The "No Network is 100% Secure" series
- Electronic Mail SPAM -
A White Paper


All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants


What is SPAM?: It is widely believed the term spam is derived from the 1970 SPAM sketch of the BBC television comedy series "Monty Python's Flying Circus". The sketch is set in a cafe where nearly every item on the menu includes SPAM luncheon meat. As the waiter recites the SPAM-filled menu, a chorus of Viking patrons drowns out all conversations with a song repeating "SPAM, SPAM, SPAM, SPAM... lovely SPAM, wonderful SPAM", hence "SPAMming" the dialog. The excessive amount of SPAM mentioned in the sketch is a reference to British rationing during World War II. SPAM was one of the few meat products that was excluded from rationing, and hence was widely available.

In its purest form, SPAM is any unwanted message, typically sent via e-mail. Multiple postings (e.g. on Usenet newsgroups or forums) can also be referred to as SPAM. For the purpose of this white paper, SPAM will mean unwanted bulk e-mail sent for devious and often criminal purposes. Other forms of SPAMMING are usually more accurately described as hacking and are accomplished by breaking into a computer system, typically a web server.

Why is there so much SPAMMING going on?: Spamming remains economically viable because advertisers have no operating costs beyond the management of their mailing lists. Additionally, it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge. Spamming is widely reviled, and has been the subject of legislation in many jurisdictions.

Is SPAM a security concern?: The short answer is no, but with caveats. Very few people these days are dumb enough to actually buy Viagra over the Internet or fall for erectile dysfunction scams by responding to a piece of SPAM. However, SPAM is the delivery method for many viruses and other malware. As SPAMMERS become more sophisticated, SPAM with forged headers has been responsible for many "phishing" campaigns that cyber-criminals use to gain access to user accounts and computer services. The end goal for phishing is usually to gain access to credit card numbers, bank accounts, social security numbers and so forth. Phishing scams seek to trick users into going to a bogus but legitimate-looking web site to enter their user names, passwords, SSNs and so forth. While employee identity theft and these types of crimes may not be the direct concern of IT Managers, there are many reasons why you would want to do everything possible to keep SPAM out of your enterprise.

SPAM is also used as a method to harvest e-mail addresses, infect computers with bots and trojans and many other bad things that you do not want to happen to computers that are in your charge.

How do I stop SPAM from getting into my enterprise?: Volumes have been written on this subject so this white paper will just hit the high points. The short answer is that completely eliminating SPAM is impossible under today's technology. Additionally, legislation and enforcement have so far been totally ineffective in abating these types of criminal activities. The reasons for this are beyond the scope of this paper.

However, there are a few relatively simple, often common-sense things you can do to at least reduce your vulnerability to SPAM. It is an assumption that the IT Manager has already implemented anti-virus software on every computer in the network. This is an absolute minimum precaution. It is also assumed that virus definitions are kept up to date.

Important best practices: You can remind users to never open attachments unless they are sure of the sender until you are blue in the face. But the fact is that many of your users are just not very technically savvy. So while training and education is important, the best strategy is to prevent SPAM from ever reaching their mailbox in the first place. If you don't do this, you WILL spend a lot of time and energy dealing with viruses, bots, trojans, hack attempts and so on. SPAM is definitely a situation where you can either invest your time being proactive about it or you can deal with fire after fire, reacting every time some user opens up an e-mail attachment or goes to a URL that they "thought" was okay. You only have to pick up the newspaper or turn on the news to learn about the latest company to be "knocked off the air" by cyber-criminals. I'm sure the IT guys at these companies have some 'splaining to do....

First steps: For SPAM to be delivered, there has to be a legitimate e-mail address to send SPAM to. Therefore, in my opinion, task number one is to not provide SPAMMERS with e-mail addresses to send to. Duh.... So how do we accomplish this? There are many things that can be done to thwart e-mail address harvesters: implementing policies and procedures that prohibit personal use of company equipment, including company e-mail addresses, for example; changing the way e-mail addresses are displayed on web sites (including Internet forums and e-commerce sites that are accessed by employees), for another; and requiring "hardened" usernames so that SPAMMERS can't guess e-mail addresses, that is, Joseph.Jones@your_company.com rather than joe@your_company.com or jones@your_company.com. As you can see, there's lots that can be done that's easy and inexpensive to implement but will make a BIG difference in SPAM reduction. Easyrider LAN Pro consulting services can be a huge help in identifying lots of things that data centers are doing that inadvertently promote incoming SPAM. We are always happy to talk to IT Managers about this.
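The audit an IT Manager would run before "closing the barn door" is to look at the company's own web pages the way an address harvester does and see which addresses are exposed and how guessable they are. The following Python is an added example for this white paper, not Easyrider LAN Pro's tooling; the HTML snippet is constructed, the example.com domain stands in for your own, and the "hardened" rule (Firstname.Lastname) is the paper's own recommendation expressed as a pattern.

```python
import re
from typing import Dict, List

# Constructed "contact us" page; not taken from any real site.
SAMPLE_HTML = """
<html><body>
<p>Sales: <a href="mailto:sales@example.com">sales@example.com</a></p>
<p>Support lead: <a href="mailto:Joseph.Jones@example.com">Joseph.Jones@example.com</a></p>
<p>Questions? Mail joe@example.com or jones@example.com.</p>
<p>Spelled out: webmaster [at] example [dot] com</p>
</body></html>
"""

# The simple pattern a harvester's regex uses; anything it matches is exposed.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "Hardened" local part as the paper describes: two or more alphabetic tokens
# joined by dots (Joseph.Jones), far harder to guess than "joe" or "jones".
HARDENED_RE = re.compile(r"^[A-Za-z]{2,}(\.[A-Za-z]{2,})+$")
# Role accounts are published on purpose; they need server-side filtering instead.
ROLE_ACCOUNTS = {"sales", "info", "support", "webmaster", "postmaster", "abuse"}


def find_exposed_addresses(html: str) -> List[str]:
    """Every plain-text address on the page, de-duplicated, in page order.
    The '[at] ... [dot]' spelling is not matched here, but many harvesters
    do handle it, so treat that trick as a weak measure, not a fix."""
    seen: List[str] = []
    for addr in ADDRESS_RE.findall(html):
        if addr not in seen:
            seen.append(addr)
    return seen


def classify_local_part(addr: str) -> str:
    """'role' for shared mailboxes, 'hardened' for First.Last, else 'guessable'."""
    local = addr.split("@", 1)[0]
    if local.lower() in ROLE_ACCOUNTS:
        return "role"
    if HARDENED_RE.match(local):
        return "hardened"
    return "guessable"


def audit_page(html: str) -> Dict[str, str]:
    """Map each exposed address to its classification, for a remediation list."""
    return {addr: classify_local_part(addr) for addr in find_exposed_addresses(html)}


if __name__ == "__main__":
    for address, kind in audit_page(SAMPLE_HTML).items():
        print(f"{kind:10} {address}")
```

Run against a crawl of your own site, the "guessable" entries are the ones to rename or remove from public pages, and the "role" entries are the ones your mail gateway should expect to receive the most junk.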

What else?: So the barn door is already open and SPAMMERS have lots of addresses in your domain to SPAM already. What else can be done? Software tools can be a big help too. A great deal of SPAM these days is sent from computers that are infected with bots and in some cases are running as open relays. That is to say that the SPAM is coming from computers that aren't legitimate MX mail servers at all. There are several methods to check incoming mail to see if it came from an open relay, a legitimate MX server or from an IP that is blacklisted.
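The two checks mentioned above, a DNS blacklist (DNSBL) lookup on the connecting IP and a comparison of that IP against the sender domain's MX hosts, look like this in Python. This is an added example, not code from the white paper or from Easyrider LAN Pro; the zone names `dnsbl.example` and `relays.example` are hypothetical stand-ins for whatever lists a site subscribes to, the DNS answers are constructed stubs so the code runs offline, and the MX lookup is injected because the standard library has no MX query (in production it would wrap a DNS library).

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Hypothetical zones; substitute the DNSBLs your site actually uses.
DNSBL_ZONES = ["dnsbl.example", "relays.example"]

# Constructed DNS answers standing in for the real resolver.
STUB_DNS = {
    "10.2.0.192.dnsbl.example": "127.0.0.2",     # 192.0.2.10 is listed
    "5.113.0.203.relays.example": "203.0.113.1",  # bogus answer from a dead/wildcarded list
}
STUB_MX = {"example.net": ["mail.example.net"]}
STUB_A = {"mail.example.net": ["198.51.100.7"]}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL query name: IPv4 octets reversed, then the zone.
    192.0.2.10 against dnsbl.example becomes 10.2.0.192.dnsbl.example."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 clients only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_a_lookup(name: str) -> Optional[str]:
    """Real resolver: first A record for name, or None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def live_all_a_lookup(host: str) -> List[str]:
    """All A records of a host (used for MX hosts)."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


def dnsbl_listings(ip: str, zones: List[str] = DNSBL_ZONES,
                   resolver: Callable[[str], Optional[str]] = live_a_lookup) -> Dict[str, str]:
    """{zone: answer} for each zone that lists the IP. Only answers inside
    127.0.0.0/8 count: a list that has died or been wildcarded must not
    cause every incoming connection to be rejected."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            hits[zone] = answer
    return hits


def client_is_domain_mx(client_ip: str, sender_domain: str,
                        mx_lookup: Callable[[str], List[str]],
                        a_lookup: Callable[[str], List[str]] = live_all_a_lookup) -> bool:
    """True when the connecting IP is one of the sender domain's MX hosts."""
    return any(client_ip in a_lookup(mx_host) for mx_host in mx_lookup(sender_domain))


def classify_client(client_ip: str, sender_domain: str,
                    resolver: Callable[[str], Optional[str]],
                    mx_lookup: Callable[[str], List[str]],
                    a_lookup: Callable[[str], List[str]]) -> str:
    """'listed' overrides everything; 'mx' is a positive signal; 'unverified'
    is common for legitimate outbound relays (a domain's outbound hosts are
    often not its MX), so it should add to a score, not reject on its own."""
    if dnsbl_listings(client_ip, resolver=resolver):
        return "listed"
    if client_is_domain_mx(client_ip, sender_domain, mx_lookup, a_lookup):
        return "mx"
    return "unverified"


# Stub lookups wired to the constructed data above.
def stub_resolver(name: str) -> Optional[str]:
    return STUB_DNS.get(name)

def stub_mx_lookup(domain: str) -> List[str]:
    return STUB_MX.get(domain, [])

def stub_a_lookup(host: str) -> List[str]:
    return STUB_A.get(host, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, classify_client(ip, "example.net", stub_resolver, stub_mx_lookup, stub_a_lookup))
```

The 127.0.0.0/8 guard matters in practice: DNSBLs that shut down have, more than once, started answering every query, and a gateway without this guard then rejects all mail. The "unverified" result is deliberately weak; SPF is the mechanism designed to say which hosts may send for a domain.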

There are also ways to look at the content of incoming e-mail to see if it has SPAM "signatures". SpamAssassin is very popular for doing this and it's free! Servers can also be set up to challenge incoming mail by replying with a verification e-mail that the sender must acknowledge before their address is "whitelisted". There is some debate on how effective this approach is but it's still an available option that you may want to take advantage of.
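SpamAssassin's approach is a set of weighted rules whose scores are summed and compared against a threshold. The Python below is an added example of that scoring model, written for this white paper and not taken from SpamAssassin or from Easyrider LAN Pro; the rule names, weights and the 5.0 threshold are illustrative choices, and both messages are constructed samples (a forged-header "verify your account" phish of the kind the paper describes, and an ordinary internal note).

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Callable, List, Tuple

REQUIRED_SCORE = 5.0  # plays the role of SpamAssassin's required_score; local policy

# Constructed sample messages, not real mail.
PHISH_SAMPLE = """From: "Account Security" <security@bank.example>
Reply-To: collector@mailer.example
To: joe@example.com
Subject: URGENT: VERIFY YOUR ACCOUNT NOW
Content-Type: text/plain

Your account will be suspended. Verify your account at http://192.0.2.77/login
"""

HAM_SAMPLE = """From: Joseph.Jones@example.com
To: alice@example.net
Subject: Lunch on Thursday?
Message-ID: <20090325.1234@example.com>
Content-Type: text/plain

Want to grab lunch on Thursday? The new place on Main St. looks good.
"""


def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def _body_text(msg) -> str:
    if msg.is_multipart():
        return "\n".join(p.get_content() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_content()


# Each rule sees the parsed message and its text body and returns True on a hit.
def rule_missing_message_id(msg, body) -> bool:
    return msg.get("Message-ID") is None            # bulk mailers often omit it

def rule_subject_all_caps(msg, body) -> bool:
    subj = str(msg.get("Subject", ""))
    return len(subj) > 10 and subj.isupper()

def rule_drug_spam(msg, body) -> bool:
    return re.search(r"\b(viagra|cialis)\b", body, re.I) is not None

def rule_account_threat(msg, body) -> bool:          # classic phishing pressure phrases
    text = str(msg.get("Subject", "")) + "\n" + body
    return re.search(r"verify your account|account will be suspended", text, re.I) is not None

def rule_replyto_mismatch(msg, body) -> bool:        # replies steered to another domain
    reply_to = msg.get("Reply-To")
    return reply_to is not None and _domain(str(reply_to)) != _domain(str(msg.get("From", "")))

def rule_raw_ip_url(msg, body) -> bool:              # link to a bare IP, no hostname
    return re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b", body) is not None


RULES: List[Tuple[str, float, Callable]] = [
    ("MISSING_MESSAGE_ID", 1.0, rule_missing_message_id),
    ("SUBJ_ALL_CAPS", 1.5, rule_subject_all_caps),
    ("DRUG_SPAM", 2.0, rule_drug_spam),
    ("ACCOUNT_THREAT", 2.5, rule_account_threat),
    ("REPLYTO_MISMATCH", 1.0, rule_replyto_mismatch),
    ("RAW_IP_URL", 2.0, rule_raw_ip_url),
]


def score_message(raw: str) -> Tuple[float, List[str]]:
    """Total score and the names of the rules that fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = _body_text(msg)
    hits = [name for name, _, test in RULES if test(msg, body)]
    score = sum(weight for name, weight, _ in RULES if name in hits)
    return score, hits


def is_spam(raw: str) -> bool:
    return score_message(raw)[0] >= REQUIRED_SCORE


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("ham", HAM_SAMPLE)):
        print(label, score_message(sample), "spam" if is_spam(sample) else "ok")
```

No single rule is decisive (an internal memo can have an all-caps subject), which is the point of scoring: several weak signatures add up, and the threshold is tuned against your own mail rather than fixed. SpamAssassin ships hundreds of such rules plus the DNSBL and Bayesian checks; this block only shows the mechanism.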

If you are a company, you may want to block ALL e-mail from Google (gmail), Hotmail, Yahoo and so forth since these are clearly not business e-mail addresses. Google and others have done very little to prevent SPAMMERS from using their services to SPAM the Planet. Personally, I block everything from Google, Theplanet and RIPE IP addresses. In your business environment, you may not be able to be quite that aggressive. But personally, I would not hesitate to blacklist scumbag ISPs who host SPAMMERS and Hackers, from my entire network, at the border router. If one of their customers doesn't like having their e-mail blocked, they can vote with their dollars and move to a more responsible ISP. I also block everything from Russian and Nigerian IP address blocks.
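The blanket blocking described above, by sender domain and by whole IP ranges, is a small policy decision at SMTP time. The Python below is an added example for this white paper, not Easyrider LAN Pro's configuration; the blocked networks are the RFC 5737 documentation ranges standing in for whatever ISP or country blocks a site picks, and the (action, reason) return mirrors the action line a Postfix policy service would send back, which is an assumption about deployment, not something the paper specifies. It also shows the one caveat the aggressive approach needs: an explicit allow list for the few partners who can only reach you from a free-mail address.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed policy data. Networks are RFC 5737 documentation ranges.
BLOCKED_SENDER_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# Exact-address exceptions checked before any block rule.
ALLOWED_SENDERS = {"partner.contact@gmail.com"}


def sender_domain(envelope_from: str) -> str:
    """Domain part of the SMTP envelope sender, lower-cased; '' for the null sender."""
    return envelope_from.strip("<>").rpartition("@")[2].lower()


def client_in_blocked_network(client_ip: str) -> Optional[str]:
    """The blocked network containing client_ip, or None (bad input counts as not blocked)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None
    for net in BLOCKED_NETWORKS:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def smtp_decision(client_ip: str, envelope_from: str) -> Tuple[str, str]:
    """('DUNNO', '') lets later checks run; ('REJECT', reason) refuses the message.
    Allow list first, then the connecting network, then the sender domain."""
    sender = envelope_from.strip("<>").lower()
    if sender in ALLOWED_SENDERS:
        return ("DUNNO", "")
    net = client_in_blocked_network(client_ip)
    if net is not None:
        return ("REJECT", f"client {client_ip} is in blocked network {net}")
    domain = sender_domain(envelope_from)
    if domain in BLOCKED_SENDER_DOMAINS:
        return ("REJECT", f"sender domain {domain} is not accepted")
    return ("DUNNO", "")


if __name__ == "__main__":
    for ip, sender in (("192.0.2.5", "someone@example.org"),
                       ("203.0.113.9", "bob@gmail.com"),
                       ("203.0.113.9", "partner.contact@gmail.com"),
                       ("203.0.113.9", "Joseph.Jones@example.com")):
        print(ip, sender, smtp_decision(ip, sender))
```

Blocking at the border router, as the author does, is coarser still: it drops every protocol from those ranges, not just mail, so the allow-list step has to live wherever the block does. Note too that the envelope sender is trivially forged, so the domain rule stops careless bulk mailers, not a determined phisher; the network rule is the one that bites.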

As stated earlier, SPAM is a serious, complex and detailed problem. This white paper barely scratches the surface on this issue but we hope you find the information here to be helpful and informative. Easyrider LAN Pro is happy to do consulting work for IT Managers and companies that would like to tighten up their computing environment and who would like to see a lot less SPAM coming into their environment. We often receive consulting inquiries right AFTER a high visibility, expensive, painful intrusion event takes place. But you don't have to wait until your local TV station is interviewing the company president to find out the details about how your data center was attacked before you call us. Level zero in the Information Technology Service Management (ITSM) is chaos mode. You'd like to be way more proactive than that, right?

Next in the security white paper series:

Virus White Paper
SPAM White Paper
Best Practices White Paper
Denial of Service DoS White Paper
Trojan Virus Attacks White Paper
Port Scanning White Paper
Shelfware White Paper



Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro