in is when you provide your email address and are immediately subscribed.  A double opt-in is when you provide your email address, and then receive a confirmation message usually containing a link to click on to verify your request.</p>
<p>Single opt-in is open to abuse because you can be added to a list by someone else without your knowledge.  Double opt-in is the standard amongst ethical email marketers.  It is what 100% of customers tell me they prefer.</p>
<p>Opt-out on the other hand is the opposite.  And scarily the Harvard Business School blog makes the case for it.</p>
<blockquote>
<p style="padding-left: 60px"><em> Many B2B marketers abide by a similar policy, but they don&#8217;t have to — and shouldn&#8217;t. In fact, I&#8217;d argue, your business customers generally would prefer the reverse: an opt-out arrangement in which you send them messages unless they say &#8220;stop.&#8221;</em></p>
</blockquote>
<p>See the problem here?  Combine opt-out email marketing with weak legislation like CAN-SPAM and businesses see how they can send you UCE and everyone should be happy about it.</p>
<h2>Permission Marketing</h2>
<p>The entire concept of opt-out flies in the face of permission marketing, the term coined by marketing guru Seth Godin.  For email marketing this basically means that the marketer won’t send you emails until you have given permission for them to do so.</p>
<p>Marketers need to pay close attention to the permission they are given before they decide what they will send to prospective customers.</p>
<p>The permission can be explicit (signing up to a newsletter), or implicit (providing an email address when downloading trial software).</p>
<p>The scope of implicit permission also changes depending on the situation.  A business card handed to a sales rep at a convention implies permission for personal communication from that sales rep.  It doesn’t imply permission to add the person to a global marketing list that receives all of the company’s marketing materials.</p>
<h2>Listen to Customers</h2>
<p>Your prospective customers are sending you indirect messages about how they view spam.</p>
<ul>
<li>Fighting spam is a multi-billion dollar a year industry</li>
<li>Nobody complains they aren’t receiving enough email</li>
<li>Everybody complains when they receive something that annoys them</li>
<li>Anti-spam vendors and ISPs offer no deliverability assistance to email service providers who do not require double opt-in</li>
</ul>
<p>Customers have decided what spam is and an ecosystem of ISPs, ESPs, and anti-spam vendors works every day to support them.</p>
<p>Listen to your customers, and don’t think you get to define what is and isn’t spam.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/04/who-gets-to-decide-if-it%e2%80%99s-spam-not-you-mr-marketer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Pros and Cons of 4 Ways for Handling Detected Spam</title>
		<link>http://www.allspammedup.com/2010/04/the-pros-and-cons-of-4-ways-for-handling-detected-spam/</link>
		<comments>http://www.allspammedup.com/2010/04/the-pros-and-cons-of-4-ways-for-handling-detected-spam/#comments</comments>
		<pubDate>Wed, 07 Apr 2010 15:13:51 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Quarantine]]></category>
		<category><![CDATA[Spam Quarantine]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2351</guid>
		<description><![CDATA[We talk a lot about the importance of detecting spam in business email, and the challenges in maintaining a high detection rate with low false positives.  But we don’t often discuss the best way to take action on spam once &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2352" style="border: 0pt none; margin: 10px;" src="http://www.allspammedup.com/wp-content/uploads/2010/03/caught.jpg" alt="caught" width="250" height="187" />We talk a lot about the importance of detecting spam in business email, and the challenges in maintaining a high detection rate with low false positives.  But we don’t often discuss the best way to take action on spam once it has been detected.</p>
<p>Typically an antispam product will offer four ways of dealing with spam once it has been detected:</p>
<ul>
<li>Deliver it</li>
<li>Quarantine it</li>
<li>Redirect it</li>
<li>Drop it</li>
</ul>
<p>Each action has its own benefits and drawbacks in an Exchange Server environment, so let’s take a look at those here.</p>
<h2>Deliver It</h2>
<p>This action delivers the email to its original intended recipient.  While this might seem like a pointless option (why would you want to deliver spam once it has been detected?) usually it is used in conjunction with some other action, such as tagging the subject line or message header with a spam tag.</p>
<p>The tag then allows spam messages to be identified by other servers or applications that can filter based on that tag.  For example, Outlook has Inbox Rules that can be configured to handle all items tagged as “spam” in a certain way, such as moving them to a special folder.</p>
<p>One scenario in which this is beneficial is when the anti-spam system does not have an end user self-service quarantine feature.  With this technique spam can be checked and false positives can be recovered by the end user out of their own accessible area, reducing administrative effort in responding to queries from users about missing email.</p>
<p>The downsides to this are that it puts potentially malicious spam within reach of the end user, who may click a link to a phishing site or take other undesirable action.  It also makes it necessary to store all spam in the Exchange Server databases, rather than keep it separate (or block it entirely).  This wastes storage not just on the server disks, but also in backups.</p>
<h2>Quarantine It</h2>
<p>This action moves the spam item to a special quarantine area and does not deliver it to the intended recipient.  Most anti-spam systems have some form of quarantine system available in them.</p>
<p>The benefit of this action is that it prevents end users from being exposed to spam emails, and also keeps the spam items out of the Exchange Server databases.<span id="more-2351"></span></p>
<p>The downside to this is that when an end user has not received an email they were expecting, they will need to check the quarantine for it.  If there is no self-service quarantine available then the email administrators will need to spend time helping the user with their query.</p>
<h2>Redirect It</h2>
<p>This action redirects the spam email to a different email address than the intended recipient.  In Exchange Server this is how spam quarantine is made possible, by redirecting to a special quarantine mailbox.</p>
<p>This is basically a poor man’s quarantine option, with all of the downsides mentioned above, but with the added downside of still storing spam within the Exchange Server databases.</p>
<p>The fact that it stores it within a mailbox does open up the possibility of granting users access to that mailbox to check for their own spam, but the interface for this is not very intuitive and exposes all spam items to the user, not just their own spam items as a genuine self-service feature does.</p>
<h2>Drop It</h2>
<p>This action rejects or deletes the spam item and does not deliver it or store it anywhere.  From a performance and storage point of view this is usually the best option.</p>
<p>However the downside is that the action is permanent.  If a genuine email is falsely identified as spam and deleted, that email can never be recovered and would need to be resent by the sender.</p>
<h2>Hybrid Approach</h2>
<p>The best case scenario is using an anti-spam system that permits a hybrid of the above actions to be taken on spam depending on the “certainty” of it being spam.</p>
<p>Mail from IP addresses that fail an RBL lookup can safely be dropped because these are almost certainly spam sent by botnets.</p>
<p>Emails detected as spam with high certainty after a full content inspection should be quarantined separately to the Exchange databases, and ideally in a self-service quarantine area to reduce support effort for false positives.  This keeps the most malicious spam away from end user inboxes.</p>
<p>Emails that have a lower certainty of being spam, or are “suspected spam”, can be delivered with a tag that will put the items in a special folder that users can check in Outlook.  Used in conjunction with retention policies this folder can be configured to only keep a short history of emails, so that it does not become a storage burden.</p>
<p>Finally, some special cases may emerge where spam or suspected spam needs to be redirected to a different recipient for inspection, auditing, or some other response that is required by the business.  One example of this would be an administrator who wants to check what is and isn’t being detected as spam in order to tune the anti-spam system or notify the vendor of detection issues.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/04/the-pros-and-cons-of-4-ways-for-handling-detected-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Weakest Link is Getting Weaker</title>
		<link>http://www.allspammedup.com/2010/03/the-weakest-link-is-getting-weaker/</link>
		<comments>http://www.allspammedup.com/2010/03/the-weakest-link-is-getting-weaker/#comments</comments>
		<pubDate>Wed, 24 Mar 2010 13:25:28 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[Social Networks]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2309</guid>
		<description><![CDATA[The end user is the weakest link in the security chain, and as new generations enter the workforce the awareness of security risks decreases. A study by security researchers has found that only 14% of Generation Y (adults aged 18-24) &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2310" src="http://www.allspammedup.com/wp-content/uploads/2010/03/chain.jpg" alt="chain" width="250" height="141" />The end user is <a href="http://www.allspammedup.com/2009/01/the-last-line-of-defense-against-spam/">the weakest link</a> in the security chain, and as new generations enter the workforce the awareness of security risks decreases.</p>
<p>A <a target="_blank" href="http://www.securecomputing.net.au/News/170204,gen-y-not-worried-about-identity-theft.aspx">study by security researchers</a> has found that only 14% of Generation Y (adults aged 18-24) rate identity theft as their top security risk.</p>
<p>The company says:</p>
<blockquote>
<p style="padding-left: 30px"><em>The fact that 18-24 year olds have different attitudes towards security and are much more open about putting their personal details online, heightens their vulnerability to theft.</em></p>
</blockquote>
<p>Cyber criminals are focussing a lot of attention on social media sites because they are such a target-rich environment, while at the same time they often have the fewest security measures in place to prevent their users from becoming victims of an attack.</p>
<p>This month Facebook users were subject to a <a target="_blank" href="http://www.pcworld.com/businesscenter/article/191847/facebook_users_targeted_in_massive_spam_run.html">massive spam run</a> that sent fake password reset messages to millions of users.  The attack is intended to infect the victim’s computer with a Trojan horse to steal passwords and data, and to put the computer under the control of a botnet.</p>
<p>These types of blended attacks are also becoming more personalized, using the information about themselves that people make public, as well as more targeted, as seen in the <a target="_blank" href="http://www.v3.co.uk/v3/news/2256804/hackers-carried-detailed">Google hack</a> in which specific individuals were targeted due to their proximity and relationships with the key people who would have access to the data sought by the attackers.<span id="more-2309"></span></p>
<p>One security professional <a target="_blank" href="http://www.securecomputing.net.au/News/170204,gen-y-not-worried-about-identity-theft.aspx">writes</a>:</p>
<blockquote>
<p style="padding-left: 30px"><em>&#8220;Obviously, the security risks abound in this area and it is up to security professionals to embrace new working ways whilst still ensuring that organisation&#8217;s information is protected.&#8221;</em></p>
</blockquote>
<p>So what can organizations do about it?</p>
<h3>Identify and Understand</h3>
<p>To deal with any risk it must first be identified and fully understood so that effective measures can be introduced to mitigate it.  A thorough understanding of <a href="http://www.allspammedup.com/2009/06/dealing-with-new-spam-threats-to-business/">new threats to businesses</a> is the first step to take.</p>
<h3>Implement Solutions</h3>
<p>Once the risks have been understood the business must take ownership of them.  Instead of relying on third parties like Facebook and Twitter to protect users, implement solutions that will <a href="http://www.allspammedup.com/2009/10/taking-control-of-the-risks/">protect your business</a>.</p>
<h3>Educate Staff</h3>
<p>Technology can only solve a part of the problem.  Completely blocking useful web services that employees rely on for communications could do your business more harm than good.</p>
<p>Instead use a combination of technology and end user education.  Teach employees about the risks that they face when using social networks and other web services, particularly when they are discussing the company or sharing business information.</p>
<p>Just as cyber criminals use blended attacks, businesses must use blended solutions that can protect them without removing the valuable ways that new generations are using the web.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/the-weakest-link-is-getting-weaker/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>4 Ways to Protect Email Addresses on Websites, That Don&#8217;t Really Work</title>
		<link>http://www.allspammedup.com/2010/03/4-ways-to-protect-email-addresses-on-websites-that-dont-really-work/</link>
		<comments>http://www.allspammedup.com/2010/03/4-ways-to-protect-email-addresses-on-websites-that-dont-really-work/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 06:17:34 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[antispam]]></category>
		<category><![CDATA[CAPTCHA]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2280</guid>
		<description><![CDATA[The Techbusy.org blog offers us 4 tips for hiding email addresses from spammers and hackers when displaying the address on a web page. The reason behind it is simple – spammers use spiders (much the same as search engines do) &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2285" src="http://www.allspammedup.com/wp-content/uploads/2010/03/hiding.jpg" alt="hiding" width="250" height="202" />The <a target="_blank" href="http://www.techbusy.org/blog/hide-your-email-address-from-spam-and-hackers/727/">Techbusy.org</a> blog offers us 4 tips for hiding email addresses from spammers and hackers when displaying the address on a web page.</p>
<p>The reason behind it is simple – spammers use spiders (much the same as search engines do) to crawl web pages looking for email addresses in the familiar something@something.com format.  When they find one they will add it to their address database and start sending it spam.</p>
<p>It’s true, and if you were to list your email address on your website it would quickly be discovered and you’ll start receiving spam.  Of course it’s also true that most email addresses will receive spam shortly after they are created thanks to the many ways in which <a href="http://www.allspammedup.com/2009/04/this-is-why-you-get-spam-emails/">spammers find your email address</a>.</p>
<p>The 4 techniques proposed by Techbusy.org fall into either the “security by obscurity” category (also known as “things that make you feel more secure but really don’t help”), or the “makes it harder for real people to email you” category.</p>
<p>The former is wasted effort, and the latter is not good for businesses who want to hear from potential customers via email.  So let’s take a closer look at the 4 tips.<span id="more-2280"></span></p>
<p><strong>Write it differently</strong> – This means writing the address in a non-standard way, such as paul[@]exchangeserverpro[dot]com.  The idea is that by avoiding the @ symbol a web crawler won’t detect that it is an email address.</p>
<p>This technique is poor in two ways – firstly, spammers aren’t silly and will look for other text patterns that indicate it is an email address.  Changing @ to [at] is pointless if the crawler also looks for [at].  Secondly, it means a customer has to interpret your obscured email address into its real form and manually type it out, rather than just being able to click a link to send you an email.</p>
<p><strong>Display it as an image</strong> – This means making an image such as a JPG that contains the email address and embedding that in your web page.</p>
<p>This technique is also poor in two ways – firstly spammers now use character recognition software in their harvesting arsenal and so can read text in images as well (just as anti-spam products can).  Secondly, you are once again making it harder for customers to email you.</p>
<p><strong>Obscure it with Javascript</strong> – This means using a special script in the HTML web page that will display the email address to web browsers but hide (or obscure) it in the underlying HTML code.</p>
<p>This technique is at least friendly to your customers who want to email you.  Unfortunately it is ineffective against any moderately sophisticated web crawler.  Often the script will fall back to a plain text version of the email address for visitors without Javascript enabled, in order to maintain accessibility.  This also tends to include the spammer’s crawlers.  Sometimes the fallback version is obscured with [at] but as mentioned earlier this is also quite ineffective.</p>
<p><strong>Use a CAPTCHA</strong> – This means hiding some or all of the email address until the visitor solves a CAPTCHA challenge.</p>
<p>CAPTCHA is a popular spam prevention method on most web forms such as the signup form for a free webmail service.  The idea is to present a challenge that an automated process cannot defeat, but is intended to be easy for a real human to defeat.</p>
<p>Unfortunately CAPTCHAs are often broken by spammers either by cracking a flaw in the underlying code, by reading the CAPTCHA text with character recognition, or simply by tricking other humans into answering them.  On the other side of that are some CAPTCHA systems that are so sophisticated that spammers cannot defeat them, but this also makes them more difficult for humans which once again can impact your customers.</p>
<p>So for all 4 of these tips there seem to be either serious downsides or they are simply ineffective in stopping spammers.  You might be wondering then how you can go about protecting email addresses while still making it possible for customers to reach you.</p>
<p>In a <a href="http://www.allspammedup.com/2009/05/reducing-spam-for-publicly-disclosed-email-accounts/">previous post</a> I suggest the use of contact forms.  These forms can have strong anti-spam features built into them, such as blocking form submissions from the same sorts of IP addresses that you find on email block lists such as Spamhaus.</p>
<p>If you must publish email addresses on a web page where spammers can discover them, you should certainly invest in effective anti-spam filtering for your network.  A good anti-spam product will block spam no matter how the spammer discovered your address in the first place.  Implementing such a system will be of far more benefit to your email users than simply trying to obscure email addresses on web pages.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/03/4-ways-to-protect-email-addresses-on-websites-that-dont-really-work/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

