Combating SPAM Problems in a Corporate Environment
Perhaps no problem plagues the Internet as deeply as that of unsolicited junk E-mail, or SPAM. While there’s no doubt that SPAM can be annoying to the end users, SPAM can cause problems for both the network administrators and for those who own or manage a company. The reason for this is that SPAM robs your company of productivity and of system resources.
SPAM and Backend Mail Systems
First, let’s take a look at the system resources that are consumed by SPAM. Any time that an E-mail message is sent to someone in your organization, the message must first pass through your organization’s Internet connection and through the firewall before reaching your Exchange Server. Regardless of how much bandwidth your organization may have, there is a finite amount of data that the Internet connection can handle in a given amount of time. This means that if your organization is using its Internet connection at or near its total capacity, then any time you receive a junk E-mail message, other legitimate messages are kept waiting until bandwidth becomes available.
Once a message passes into your organization, it must pass through your firewall, which then hands the message off to the appropriate Exchange Server. Both the firewall and the Exchange server use CPU cycles and memory when processing the message, resources that would be better used elsewhere. Keep in mind that each E-mail message that your organization receives consumes a tiny amount of resources such as bandwidth, memory, CPU cycles, etc. Most organizations would never even notice the impact caused by receiving a few junk E-mail messages. The real problem is caused by the sheer volume of junk mail that pours into many organizations. Before I implemented SPAM protection in my own organization, I was receiving more junk messages than legitimate messages; upward of 200 junk messages a day.
When an organization is plagued by excessive SPAM, disk space on the Exchange Server also becomes an issue. To most people, the idea of storing SPAM is absurd. However, a recent IDC report estimates that 44% of users retain E-mail messages for a year or more. Even if your users aren’t storing SPAM, Exchange is designed to retain deleted items for a period of time. Therefore, those SPAM messages that your users are deleting are still stored on the server for a period of time.
SPAM and Employee Productivity
SPAM not only impacts the back end information systems, it can lead to a loss of productivity as well. The most obvious way that productivity is impacted is that if users are busy deleting junk mail then that’s basically wasted time in which nothing productive is being accomplished. Furthermore, if a user is constantly flooded with SPAM, then there’s a good chance that in the midst of deleting the SPAM, important messages may also be accidentally deleted. On more than one occasion I personally have accidentally deleted important messages from clients while cleaning out SPAM. This has sometimes resulted in a loss of income.
Furthermore, if your employees’ jobs involve sending E-mail messages to clients or doing Internet based research, their Internet access could be greatly slowed because the steady flow of inbound SPAM is consuming a large portion of the company’s Internet bandwidth. As if that weren’t enough, SPAM sometimes contains malicious scripts, viruses, etc.
I recently helped a friend who owns a trucking company deal with a SPAM problem in their organization. The organization was receiving so much SPAM that it was becoming difficult to even use E-mail. Each user was receiving dozens of messages every hour. The real problems started though when the company received an outrageously expensive phone bill. One of the users had apparently opened a message containing a malicious script that caused the PC’s modem to dial a 900 number. In the end, I was able to get rid of the dialer, but the SPAM problem had grown so far out of control that everyone in the company had to get a new E-mail address. Of course that meant informing all of the clients of the new contact information. To make a long story short, this entire ordeal was a huge problem for this small company.
One of the more overlooked ways in which SPAM affects an organization’s productivity is in the amount of time that users spend deleting it. A recent IDC white paper estimates that one in every five E-mail messages that a person receives is SPAM and that the average employee spends about 5 seconds getting rid of each SPAM message.
Personally, I think that the ratio of SPAM to legitimate messages is much higher than one in 5. Typically, in an average day I get about 30 legitimate E-mails and well over 200 SPAM messages. Let’s assume that IDC is correct though and that one out of every five messages that your employees receive is SPAM. Now, let’s assume that the average employee gets 50 E-mail messages per day, ten of which are SPAM. If IDC is correct in saying that it takes 5 seconds to look at and delete a SPAM on average, then an employee that receives 10 SPAMs a day wastes 50 seconds dealing with SPAM.
At first, 50 seconds of wasted time sounds trivial. However, if an organization had 2000 employees, then the employees would be collectively wasting 10,000 seconds or 27.7 man hours per day. This works out to 7,222.2 wasted man hours each year. If the average employee earned $15 per hour then the company would be looking at a financial loss of $108,333.33 per year in wasted man hours, just because each employee spent a mere 50 seconds a day dealing with SPAM.
So the real question now is how do you deal with SPAM? Several states have passed legislation making SPAM illegal, but I personally don’t see the problem going away. Much of the SPAM is sent from foreign countries or from other states. This means that state level anti SPAM legislation is unenforceable.
Microsoft has built mechanisms into Outlook that allow you to fight SPAM. The problem is that configuring Outlook to filter SPAM without using third party software is a lot of work. I have described the necessary procedures in the article found at http://www.brienposey.com/kb/filtering_spam.asp. Additionally, spammers are always using new spamming techniques, so the Outlook filters that work today may not work tomorrow. Even if you could keep an Outlook level SPAM filter up to date, there’s a huge administrative burden since each user’s Outlook profile must be maintained independently. The only real solution is to stop SPAM at the Exchange Server level, before it can make its way into the users’ mailboxes.
While no anti SPAM product is 100% effective, there are several good products for fighting SPAM at the Exchange level. My three personal favorites include GFI MailEssentials, Ipop, and SurfControl. Each of these products does a reasonably good job filtering SPAM at the Exchange level, but each also has its strengths and weaknesses.
Although all of the products that I listed above are good, my personal favorite is GFI MailEssentials (http://www.gfi.com/bes/). The reason that I like the GFI product so much is that it has some really practical methods for catching SPAM. For starters, the product looks at what language the inbound messages are sent in. A lot of SPAM comes from foreign countries and is not even written in English. If a message comes into your organization and is in a foreign language, the message can automatically be treated as SPAM if you choose.
Another big plus is the way that GFI makes use of black lists and white lists. While all of the major anti SPAM products use black lists and white lists, the GFI product can also use third party blacklists. This means that the GFI product can take advantage of Internet databases containing the IP addresses of known spammers. What makes the product even more attractive is that the anti spam DNS blacklist checking (ORDBC etc.), custom blacklist and automatic white list modules are freeware. In addition, one can configure one disclaimer. These features will not time out after evaluation has ended!
Another nice perk to GFI MailEssentials is that they are now offering disclaimer software for free to users of GFI MailEssentials. The disclaimer product is an add on module that allows you to place a legal disclaimer at the end of outbound messages. Such disclaimers can protect your company against litigation arising from an employee’s inappropriate use of E-mail.
Perhaps my favorite feature of GFI MailEssentials is that it allows greater control of detected SPAM than some of the other products. For example, SPAM can be automatically deleted, forwarded to someone for review, or flagged as SPAM and sent to the user for review. This option to review mail flagged as SPAM allows for greater fine tuning and thus better SPAM detection accuracy than you would get from an out of the box configuration. If a message has been flagged as SPAM, you can configure GFI MailEssentials to deliver a fake non delivery report to the sender. The idea is that if you can trick the sender into thinking that your E-mail address is bad then there is a really good chance that you will be removed from the sender’s mailing list.
SurfControl is another good anti SPAM product (http://www.surfcontrol.com). SurfControl takes an eight step approach to filtering SPAM. First, SurfControl closes the mail relay host. This prevents spammers from being able to relay SPAM through your server on its way to other destinations. Closing the relay host is a nice feature, but can be easily done directly through Exchange.
Next, SurfControl uses an anti SPAM agent to test each inbound message. Some of the tests performed on the messages include a dictionary based scan that looks for words and phrases commonly used in SPAM, and a client name DNS lookup. This lookup tests each address by comparing the sending domain’s DNS entry against the IP address that actually sent the message. This tests for spoofed E-mail addresses. Messages are also checked against a live database of blacklisted senders. Senders can be blacklisted by domain, E-mail address, and IP address. One of the features that I liked the best about SurfControl is that the online database contains actual SPAM messages that have been hashed to produce digital signatures. When a new message arrives, the message’s digital signature is compared against those stored in the database. Finally, if a message contains HTML code, the HTML code can be stripped from the message, removing any potentially harmful code.
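To make the checks in the paragraph above concrete, here is a small Python sketch of the same kinds of tests (blacklist, sender domain versus sending IP, hashed signatures of known SPAM, dictionary scan, HTML stripping). It is an added example, not SurfControl's code; the phrase list, blacklist, DNS table, signature database and sample messages are all constructed, and the DNS lookup is replaced by an in-memory table so the example runs offline.

```python
import hashlib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample data throughout (reserved example domains and IP ranges).
PHRASES = ("act now", "100% free", "no obligation")
BLACKLIST = {"bulk.example", "promo@offers.example", "203.0.113.77"}  # domain, address, IP
DNS = {"partner.example": {"198.51.100.10"}}  # offline stand-in for a DNS lookup

def signature(text):
    """Hash the case- and whitespace-normalised text so re-wrapped copies still match."""
    return hashlib.sha256(" ".join(text.lower().split()).encode()).hexdigest()
KNOWN_SPAM = {signature("Lose weight fast! Click here")}

class TextOnly(HTMLParser):  # keeps text nodes; drops tags and <script>/<style> bodies
    def __init__(self):
        super().__init__()
        self.parts, self.hidden = [], False
    def handle_starttag(self, tag, attrs):
        self.hidden = tag in ("script", "style")
    def handle_endtag(self, tag):
        self.hidden = False
    def handle_data(self, data):
        if not self.hidden:
            self.parts.append(data)

def strip_html(body):
    parser = TextOnly()
    parser.feed(body)
    parser.close()
    return " ".join("".join(parser.parts).split())

def evaluate(raw, client_ip):
    """Return (reasons, cleaned_body); an empty reasons list means deliver."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = addr.rpartition("@")[2]
    text = strip_html(msg.get_payload())
    checks = {
        "blacklisted": bool({domain, addr, client_ip} & BLACKLIST),
        "spoofed-sender": client_ip not in DNS.get(domain, set()),
        "known-signature": signature(text) in KNOWN_SPAM,
        "dictionary": any(p in text.lower() for p in PHRASES),
    }
    return [name for name, hit in checks.items() if hit], text

LEGIT = ("From: ap@partner.example\n\n<p>Invoice 118 attached</p><script>x()</script>", "198.51.100.10")
SPOOFED = ("From: ap@partner.example\n\nAct now, 100% FREE upgrade", "203.0.113.77")
REWRAPPED = ("From: news@bulk.example\n\n<b>LOSE weight</b>\n fast!  Click <a href='#'>here</a>", "192.0.2.5")
```

A literal domain-to-IP comparison also flags legitimate senders whose mail leaves through a separate relay, so a hit on that test alone is better routed to review than deleted.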
My third pick for a mail filtering solution is Ipop (http://www.ipop.com/Solutions/EmailFiltering/Default.asp). Ipop works by first quarantining any message that is infected with a virus, and then performing some basic checks against the message. What I like is that these checks tend to work by asking some very logical questions about the message. These questions include things like: was the sender’s domain invalid? Is the sender a known spammer? Was the message sent from a server that allows SPAM to be relayed through it? Are the headers properly formatted? Is the message’s routing obscured? Although Ipop isn’t quite as robust as GFI MailEssentials or SurfControl, it tends to be easy to set up and does a reasonably good job.
Software Comparison By Feature
Now that I have revealed my top three picks for anti SPAM software, you’re probably wondering which product is the best. The truth is that best is a relative term because what works best for one environment may not necessarily work the best in another environment. In an effort to make my comparison as objective as possible, I have created the chart below which does a feature by feature comparison of the products. This should help you to be able to figure out what will work the best in your own environment. In case you’re wondering though, my personal choice for an Exchange level anti SPAM solution would be GFI MailEssentials. The only thing that GFI MailEssentials seems to be lacking that the other two products have is anti virus support. GFI does make a supplementary product called GFI MailSecurity that provides anti virus support to GFI MailEssentials, and addresses a number of other security issues as well. Additionally, you could address the anti virus problem by using a dedicated Exchange level anti virus product such as Hauri’s ViRobot for Exchange 2000 (http://www.hauriusa.net/groupware.asp).
|Closed Relay Host||X|
|Database based message comparison||X||X|
|Message tracking by message’s digital signature||X|
|Dictionary based detection||X||X|
|SPAM filtering by category||X|
|Adaptive learning||* Will Be Available in GFI MailEssentials in June 2003||X|
|Guard against false positives||X||X|
|Sender name spoofing detection||X||X||X|
|Blacklist by domain, E-mail address and IP address||X||X||X|
|Support for Third Party Blacklist Databases||X||X|
|Anti Virus Support||* By Adding GFI MailSecurity||X||* With anti virus agent|
|Message Language Test||X|
|Fake Non Delivery Report Creation||X|
|Disclaimer Software Included||X|
|Message Header Analysis||X||X|
|Advanced Mail Monitoring||X|
Brien Posey has written thousands of technical articles on a variety of
topics. You can access many of them by signing up for a free membership
to Brien’s personal Web site at http://www.brienposey.com. Brien’s Web site
also contains a forum area where you can post your most difficult
technical questions and a live chat area where you can talk directly to