Antispam - A Guide from The Confederation of Danish Industries and ITEK

Introduction

Many companies are victims of SPAM. The amount of SPAM has increased sharply during the last few years. It is now estimated that SPAM costs Danish society approximately 7 billion DKK every year. SPAM also makes employees uncomfortable using their e-mail, browsing the internet or using other messaging applications. The Danish marketing law was finally changed in accordance with an EU directive in the summer of 2003. This is why The Confederation of Danish Industries, in collaboration with the trade organization ITEK, has lately given much attention to how the problem of SPAM can be fought. In December 2003 we published a set of very operational guidelines on how to fight SPAM. The guidelines are aimed especially at SMEs, which typically have little knowledge of IT and no special knowledge of IT-security topics. The guidelines include:

- a description of SPAM
- an estimate of the extent of the problem in Denmark
- recommendations on how to regulate user behaviour
- recommendations as to which technical measures could be implemented
- a description and discussion of the Danish marketing law
- a summary of possible measures

The purpose of the guidelines is simply to reduce the amount of SPAM received by taking a few corrective behavioural and technical measures; the main focus is on operational aspects. In relation to the current international work on SPAM, the guidelines meet the need for awareness and education among companies, and inform about the current Danish legislation with the goal of preventing companies from becoming spammers by accident. The guidelines have been agreed upon by some of the biggest international Danish companies as well as some prominent Danish SMEs. Users of various kinds of IT systems, and Danish and international vendors of IT systems and anti-SPAM systems, have all been involved.
The guidelines have also been approved and recommended by the Danish National Council for IT Security, http://www.rfits.dk. The guidelines were originally written in Danish; the current edition is a direct translation of that Danish edition. This means that most of the documents referred to are also Danish. From an international point of view this is of course unfortunate. However, we believe that the general conclusions and recommendations are not affected by this. The behavioural and technical recommendations are applicable everywhere! For the most part, the recommendations are also technology neutral: we do not wish to recommend any particular technical platform or application. Finally, with reference to the marketing law, we have only reflected on the law as it stands. In this context we do not recommend a particular regulatory regime such as opt-in or opt-out. The Confederation of Danish Industries and ITEK have focused on many different aspects of IT security during the last four years. These guidelines are just a small part of our general work on promoting an IT-security culture among Danish companies. We have produced booklets on several topics and an IT-security homepage, established networks among users and vendors of IT-security solutions, arranged conferences, created virtual networks, made extensive studies of the degree of industrial compliance with the Danish edition of BS7799, and we are establishing an online IT-security benchmark test tied to an online panel of experts. If you have any comments on any part of this paper, please feel free to contact:

The Confederation of Danish Industries / ITEK
att.: Henning Mortensen
H. C. Andersens Boulevard 18
1787 Copenhagen V
Denmark
e-mail: [email protected]
web: http://www.di.dk and http://www.itek.di.dk

A Description of SPAM

SPAM is often defined as unsolicited e-mail.
That definition is not precise enough, as most people regularly receive e-mails containing information they have not asked for but which is nevertheless useful, for instance an invitation to a party or an e-mail from an unknown family member. Instead we define SPAM as a circular that is irrelevant to the receiver, in the sense that:

- the receiver did not ask for it
- the content is not relevant to the receiver
- the receiver has no direct relation to either the content or the sending party
- the circular has been communicated to the receiver in electronic form

This guide focuses on SPAM carried by e-mail. According to the above definition, SPAM can take other forms, for instance SMS / MMS. SPAM is not tied to the use of a PC but can be observed on any electronic communication device, for instance cell phones and PDAs. Within this context, paper advertising is not considered SPAM. SPAM comes in different types, many of which share a common skeleton that can roughly be outlined as: an authoritative identification of the sender, for instance a well-known firm or an authoritative person; then "the bait", an enticing offer that must be taken advantage of; next there is often a threat that something will happen to the receiver or others if the offer is rejected; finally the receiver is often encouraged to distribute the mail. Some types of SPAM:

- "Letters from Nigeria", tempting with a huge amount of money for helping a helpless person.
- Ads for products or services.
- Chain letters.
- Hoaxes, mostly concerning viruses or worms.
- Viruses, worms or hacker tools which the receiver is lured into installing. This type of SPAM often impersonates another type of SPAM or an official e-mail.

The origin of the word "spam" as denoting unsolicited e-mail is not clear. The English word "spam" originally referred to canned meat, implying meat of poor quality and doubtful origin.
Another explanation refers to the lyrics of the Monty Python song: "Spam spam spam spam, spam spam spam spam, lovely spam, wonderful spam…". In this sense, SPAM is an endlessly repeated word, and therefore nonsense. Finally there is the alleged origin of the word from the computer lab at the University of Southern California as a description of the lunch meat:

- Nobody asks for it.
- Nobody eats it; it is just pushed aside.
- On rare occasions it is edible, maybe even tasty, just as some SPAM e-mails are occasionally relevant.

SPAM has become a problem because it is easy for spammers to spread their messages to an enormous number of people; the cost of distributing SPAM is negligible for the spammer; it is easy for the spammer to measure the effect of the SPAM; and it is a flexible way of distributing a message. So far the risk of getting caught is also negligible.

The extent of the problem

On 3 June 2003 the Danish periodical "Ingeniøren" quoted a new survey by the security company MessageLabs. The survey showed that out of 133.9 million e-mails, 51% were SPAM. (Link to the article: http://www.ing.dk/apps/pbcs.dll/article?Dato=20030603&Kategori=IT&Lopenr=106060018&Ref=AR ) There is great uncertainty when trying to estimate the dimensions of SPAM. First, there is variation depending on which region of the world is surveyed. Second, the numbers used for the estimates originate from companies that already focus on the problem in some way, since they perform some sort of measurement; it may be assumed that a company measuring the amount of SPAM does so because it is hit harder than average. Third, there is considerable uncertainty about what counts as SPAM. We will take a closer look at the different sources in an attempt to estimate the magnitude of SPAM.
The EU Commission has estimated the global magnitude of SPAM at more than 50% of all e-mails. At the same time, the productivity loss in European companies in 2002 as a consequence of SPAM is thought to have been 2.5 billion euros. (See http://www.comon.dk/index?page=news:print,id=14576 and http://www.computerworld.dk/default.asp?Mode=10&ArticleID=19865). In 2002 the Gartner Group predicted exponential growth of SPAM (J. Graff and M. Grey, Management Alert: 2003 E-Mail Predictions Highlight the Rising Risk Factor, Gartner, 4 December 2002), with an initial growth rate of more than 1000% p.a., and furthermore that in 2004 more than 50% of all electronic communication would be SPAM (a prediction given a probability of more than 0.8). According to the MessageLabs figures that prophecy has already been fulfilled for e-mail. The Gartner Group likewise predicted:

- A decrease in productivity as a direct consequence of the huge load of communication.
- A rising number of criminal cases concerning electronic communication.
- That the market for anti-spam products would consolidate during 2003 (a prediction that does not appear to have been fulfilled).

Several international analysts anticipate an exploding amount of e-mail within the next few years, from an estimated level of 55 e-mails per employee per day. Independent of SPAM, that volume calls for automated e-mail response systems to analyze, handle and perhaps automatically reply to mail. To illustrate further, the Center for Democracy & Technology did a survey (see http://www.cdt.org/speech/spam/030319spamreport.pdf) in which 8,842 out of 10,000 e-mails were SPAM. A finding of more than 88% SPAM must be seen in the context that the researchers had done many things to actively attract SPAM. There are no known figures for the number of e-mails sent from within Denmark each day.
Correspondingly, there are no figures for the number of employees either, but we can estimate the number of persons in Denmark who do a substantial part of their job in front of a PC at approximately 1,300,000. If we assume the same number of e-mails per person per day (55) as the estimated worldwide average and apply it to Danish conditions we get: 55 e-mails per day times 220 working days per year times 1,300,000 persons equals 15,730,000,000 e-mails sent per year. If more than 50% of that number is SPAM, it underlines the gravity of the problem, both in terms of wasted working hours and in terms of poor utilization of network bandwidth. If we include other forms of electronic communication the picture gets even worse. According to a survey published in the "IT- og Telestyrelsens Teleårbog" (a Danish periodical (Trans. note)) (see http://www.itst.dk/static/teleaarbog/2002/html/chapter02.htm) 2,018,654,000 SMS messages were sent in 2002. SMS is not yet hit as badly by SPAM, but it is anticipated that SPAM is likely to have a bad impact on that channel in the foreseeable future, maybe even rendering SMS unusable. Looking exclusively at Danish figures, it is obvious that the SPAM problem is smaller than what is reported from the US or the world on average. The Danish firm Comendo filters approx. 300,000 e-mails for SPAM daily for approx. 1100 customers (2003 figures). According to their findings almost one third is SPAM.

Figure 1: Percentage of SPAM e-mails recorded in the period: week 25-34, 2003.

A similar picture emerges if one looks at the individual days within a given month.

Figure 2: Percentage of SPAM e-mails in the period 23 July 2003 – 21 August 2003.
Figure 2 shows a systematic fluctuation in the percentage of SPAM during the week. It can be attributed to a drop in the number of legitimate e-mails during the weekend, while the number of SPAM e-mails is unchanged or even slightly higher; thus the percentage of SPAM rises during weekends. Updated figures can be seen at http://www.comendo.dk. On the international anti-SPAM day, 22 May 2003, statistics were compiled on which countries were the major sources of SPAM targeting Danish e-mail systems. The top ten were:

Table 1: Top ten countries of origin for SPAM targeting Danish e-mail servers on 22 May 2003.

Rank  Country               Percent
1     USA                   38.59
2     China                 12.24
3     Korea                  8.64
4     Brazil                 4.32
5     Canada                 3.28
6     Great Britain          2.24
7     Denmark                2.18
8     Sweden                 2.16
9     Germany                2.04
10    Spain                  1.83
-     All other countries   22.48

The results in table 1 show:

- That the SPAM observed primarily stems from countries with no regulation of electronic marketing.
- That the servers sending the SPAM are primarily located in developed countries where it is possible to get a free e-mail account.

Figures provided by Comendo show a great number of types of SPAM. On the international anti-SPAM day 2003, 73,445 e-mails were stopped. Table 2 shows some typical examples of these.

Table 2: Typical subject lines indicating the wide-ranging mixture of products, services, medicine and porn offered by the SPAM stopped on 22 May 2003 by Comendo (spelling as in the original messages).

- Adope Photoshop, over 85% off retail.. save over $400!
- Earn a six-figure income from home with Ebay!
- Unlimited adult DVD downloads, for free..
- Mortgage Aprroved… get the home loan you deserve – lowest
- 40% off the leading AntiVirus software in the world…
- Someone Sent You An Instakiss! See who!
- You can order Anti-depressants, weight loss meds, and pain…
- Viagra, Phentermine, Xenical & many others prescribed online
- Cum watch med play =)

The nuisances of SPAM

Most companies take the view that SPAM is easy to identify in the inbox and that it has not yet escalated to a level calling for immediate action. Such an intuitive approach to SPAM may not be the best way to handle it. Instead it may be more profitable to look at the different ways in which SPAM bothers the company. SPAM can have a profound psychological impact on people. Quite a few are provoked by being sent pornographic material, offers for hormones, offers for psychopharmaceuticals and so on. Such messages intrude on the private sphere most people maintain regarding these subjects. Other people will instead have their attention drawn to these subjects and will start spending working hours looking through the material. It could be argued that companies have a social responsibility to protect young and vulnerable people from the offers contained in SPAM. Along the same line of argument, there is no reason for people to spend their spare time sorting out and getting rid of SPAM. The load SPAM puts on network bandwidth is also a problem. Handling the rapidly growing amount of SPAM calls for increases in both bandwidth and server capacity, and the volume of SPAM can even reduce the stability of the network. Malicious code carried with SPAM can lead to great costs for companies. There are signs that SPAM is increasingly used to cover deliberate attempts to plant malicious code in company networks, either as code sent within the e-mail or as links contained in the e-mail, pointing to sites from which the code is fetched when the e-mail is opened.
The malicious code can be worms, viruses, trojan programs, or programs designed to probe the target's infrastructure or to confirm that the e-mail address is live and in use. The time employees spend handling SPAM is another significant nuisance. Most people think it is only a matter of seconds, but normally the process is much longer. A common scenario: a person is working at the computer; an e-mail arrives and some sort of notification is triggered, interrupting the user. The user switches to the e-mail program and starts reading. Depending on how well the e-mail has been composed it can take from a few seconds up to half a minute to identify it as SPAM. If it is SPAM, one normally stops reading, closes and deletes the e-mail and then switches back to the interrupted work, where one has to recollect where one left off and recommence. Surveys indicate that on average it takes 30-40 seconds to handle a SPAM e-mail. Assuming that every employee receives 55 e-mails per day, of which approximately half is SPAM, this amounts to 13.5 minutes per day per employee spent getting rid of SPAM (27 SPAM e-mails at 30 seconds each). Assuming an hourly wage of 150 DKK, SPAM handling sums to 33.75 DKK per employee per day. On top of that come the costs of added network capacity and the indirect cost of possible network instability. Finally there is the unpleasantness employees feel from being victims of SPAM. SPAM does cost at the company bottom line. In some countries the employer is held responsible for the effect SPAM may have on the mental state of the employee, especially if the employer has not done what could reasonably be expected to filter out SPAM before it reaches the employee. Such a move to hold the employer responsible for the handling of SPAM is not yet established in Europe.
In Denmark, for example, the employer has no strict liability to ensure that no SPAM reaches the employees. But it is conceivable that such a responsibility might be imposed in the future, and it may therefore be wise to prepare a policy regarding SPAM.

Methods used to harvest e-mail addresses

People preparing to send SPAM use several different methods to get hold of interesting e-mail addresses:

- Scanning of web pages and newsgroups is common practice, using harvesting programs like "Atomic Harvester", "Perfect E-mail Harvester" and "Power E-mail Harvester". According to a survey by the Center for Democracy & Technology, http://www.cdt.org/speech/spam/030319spamreport.pdf, harvesting is the biggest single cause of subsequently receiving SPAM.
- Buying collections of e-mail addresses and tools for sending SPAM.
- Guessing: iterating combinations of alphanumeric characters ([email protected], [email protected], …), trying likely short names like "info", "carl" and the like, or other dictionary-based approaches.

Some possible solutions to regulate the behaviour of the users

The cost of fighting SPAM need not be of the same magnitude as the cost of simply letting employees handle SPAM themselves. A lot can be gained, in terms of reducing the amount of SPAM received, by following a set of simple behavioural rules.

a. There is a connection between management responsibility and IT-security policies

It is within the realm of IT security that management is responsible for outlining the directions governing behaviour aimed at securing the company's electronic data and electronic communication. A logical subset of these directions are policies for handling received SPAM as well as guidelines for the use of electronic marketing.
The rules for outgoing electronic marketing, to avoid the company itself acting as a spammer, can be read in the following sections on the marketing law. Rules for incoming SPAM must be written into the company's IT-security policies. They must reflect the company's position on subjects such as which technical security measures must be acquired and how employees are expected to behave to avoid exposing the company to SPAM. Some elements to be considered for such policies are the subject of the following sections.

b. Estimate to what extent the company must be protected

The company ought to consider to what extent protection is desirable. Within that scope one should consider:

- How to define SPAM.
- What amount of SPAM can be tolerated given network capacity, server capacity and so on.
- Are there types of SPAM that can under no circumstances be tolerated?
- What costs (in terms of employees handling SPAM personally; see the estimate above) is the company willing to bear?
- Which parts of the company are to be protected differently or at a different level?
- Is the company willing to deploy special servers that employees may use for private purposes?

c. Should employees have a free web-based e-mail account?

The company must consider whether employees may use the company-supplied e-mail address for private purposes. Within that scope it is worth considering whether employees should be encouraged to get a web-based e-mail account for private purposes, or even use such an account for certain company-related purposes. For instance it might be a good idea to use such an address for newsletters and mailing lists, especially lists that are particularly hit by SPAM.
The benefit of such a scheme is that the company's IT systems are not directly exposed to the load, and the likelihood of the employee's real e-mail address being harvested into SPAM target lists is greatly reduced. Of course SPAM can hit the web-based account too. Using such a scheme, the company must be aware that it is very difficult to impose the same restrictions and policies as when e-mail is handled by a standard e-mail client. For instance, many companies have chosen to ban or filter e-mails containing files with specific extensions (".vbs", ".exe" etc.). Such rules may not be enforceable for downloads from the internet, and therefore not for files arriving through a web-based e-mail client either. If the company encourages web-based e-mail, the implied problems must be carefully considered. It is recommended that the company help employees get a web-based e-mail address that complies as closely as possible with the company's IT-security policies. One possibility is that the company provides a small web-based e-mail server for just that purpose.

d. Guidelines for the external use of the official e-mail address

One should create guidelines governing when it is acceptable to use the official e-mail address with newsgroups, newsletters and mailing lists. Exposing one's e-mail address through those channels is known to be a significant source of SPAM, even though those channels can be very relevant to the work.

e. Do not reply to SPAM

It is strongly recommended never to reply to SPAM and never to use any link to "opt out" (or, for that matter, any link at all). Such links are often a way to discover whether the e-mail address in question is still active and valid. Specially coded references to pictures embedded in HTML-based e-mails (a unique image URL per recipient) can serve the same function without the user needing to do anything but look at the e-mail.
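As an added example that is not part of the original guide, the following Python script shows what such an image beacon looks like inside an HTML e-mail and how a mail client or gateway can spot and neutralise it before the message is rendered. The sample message body is constructed for the example; the 1x1-pixel and token-length heuristics are assumptions of this example, not a standard.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample HTML mail body (not from the original guide). The second
# <img> is a 1x1 pixel whose URL carries a per-recipient token: when the mail is
# rendered, the fetch tells the spammer that this address is live.
SAMPLE_HTML = """<html><body>
<p>Great offer, click <a href="http://example.com/offer">here</a>!</p>
<img src="http://example.com/logo.png" width="100" height="40">
<img src="http://track.example.net/open.gif?id=3f9a2c7e1b4d8a6c5e2f" width="1" height="1">
<img src="cid:inline-logo@example.com" alt="inline">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def remote_images(html):
    """Return the <img> tags whose src is fetched over http(s); cid:/data: are local."""
    parser = _ImgCollector()
    parser.feed(html)
    return [img for img in parser.images
            if urlparse(img.get("src", "")).scheme in ("http", "https")]


# An opaque token of 16+ URL-safe characters (assumed threshold for this example).
_TOKEN = re.compile(r"^[A-Za-z0-9_-]{16,}$")


def is_likely_beacon(img):
    """Heuristics: a 1-pixel image, or a long opaque token in the query or path."""
    if img.get("width") == "1" or img.get("height") == "1":
        return True
    url = urlparse(img.get("src", ""))
    if any(_TOKEN.match(v) for values in parse_qs(url.query).values() for v in values):
        return True
    return any(_TOKEN.match(segment) for segment in url.path.split("/"))


def beacons(html):
    """URLs of the remote images that look like tracking beacons."""
    return [img["src"] for img in remote_images(html) if is_likely_beacon(img)]


# Any <img> whose src starts with http:// or https://, quoted or not.
_REMOTE_IMG = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']?https?://[^>]*>", re.IGNORECASE)


def strip_remote_images(html):
    """Neutralise every remote image so that merely viewing the mail fetches nothing.

    Dropping all remote images, not only suspected beacons, is the safe default:
    a plain-looking logo URL can carry the token just as well.
    """
    return _REMOTE_IMG.sub("<!-- remote image removed -->", html)


if __name__ == "__main__":
    for url in beacons(SAMPLE_HTML):
        print("beacon:", url)
    print(strip_remote_images(SAMPLE_HTML))
```

The heuristics only classify; the protective step is strip_remote_images, which is what "do not load remote content" in a mail client amounts to.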
E-mail addresses proven valid and active will most likely receive even greater amounts of SPAM.

f. Protection of customer data

The company must be aware of the current legislation protecting customer data against sale or other transfer. (Referring to Danish legislation. (Trans. note.)) In Denmark it is illegal to sell or transfer such data to any third party without the written consent of the person(s) the data concerns.

g. Read the privacy policies

If one needs to use the official e-mail address to enrol in some service through a web page, it is important to read the privacy policy governing the use of the web site and its services, especially the provisions on how to withdraw from the service(s) and on the site's sharing of data with third-party partners or companies. According to statistics (http://www.cdt.org/speech/spam/030319spamreport.pdf) almost all sites having a privacy policy do adhere to it.

h. Do not relay or forward SPAM

The amount of SPAM is already enormous and there is no reason to add to it by forwarding SPAM to others, no matter how tempting the offers sound. Recipients can see where it came from, and it may give an unwanted impression of both the sender and the sender's company; besides, one runs the risk of being registered as a spam site, making it impossible for the company to send legitimate e-mails.

i. Create an internal e-mail address for SPAM

An internal e-mail address to which employees can forward SPAM gives the e-mail system administrator an opportunity to gather evidence of SPAM and to use the data that can be extracted from it to block further e-mails from the same origin.

Some technical solutions

A number of solutions exist that are able to filter and sort incoming e-mail almost flawlessly. One should consider employing such a system.
a. On-site handling of SPAM or a third-party solution?

When a company decides to take a technical approach to SPAM handling, two fundamentally different paths can be taken: deploying a "box" / program in-house, or buying the service from a third party. The types of systems / programs that can be deployed on the company network depend heavily on the specific needs and the supplier contacted. Hardware solutions often contain a broad spectrum of services, for instance anti-virus, content scanning, anti-spam, secure web-mail and so on. The hardware solutions also differ in the maintenance they require: must one install updated filters several times a week, or will the "box" fetch them automatically via the internet? A common aspect of the hardware solutions for SPAM handling is that they are based on one or several filters. The filter types depend on the goal:

- One filter type consults a database of known SPAM sender addresses. The database is updated via the internet so that every time SPAM is known to have been delivered from a specific address, that address is blacklisted, and one will no longer receive e-mail from it.
- Another filter is based on recognition of already known SPAM mails. When a SPAM e-mail is recognized as SPAM and blacklisted, a checksum is generated and compared with checksums computed on all e-mails destined for the company. If an e-mail is recognized as SPAM it is removed from the server.
- A third filter is based on the principle that the number of times a specific e-mail has been seen on the internet is a good indication of the likelihood that it is SPAM. Given a threshold of, say, one million sightings, one can assume the e-mail is SPAM.
- A fourth filter uses specific characteristics of the e-mail: does it come from a news service; what colour are the letters; are known phrases or words used.
- A fifth filter analyzes SPAM and determines common characteristics identifying it. Those characteristics are used to identify and possibly classify subsequent e-mails as SPAM. The filtering algorithm analyzes all incoming e-mail and learns what language is used at the company, so that strongly deviating e-mails can be identified and sorted out. It is, for instance, plausible that the word "creditcard" is a sign of SPAM in an e-mail sent to a glazier but a sign of legitimate e-mail if sent to a bank.
- The last type of filter (known at the time of writing) is the kind configured by oneself based on one's own experience, for instance white- and blacklisting of particular senders. If one never wants to receive e-mail from a particular sender, that sender can be permanently blacklisted; if there is a sender whose mail must never be rejected, that sender can be whitelisted. Basically the concept is to give it a thorough thought: who is the "enemy" and who is the "friend", and perhaps how to identify them, why and when.

As stated, locally placed hardware is only one of the possible solutions. One may decide to get the SPAM filtered out before it enters the company network. A range of companies offer the service of sorting and filtering e-mail for viruses, worms, SPAM and the like, using the same techniques described above. The convenience is that one does not have to house the hardware on the company premises; instead one relies on others to keep the filters updated and to do whatever manual work is needed to ensure that a major attack does not affect the company. One does not have to worry about excessive bandwidth use or the need for extra e-mail storage capacity.
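As an added example, not from the guide or from any product it mentions, the Python below wires three of the filter types above into one decision: a DNS-based blacklist lookup of the sending host (the first type), a fuzzy checksum match against known SPAM (the second type), and the administrator's own white- and blacklists (the last type). The zone name, the listed address, the resolver and the sample messages are constructed stand-ins so the code runs offline; a real deployment resolves the query name with DNS and interprets the answer according to the list operator's documented return codes.

```python
import hashlib
import ipaddress
import re

DNSBL_ZONE = "dnsbl.example"   # assumed zone name; real zones are published by the list operator


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Name to resolve for a DNS-based blacklist: the address octets reversed, under the zone.
    192.0.2.1 -> 1.2.0.192.<zone>; IPv6 addresses use their reversed nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + "." + zone
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + zone


def dnsbl_listed(ip, resolve, zone=DNSBL_ZONE):
    """resolve(name) returns the A records for name, or [] when the name does not exist.
    A listed host answers with an address in 127.0.0.0/8; no answer means not listed."""
    return any(a.startswith("127.") for a in resolve(dnsbl_query_name(ip, zone)))


def body_fingerprint(body):
    """Checksum of the body with digits, punctuation and spacing removed, so the
    trivial variations spammers add to defeat exact matching hash the same."""
    letters_only = re.sub(r"[^a-z]+", " ", body.lower())
    return hashlib.sha256(" ".join(letters_only.split()).encode()).hexdigest()


def classify(msg, *, resolve, known_spam, blacklist=frozenset(), whitelist=frozenset()):
    """Decide 'accept', 'reject' or 'quarantine' for msg = {'from', 'client_ip', 'body'}.
    Order matters: the administrator's whitelist wins over every automatic check."""
    sender = msg["from"].lower()
    if sender in whitelist:
        return "accept"
    if sender in blacklist:
        return "reject"
    if dnsbl_listed(msg["client_ip"], resolve):
        return "reject"
    if body_fingerprint(msg["body"]) in known_spam:
        return "quarantine"
    return "accept"


# --- constructed test data so the example runs offline ---------------------

LISTED_HOST = "203.0.113.7"   # pretend this address is on the blacklist


def fake_resolve(name):
    """Stand-in resolver: only the listed host's query name has an answer."""
    return ["127.0.0.2"] if name == dnsbl_query_name(LISTED_HOST) else []


KNOWN_SPAM = {body_fingerprint("Buy V1AGRA now!!! 50% off, order today")}

SAMPLES = [
    {"from": "bob@example.net", "client_ip": LISTED_HOST, "body": "hello"},
    {"from": "offers@example.org", "client_ip": "198.51.100.4",
     "body": "buy v2agra NOW... 70% off, order today"},   # obfuscated variant of a known mail
    {"from": "carl@example.org", "client_ip": "198.51.100.5",
     "body": "Minutes from Tuesday's meeting attached"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", classify(m, resolve=fake_resolve, known_spam=KNOWN_SPAM))
```

Note that a whitelisted sender bypasses the DNSBL check as well, which is the point of a whitelist but also why sender addresses on it should be ones the site can trust despite being forgeable.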
One major drawback of this solution is that the privacy of the sending party might be considered breached, as the owner of the filtering system can read the e-mail in transit. Some system administrators prefer to own and operate the hardware, to plan and control the infrastructure needs, and finally the organization may not want to outsource this type of task. (Trans. note: third-party solutions may have an even deeper impact on the possibility of using digital signatures.) If the chosen solution for handling SPAM employs filtering of some sort, one must be aware of the consequences: if the filtering rules are too restrictive, or if customers use a relaying ISP that is marked as a SPAM origin, the company may fail to receive some of the e-mails needed for its business. The filter must therefore be carefully crafted and supervised. If one chooses an external filtering party, the company's e-mail is routed through the external company before entering one's own e-mail system. If one chooses to handle the filtering task in-house, there are three approaches:

1. Install an anti-SPAM product on the company SMTP relay (which does not need to be an e-mail server).
2. Install an anti-SPAM product on the company e-mail server (which may conveniently also be the SMTP relay). In addition, use the built-in anti-SPAM services that may be present in the server software.
3. Use functions embedded in the e-mail client software.

b. What is embedded in the software the company already has

Several of the products most companies are using these days have properties enabling one or several filtering techniques, so at least some SPAM can be weeded out already.

b1. Lotus

Lotus Domino contains elements designed to handle SPAM.
It can be dealt with at the server level so that the user does not have to consider whether the e-mail received is SPAM; it is a company decision. On top of that, the user has the option to get rid of the SPAM that bypasses the company-defined rules and criteria and slips through. On the server side Lotus Domino has the following facilities:

- Server mail rules
- DNS-based blacklist filtering
- Restrictions on acting as a relay
- Blocking of internet-based e-mail

A brief walk-through of the above elements:

Lotus Domino server-based mail rules: To handle SPAM one can set up rule sets at the server level (applied when the e-mail arrives) by defining criteria for handling e-mail. The major issue is to define characteristics that pinpoint SPAM. These can be:

- Who is the sender
- What is the subject
- What is the content
- From what domain does the e-mail originate
- How big is the e-mail
- What files are attached (name and count)

The criteria can be used alone or in combination to define whether the e-mail should be refused, quarantined or accepted.

DNS-based blacklist filtering: DNS-based blacklists work by looking up the sending server in external databases that keep track of SMTP hosts considered SPAM origins. Using this service, each e-mail can be checked and a decision made whether it should be rejected, quarantined or delivered. Because the external databases are updated regularly, the maintenance burden on the company is relieved somewhat.

Restrictions on acting as a relay: One of the more "elegant" ways for a spammer to get SPAM distributed is to let another host act as a relay, hiding traces of the SPAM's origin.
This is not desired for three reasons: it bypasses restrictions imposed by the system on the sender; it gives rise to an unwanted load on the server and network; and worst of all, the company will be acting as a SPAM origin (and most likely become known as one). Lotus Domino has several possibilities to avoid such a situation: you can control which Internet domains the server will accept to relay to, and which Internet hosts are accepted as relaying through this host.

Blocking and control of Internet-based e-mail: Beyond the possibilities mentioned so far, other mechanisms can be used in conjunction with the filtering: for instance, the possibility to define whether a user may or may not receive Internet e-mail; secondly, whether the user exists or not; and finally, who may receive from what Internet domain.

The Lotus Notes client: Even though the above mentioned server-based possibilities can ease the load of SPAM quite significantly, some SPAM e-mail will slip through to the user. It is a choice how restrictively one wants to define the server-based filtering, weighed against the fact that there are some e-mails that one wants to receive which might be ruled out as possible SPAM. Therefore some restrictions should be up to the user to define and refine. That is an option in Lotus Domino, or rather in the client, Lotus Notes. The user has the option to define his own rule sets for the handling of incoming e-mail, parallel to the server-based rule sets. The user can choose to delete e-mails based on sender, content or domain, among other options.

The above mentioned double set of filters gives a way to minimize the damage and impact that SPAM can cause on the company's daily operations: first by using the company-wide, administrator-defined filter, then by using the filters refined by the user.
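As an added example (not code from the guide or from Lotus Domino), the following Python script models the three server-side facilities just described, the relay restriction, the DNS-based blacklist lookup and server mail rules on the listed criteria, applied to constructed sample messages. The local domain firm.example, the trusted network 192.0.2.0/24, the blacklist zone dnsbl.example and all addresses and patterns are assumptions made for the example, and the DNS resolver is a stand-in so that the script runs offline.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Site configuration: constructed values for this example.
LOCAL_DOMAINS = {"firm.example"}                           # domains this server receives mail for
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # hosts allowed to relay outward
BLOCKED_SENDER_DOMAINS = {"bulkmail.example"}              # criterion: originating domain
DNSBL_ZONE = "dnsbl.example"                               # hypothetical blacklist zone
MAX_SIZE = 2_000_000                                       # criterion: size in bytes
BLOCKED_ATTACHMENT = re.compile(r"\.(exe|scr|pif|bat)$", re.IGNORECASE)
SUBJECT_PATTERN = re.compile(r"free money|!!!|100% guaranteed", re.IGNORECASE)
CONTENT_PATTERN = re.compile(r"click here|no obligation", re.IGNORECASE)


@dataclass
class Message:
    client_ip: str      # address of the connecting SMTP host
    sender: str         # envelope sender
    recipient: str      # envelope recipient
    subject: str
    body: str
    size: int           # bytes
    attachments: list = field(default_factory=list)


def relay_decision(msg: Message) -> Optional[str]:
    """Relay restriction: mail for a recipient outside our own domains is only
    accepted from hosts inside the trusted networks. None means "keep checking"."""
    if msg.recipient.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
        return None                                   # inbound mail: further checks apply
    if any(ipaddress.ip_address(msg.client_ip) in net for net in TRUSTED_NETWORKS):
        return None                                   # our own network sending outward
    return "refuse: relaying denied"


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """A DNS-based blacklist is queried by reversing the octets of the connecting
    IPv4 address and appending the list's zone: 203.0.113.7 -> 7.113.0.203.dnsbl.example"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """Listed hosts answer with an A record inside 127.0.0.0/8; no record means not
    listed. The resolver is injected so the example runs without network access."""
    answer = resolve(dnsbl_query_name(ip))
    return answer is not None and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def apply_rules(msg: Message) -> str:
    """Server mail rules on the criteria listed above (sender domain, attachments,
    size, subject, content). Decisive hits refuse; a single weak hit quarantines."""
    if msg.sender.rsplit("@", 1)[-1].lower() in BLOCKED_SENDER_DOMAINS:
        return "refuse: blocked sender domain"
    if any(BLOCKED_ATTACHMENT.search(name) for name in msg.attachments):
        return "refuse: blocked attachment type"
    if msg.size > MAX_SIZE:
        return "quarantine: oversized"
    hits = bool(SUBJECT_PATTERN.search(msg.subject)) + bool(CONTENT_PATTERN.search(msg.body))
    if hits == 2:
        return "refuse: spam patterns in subject and content"
    if hits == 1:
        return "quarantine: spam pattern"             # one hit alone is not conclusive
    return "accept"


def evaluate(msg: Message, resolve: Callable[[str], Optional[str]]) -> str:
    """Checks in the order a server runs them: relay policy, then the cheap
    blacklist lookup, then the rules that need the message content."""
    verdict = relay_decision(msg)
    if verdict:
        return verdict
    if dnsbl_listed(msg.client_ip, resolve):
        return "refuse: connecting host is blacklisted"
    return apply_rules(msg)


# Constructed stand-in for DNS: only 203.0.113.7 is listed in the hypothetical zone.
FAKE_DNS = {"7.113.0.203.dnsbl.example": "127.0.0.2"}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


# Constructed sample traffic, one message per situation described in the text.
SAMPLES = {
    "open_relay_attempt": Message("198.51.100.9", "anyone@other.example", "victim@third.example", "hi", "hello", 900),
    "own_user_outbound": Message("192.0.2.25", "employee@firm.example", "partner@other.example", "Meeting on Monday", "See you at 10.", 1200),
    "blacklisted_host": Message("203.0.113.7", "news@somewhere.example", "sales@firm.example", "Newsletter", "This month's offers.", 4000),
    "blocked_attachment": Message("198.51.100.20", "supplier@vendor.example", "sales@firm.example", "Invoice", "Please see attached.", 30000, ["invoice.EXE"]),
    "suspicious_subject": Message("198.51.100.21", "colleague@partner.example", "sales@firm.example", "FREE MONEY seminar notes", "Minutes from today are attached.", 5000),
    "obvious_spam": Message("198.51.100.22", "promo@deals.example", "sales@firm.example", "100% guaranteed results!!!", "Click here now, no obligation.", 2500),
    "normal_mail": Message("198.51.100.23", "customer@shop.example", "sales@firm.example", "Order question", "Can I change my delivery address?", 700),
}


def run_samples() -> dict:
    """Verdict for every sample message."""
    return {name: evaluate(msg, fake_resolve) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} {verdict}")
```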
b2. Microsoft

Microsoft has very actively entered into the fight against SPAM, both by improving and developing the anti-SPAM measures within its own products and by joining forces with other actors in the market: Yahoo! and AOL. This cooperation aims at producing a "best practice codex" defining guidelines for the sending and handling of commercial e-mails. Finally, Microsoft has gone the legal path by filing lawsuits against 15 originators of SPAM, and more are on the way.

Products with built-in SPAM filters: The most sensible way to fight SPAM is to ensure that the SPAM does not reach the intended recipients. Users of Microsoft products have access to a range of tools to accomplish this. Whether one is using Microsoft Outlook, Outlook Express or a hotmail address at http://msn.dk, there is access to professional grade SPAM filters. All it takes is to activate the built-in SPAM filter, after which the e-mail client will sort all e-mails received.

A quick how-to guide for the Microsoft products: New anti-spam tools have been introduced with Exchange Server 2003, which is being launched in autumn 2003. These tools aim at helping the company minimize the loss of time and money due to the impact of SPAM. One function scans all incoming e-mails and assigns each a score (a Spam Confidence Level) estimating the likelihood that the particular e-mail is SPAM. Based on criteria defined by the administrator it is decided whether to let the e-mail enter the user's inbox or redirect it into a junk mail folder. This way the employee need not spend time sorting unwanted e-mail out of the inbox. You can read more about the new anti-SPAM tools in Exchange Server 2003 at http://www.microsoft.com/presspass/press/2003/Apr03/04-14AntiSpamPR.asp

The new version of Outlook, Outlook 2003, likewise contains new features adding to the range of anti-SPAM tools.
An advanced "junk e-mail filter" will automatically sort unwanted e-mails based on criteria such as content, structure, sender type et cetera. A "safe senders list" can be defined to indicate senders that will always be accepted. Likewise a "blocked senders list" can be defined to unconditionally block certain senders. These are but a few of the new anti-SPAM features contained in Outlook 2003 (see http://www.microsoft.com/office/preview/editions/junkmail.asp). More general information on how Microsoft fights SPAM can be read at http://www.microsoft.com/mscorp/innovation/twc/strategies/arbogast_spam.asp

b3. Novell

Novell GroupWise is a groupware platform that is offered for the Windows environment, the Netware environment and soon (early 2004) the Linux environment. The platform offers policy-governed SPAM handling at several levels, aimed at meeting the different demands individual companies pose. The technology used within this product to identify and handle SPAM can either be delivered as a built-in component of GroupWise (from version 6.5) or by third party suppliers as an add-on component for GroupWise. This functionality within GroupWise makes it possible to build, for instance, an anti-SPAM gateway in conjunction with the company GroupWise system, or to outsource that functionality to an external service provider. An alternative solution is to establish an anti-SPAM service directly integrated into the company GroupWise domain and post-office servers.

The methods used for identifying SPAM can for example be based on information about the sender, by lookup through real-time blacklists (RBL), or the filtering could be based on the content of the e-mail, for instance by keyword, size or type of attached file, and by heuristics. GroupWise 6.5 has a built-in blacklist functionality to identify and handle SPAM.
Anti-SPAM functionality can be defined at the Internet Gateway level, where both manually maintained (address) blacklists and one or more third party RBLs can be defined to protect against SPAM. Any GroupWise user can at the same time create his own "positive" and "negative" lists to either allow or deny e-mail from particular senders, to deliver the received e-mails into a junk mail folder, or to delete the e-mails at the post-office level before they reach the intended recipients.

The use of blacklists has the inherent drawback that they may be labor-intensive to define and maintain, and there is a risk of a number of "false positives" (e-mails that the automatic mechanisms classify as SPAM but which are not). The blacklist function can with success be combined with other mechanisms in third party anti-SPAM services (like the before mentioned filtering based on keywords, size et cetera). Especially the heuristic function is interesting, as it employs a range of tests to decide whether the e-mail is SPAM or not. The "intensity" of these tests can be fine-tuned when needed, and the heuristics can be modified as an ongoing effort so that one can tune the filter to detect the specific type of SPAM that one is most bothered by at any one time. Heuristics can be an effective tool to detect new (unknown) types of SPAM.

Leading third party anti-SPAM software supports GroupWise from version 5.5 (or newer), but the possibility to use the new security related functions has greatly improved in GroupWise 6.5 because of a new open architecture. The same products typically contain a range of other security related functions such as virus elimination, bandwidth control, extended archiving, auditing and other security functions for the GroupWise system. Read more about the GroupWise system at http://www.novell.com/products/groupwise/
b4. Sendmail

Sendmail is a program that can be obtained for almost any conceivable operating system, but its most widespread use is on different flavors of UNIX systems. Sendmail (and other mostly UNIX-based systems like Postfix, Qmail, Exim et cetera) are mostly deployed as gateways or relays between the company's internal e-mail servers and the Internet. Sendmail can be delivered and updated on a regular basis by most major hardware and software vendors, or Sendmail can be fetched freely from http://www.sendmail.org/

Anti-SPAM provisions in Sendmail can be obtained by using a broad range of tools and options for configuration. As a start, most common distributions of the Sendmail package are by default configured not to let the system act as an open relay, and the set of rules employed and the possibilities for configuration and fine-tuning are updated on a regular basis when new vulnerabilities are found, when SPAM "attackers" find new ways of emitting SPAM, and when new versions of Sendmail are released. For that reason it is very important to keep the installation updated to the current version. Sendmail (and Postfix, Qmail, Exim et cetera) can be configured to provide very efficient protection against SPAM. Used together with internal e-mail servers and clients equipped with good tools, it is possible to have a very cost-effective solution with great flexibility for the users.

Protocol and check of the sender: Sendmail is by origin very restrictive regarding conformance to the formalities of the communication (are the protocols used correctly, do domain names resolve, et cetera), but Sendmail can be tuned to a higher or lesser degree of protocol checking, from the default "restrictive" behavior to either "paranoid" or, in the other direction, "ignorant". The more restrictive you make your site regarding the protocols other sites must adhere to, the fewer sites will be able to send to your gateway unless you explicitly white-list them.
The other way around, being relaxed regarding the protocols raises the demand for effective filter rules dramatically. The general rule of thumb is: being restrictive regarding protocols gives more maintenance but easy configuration; a more relaxed approach towards the checking of protocols gives easier maintenance but a rather complicated configuration and a significant risk of becoming a site easily used as a springboard for SPAM.

Filtering based on sender or sending system: A vanilla Sendmail system can operate on blacklists, whitelists, pattern-based rules, lookups through internal and external databases and through DNS. You can specify the filters to use the specific sender, receiver, hostnames, Internet domains and IP addresses, to some degree by protocol, and combinations thereof (see http://www.sendmail.org/m4/anti_spam.html). In the newer versions of Sendmail it is quite easy to configure and test new configurations without the need to go off-line, and it is possible to run several instances of Sendmail, each with a specific functionality and set of filters. It is also possible to use third party "plug-ins", just as it is possible to write one's own specific set of filters (see http://www.sendmail.org/m4/adding_mailfilters.html). Sendmail can easily be configured to refuse e-mail coming through open relays by using specialized DNS lookups (see for instance http://www.ordb.org/faq/), just as it is easy to use lookups in public databases of known SPAM sites (see for instance http://www.spamcop.net/fomserve/cache/291.html; trans. note: RBL).

Content filtering: Content filtering is not a part of a vanilla Sendmail. Instead it is normal to use third party filters (as plug-ins) or to let several instances of Sendmail hand the e-mail down through external filters and then back into Sendmail.
An example of a widely used system building upon this concept is "SpamAssassin" (see http://spamassissin.taint.org/ and http://www.ijs.si/software/amavisd/README.sendmail-dual), which has a very good success rate and includes the possibility to do a virus scan before the e-mail enters the company network. SpamAssassin operates with a broad range of rules and filters like: analysis of the e-mail header; content analysis (heuristics, keywords and learned patterns); dynamically maintained blacklists and external databases. The system can unpack, uncompress and scan most forms of encoding and compression formats. SpamAssassin can also operate in a mode where it "learns" the content of the company's "normal" and "abnormal" (i.e. SPAM) types of e-mail. Companies having a big e-mail flow might consider employing CRM114 (see http://crm114.sourceforge.net/) as an extra learning and filtering tool in conjunction with SpamAssassin. Sendmail can also use external servers (like Exchange and Lotus) to provide even further filtering (or use Exchange / Lotus as a central place for site-wide policies), archiving, sorting et cetera.

c. SPAM in conjunction with mobile access

An increasing number of employees work in the field or from home and use some sort of mobile access to the company network. These types of access are typically slower than the company network overall. It is therefore important to protect mobile offices to avoid spending time downloading loads of junk.

d. Avoid using e-mail addresses on web pages

One should consider how to avoid exposing one's e-mail addresses in a form easily harvestable by scanners. One possibility is to restrict exposure to having only one dedicated company e-mail address on the web site.
Another possibility is to mask e-mail addresses by different techniques: avoiding "@" by rewriting to "name at firm dot com"; replacing "@" by its numeric character code from the ISO Latin-1 character set ("&#64;" in HTML; see http://www.w3.org/TR/REC-html32); or masking the whole address by encoding every character of it (so that, for instance, "test@test.dk" is still displayed as "test@test.dk" although the page source contains only character codes; a generator to create these rewritten addresses can be found at http://www.wbwip.com/wbw/emailencoder.html). Such rewritten e-mail addresses will not be recognized by the current majority of automatic e-mail address harvesters. A survey done by the Center for Democracy & Technology, http://www.cdt.org/speech/spam/030319spamreport.pdf, has shown that if this method to obscure the e-mail address is used, it is possible to avoid SPAM. It is, though, probably only a short while before the automatic harvesters will be able to recognize obscured e-mail addresses.

Another alternative is to write the e-mail address into a link field with the subject pre-filled with a white-listed text, and subsequently use a specific filter that only allows e-mails to the address with the matching white-listed subject. The last possibility is not to use any e-mail addresses on the web page, but instead to create a form requiring the sender to fill in his own (valid) e-mail address, and to send the e-mail from the web server (this introduces other security considerations outside the scope of this article).

e. Get a digital signature

It is recommendable to have and use a digital signature. When using a digital signature one can establish authenticity regarding one's own identity in communication with others. It means that the receiver of a signed e-mail can identify the sender, and over time that could probably limit the amount of SPAM, because senders of SPAM probably won't sign their e-mail. A digital signature might therefore be a key part of SPAM filtering and sorting.
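The masking techniques listed in section d, as an added example that is not part of the guide: the "@" or the whole address encoded as HTML character references, the spelled-out "at / dot" form, and a mailto: link with a white-listed subject together with the filter check on the receiving side; a simple address pattern of the kind a scanner matches is run over the page source to confirm that the masked forms are not found. The address info@firm.example and the subject text are constructed for the example.

```python
import html
import re
from urllib.parse import quote

# Pattern of the kind an automatic harvester matches on raw page text. It is used
# here only to verify that the masked forms are not matched.
ADDRESS_PATTERN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def mask_at_sign(address: str) -> str:
    """Replace only the "@" by its numeric character reference (&#64;)."""
    return address.replace("@", "&#64;")


def mask_whole_address(address: str) -> str:
    """Encode every character as a decimal character reference; a browser renders
    it as the plain address, but the page source contains no "@" at all."""
    return "".join(f"&#{ord(ch)};" for ch in address)


def spell_out(address: str) -> str:
    """The "name at firm dot com" rewriting, meant for humans to read back."""
    local, domain = address.split("@", 1)
    return f"{local} at {domain.replace('.', ' dot ')}"


def mailto_with_subject(address: str, subject: str) -> str:
    """A mailto: link with a pre-filled subject, so that a server-side filter can
    accept only mail to this address that carries the white-listed subject."""
    return f"mailto:{mask_whole_address(address)}?subject={quote(subject)}"


def subject_is_whitelisted(received_subject: str, expected: str) -> bool:
    """Filter side of the mailto technique: accept only the white-listed subject
    (compared case-insensitively, ignoring surrounding whitespace)."""
    return received_subject.strip().lower() == expected.strip().lower()


def harvester_finds(page_source: str) -> bool:
    """True if the simple address pattern matches anything in the raw page source."""
    return ADDRESS_PATTERN.search(page_source) is not None


def renders_as(masked: str) -> str:
    """What a browser shows for the masked text (character references decoded)."""
    return html.unescape(masked)


# Constructed page fragments, one exposed and one masked.
ADDRESS = "info@firm.example"
SUBJECT = "Web enquiry"
PAGE_PLAIN = f'<p>Contact: <a href="mailto:{ADDRESS}">{ADDRESS}</a></p>'
PAGE_MASKED = (f'<p>Contact: <a href="{mailto_with_subject(ADDRESS, SUBJECT)}">'
               f"{mask_whole_address(ADDRESS)}</a></p>")


def demo() -> dict:
    """Compare the plain and masked page fragments; returns the findings."""
    return {
        "plain_found": harvester_finds(PAGE_PLAIN),            # exposed address is matched
        "masked_found": harvester_finds(PAGE_MASKED),          # masked page is not matched
        "masked_renders": renders_as(mask_whole_address(ADDRESS)) == ADDRESS,
        "at_masked_renders": renders_as(mask_at_sign(ADDRESS)) == ADDRESS,
        "spelled_out": spell_out(ADDRESS),
        "subject_ok": subject_is_whitelisted(" web enquiry ", SUBJECT),
        "subject_rejected": subject_is_whitelisted("Cheap offers", SUBJECT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

As the text warns, a harvester that decodes character references would still recover the address; the check only shows that the plain pattern does not.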
f. Hide your e-mail addresses

If you need to be able to communicate with someone on the Internet who asks for your e-mail address, but whom you do not trust or even suspect of misusing the address for SPAM, then it is possible to hide behind another e-mail address. In principle a simple method: give out an address you have obtained from a company that provides such fake (temporary) addresses. The fake address must be set up to route e-mail to and from your real e-mail address. When SPAM starts to arrive at the fake address, it is simple to drop it again.

g. Avoid having open relay e-mail servers

E-mail servers can send e-mails to other servers without either the sender or the receiver being a user of the system. This is called relaying and is a vital part of most chains of e-mail flow in and out of the networks that comprise the Internet, but it also means that it is possible to send e-mail claiming to be someone else. This possibility, combined with a list of recipients to be targeted, describes a SPAM scenario where the alleged origin is the relaying system and the sender address is faked. An e-mail server should be configured to only allow relaying for users and systems known to be part of one's own network (or other trusted networks). You can test your own e-mail server (if you are the owner and administrator) by using the tools at http://www.ordb.org/. At the site "ordb.org" open relay servers are registered, whether found through voluntary tests or not, and can be looked up both by other e-mail servers and by hand. If your e-mail server winds up in that register, you will probably not be able to communicate with most other e-mail servers around the world until the server has been reconfigured to disallow open relaying.

h. Create e-mail addresses with some thought

It is very common for SPAM senders to guess addresses by using systematic combinations of letters (like "aaa", "aab", "aac", ...) or common names (like "jens", "bill", "info").
It is therefore advisable to use long addresses to limit the possibility of guessing valid names. You might use "surname.christian [email protected]" instead of just "[email protected]" (or even worse: "[email protected]").

The Danish marketing law regulating SPAM

The marketing law was changed during the summer of 2003 after the subject "SPAM" had been dealt with in a European context. The change of the legislation meant that a new subsection 2 was inserted into article 4 in law no. 450 of 10 June 2003 regarding changes to the law regulating competition and consumer conditions in the telecommunications market (implementation of the "99-review" directive). Subsections 2-6 in the old law became subsections 3-7. The regulation implements parts of the European Parliament and Council directive 2002/58/EF of 12 July 2002 regarding handling of personal information and protection of privacy within the electronic communication sector (the data protection directive) ("EF-Tidende" 2002 no. L 201, p. 37). The change of law is in effect from 25 July 2003.

The changes in the law are best illustrated by looking at the actual law text. Article 6a, before and after the change of the law:

Subsection 1
Before: Tradesmen may not address anybody directly by means of electronic mail, by use of an automated dialing system, or by use of telefax, with the intention to offer goods, real estate and capital goods, and to offer work and other assistance, unless the concerned party has given his consent in advance.
After: Unchanged.

New subsection 2
Before: (no corresponding text)
After: A tradesman can, regardless of subsection 1, market similar products or services by electronic mail if he has got the customer's e-mail address as part of a sale. It does, however, require that the customer has the opportunity to discontinue the reception of the e-mails, both when the e-mail address is given and at all later times when e-mails are received.

Old subsection 2 (new subsection 3)
Before: A tradesman may not address any particular physical person by means of other methods for remote communication for offering goods, as mentioned in subsection 1: if the customer has asked not to receive such offerings; if it appears that the customer is to be found in the register maintained and updated quarterly by "Det Centrale Personregister" (the central register of Danish citizens, CPR) as a person that does not condone such a marketing approach; or if the tradesman, by looking through the CPR register, has learned that the person does not condone such a marketing approach. If approaching the customer by phone, further regulation is in effect.
After: Unchanged.

Old subsection 3 (new subsection 4)
Before: Subsection 3 does not apply if the person has expressed a previous request for the approach.
After: Unchanged, except for a reference to a subsection.

Old subsection 4 (new subsection 5)
Before: The first time a tradesman approaches a physical person that is not mentioned in the register (CPR) mentioned in subsection 3, the tradesman must inform the person in a clear and comprehensible way about the right to request no further approaches. The person must furthermore be given easy access to request no further approaches.
After: Unchanged, except for a reference to a subsection.

Old subsection 5 (new subsection 6)
Before: The tradesman may not ask for payment for receiving or handling the request for no further approaches: either a revocation of permission (as stated in subsection 1) or a denial of any approaches (as stated in subsection 3).
After: Unchanged, except for a reference to a subsection.

Old subsection 6 (new subsection 7)
Before: The Minister of Trade and Commerce may establish further rules regarding the tradesman's compulsory delivery of information (as stated in subsection 5) and regarding the compulsory access for customers to be able to deny further contact.
After: Unchanged, except for a reference to a subsection.

The central issue regarding this change of law is that the companies were previously not allowed to send commercial e-mails to any customer unless the customer had given explicit permission.
After the change of the law the company may send unsolicited commercial e-mails to a customer if:
- The customer has bought goods or services at the company after the law came into force.
- The customer has given his e-mail address as part of the transaction that took place.
- The customer, as part of the purchase, has been notified that he will be receiving advertising materials, and by what channel.
- The customer has been given the option to say no to the advertisements.
- The customer has the opportunity, at no cost, to ask for no further advertising materials to be delivered, at each delivery.
- The company only advertises "similar products or services".

Said in another way: the company may now send advertising e-mails to customers without an expressed prior consent from the customer, if the above stated conditions are met. That was not the earlier practice: the customer must now actively say "no", where formerly the customer had to actively say "yes".

An interpretation of the law implies that:
- Even though the regulation of marketing targets all channels for marketing, the change in the law aims at marketing by use of e-mail, SMS, MMS and the like, but not by use of telefax and ordinary mail.
- In a given advertisement the company may seek the consent of the customer to be allowed to send advertising material for other products.
- The e-mail address given by the customer must have been given as part of the information given when buying a product; e-mail addresses given in any other context are not within the scope of this regulation.
- A company may only advertise its own products, not any third party products.
- Customers listed on the CPR register's Robinson list (persons that have stated not to accept advertisements by regular mail) are not within the scope of this regulation, so the company may send advertisements to those individuals.
- It is not acceptable to ask a customer, by the use of e-mail, for consent to receive advertisements.
The difficult part of this law is for the companies to define the meaning and coverage of the phrase "similar products or services". The consumer ombudsman gives the following examples of what can be regarded as legal interpretations of the law. Each example has been augmented by a column indicating problematic "areas": goods that the consumer might indicate (through the previous purchase) an interest in, but which may not be considered sufficiently "similar" according to the interpretation of the law.

If the consumer has bought ... | It would be OK to advertise for ... | Problem area
Trousers | Other clothes | Ladies' / gents' / children's clothes
A music CD | Other music, but not film | Music video featuring the same band
Shoes | Different types of footwear, but not clothes | Ladies' / gents' / children's shoes
Toys | Toys, but not other products specifically aimed at children | Is a computer game a toy?
Car | Other cars, but not accessories nor service for cars | You probably do not need another car, but probably accessories
Shaver | Other electronic products for personal care | Electric toothbrush
Soda | Other drinks | (none given)
PC games | Other PC games, but not other software | Operating systems mandatory for running the games

The consumer ombudsman has drafted a set of rules to be used as a guide to help clarify what rights one has as a consumer and in what circumstances a company may send advertising e-mails (see http://www.net-tjek.dk/ehandel/regler.htm). The consumer ombudsman further explains the underlying principles for the guides at http://www.net-tjek.dk/jura/fjura/jb00/00010000.htm and http://www.net-tjek.dk/jura/loveregl/mfl/rt_h00uh.htm.

Quite a few critical voices have been heard regarding the change of the law. A point of view advocated by a lot of concerned parties is the fear that the change might lead to an increase in the amount of SPAM.
The argument is that the consumer is less protected because the consumer must actively revoke the right of the company to use the e-mail address, gathered as part of the sale, for advertising e-mails. That revocation must be done each time a sale is carried out, which is deemed an unnecessary burden for the consumers. The consumers must also pay for the time being on-line each time such an e-mail is downloaded to the e-mail client program. At the same time there is a growing fear that less serious companies might misuse the relaxation in the law, seeing that the financial benefits of bending the law may be bigger than the supposedly limited fine they might get (since the writing of this, the first Danish sentence regarding SPAM has been passed; the judge imposed a fine of 100 DKK per sent e-mail, see http://www.bitconomy.dk/magasin.asp?printarticle=3012). Among the skeptics is "e-handelsfonden" (the association behind the Danish e-trade mark), which has decided that none of its members carrying the "e-mark" may use the new regulation (see http://www.computerworld.dk/default.asp?Mode=10&ArticleID=19933). Among the other skeptics are those who argue that, as the rules are still relatively unknown to the companies, misinterpretation will inevitably lead to a rise in the amount of SPAM emitted (see http://www.comon.dk/index.php?page=news:print,id=15098).

Adherents argue that the introduction of the directive was a positive development, giving the EU common rules governing this area. In many countries no prior regulation existed covering this field. The consumers in those countries are therefore much better protected now. In addition one can argue that the change of the law reflects the new and more effective business models used nowadays. If, for instance, a consumer has bought some products and an update or some accessories become available, then most consumers might be glad to be notified automatically.
In addition, the choice between remembering to opt out at each purchase and taking on the responsibility for keeping an eye on product updates oneself might be a choice of convenience for most consumers, to get the free after-sales service, and thus an overall improvement for the consumer. Lastly, one could argue that the change is small and thus not likely to increase the amount of SPAM. The latter argument has been used by the office of the consumer ombudsman (see http://www.comon.dk/index.php?page=news:print,id=14514).

SPAM comprises, as shown above, much more than just advertisements. Advertising is only a fraction of what would be classified as SPAM, and there is no indication that this legislation will have any impact on the amount of the rest of the SPAM. Surveys show that companies having a "statement of privacy / privacy policy" do observe their own statements and therefore do not contribute to the SPAM problem in any significant way (see http://www.cdt.org/speech/spam/030319spamreport.pdf). A final argument is that serious companies would never misuse the regulation, as the immediate consequence would most probably be disgruntled customers or loss of customers if they are bothered by irrelevant information and contacts. The companies do know that it is the customers that decide what is to be classified as SPAM.

It is possible (in Denmark) to file a complaint over SPAM through the Consumer Council ("Forbrugerstyrelsen") at the address http://www.net-tjek.dk, or more precisely http://www.nettjek.dk/ehandel/indh1.htm. If any additional information on how to conform marketing to international standards is needed, we can recommend the homepages of the International Chamber of Commerce, http://www.iccwbo.org, or the Federation of European Direct Marketing, http://www.fedma.org.

Summary

E-mail is a handy communication tool that has eased the possibility of communication for a lot of people, and as such it is a good thing.
But the effectiveness and ease of use of e-mail and other electronic communication services are severely threatened by SPAM. At the time of writing the ratio of SPAM (in Denmark) is on average 30%, and the ratio is growing fast and steadily. If we want to be able to use e-mail in the future as an effective means of communication, then imposing some sort of behavior regulation and/or technical countermeasures must be considered.

Behavior regulating provisions might include:
- There is a correlation between management responsibility and IT security policies. The management has the responsibility for the company IT security policy, which should include guidelines for the handling of SPAM.
- Evaluate how, and to what extent, the company must be protected. In accordance with the company strategy and economic situation, focus on what to protect against and in particular from whom to be protected.
- Consider encouraging employees to get a free web-based e-mail account to be used for private purposes and, in some instances, for use in conjunction with public e-mail list servers. Consider whether the employees are to be allowed to receive private e-mails into the company e-mail systems, and whether special recommendations should be put into effect regarding private e-mails.
- The company ought to issue guidelines specifying how the employee may use the company e-mail accounts, especially regarding the use of newsgroups and the posting of newsletters. In addition, a recommendation to enforce reading of the privacy policies for newsgroups, newsletters et cetera where the company e-mail address is to be used.
- Do not reply to or forward SPAM. Among the rules the company should create, emphasis should be put on a rule neither to reply to nor forward SPAM.
- Protection of customer data must be carried out in such a way that the company does not inadvertently become a source of SPAM.
- Create an internal e-mail address for SPAM reporting so that the employees have means to report incidents.
- Do not become a SPAMMER yourself. Read and abide by the current regulations regarding marketing, but do keep in mind that it is the customers that decide what to rule as SPAM.

Technical provisions might include:
- Does the company want to handle SPAM itself or buy a third party solution? Either way some decisions must be made: what sort of provisions to employ, for instance activating filters in the software already in-house or buying "boxes" for filtering SPAM, and whether the provisions are to be controlled internally or by a third party.
- Review what effect is to be expected from using filters in the software / hardware already in-house. Most probably the in-house products have SPAM filters of some sort. You must gather an overview and state specific demands to the supplier of new software / hardware.
- SPAM and mobile connections may cause new, as yet unaddressed problems. Evaluate the impact and possible countermeasures.
- Do not use e-mail addresses on company web sites, or minimize the number of exposed e-mail addresses, or camouflage the unavoidable addresses, or use other means (like keyworded subject fields), or use web page forms.
- Get a digital signature. The use of a digital signature is expected, over time, to contribute to a reduction in the SPAM problem.
- Hide your company e-mail addresses, for instance by using temporary addresses to be disposed of whenever they are hit by SPAM.
- Do not have an open relay e-mail server. Open relays are one major origin of SPAM. They are used either to send SPAM or to hide the true origin of the SPAM. Having an open relay may render it impossible for the company to receive or send e-mail.
- Create your e-mail addresses in a suitable fashion so that it becomes difficult for a spammer to guess them. That means that e-mail addresses made up of mere names, initials and the like are not a wise choice.
Links

A list of relevant links to anti-SPAM related material will be published at the ITEK website, http://www.itek.di.dk.