 |
||||||||||
| Email Solutions |
| How Mailborder Works |
| Mailborder FAQ |
| Mailborder Pricing |
| Security Central |
| Articles and Tutorials |
| Latest Spam News |
| Bugtraq Vulnerabilities |
| Internet Storm Center |
| Sophos Virus Alerts |
| Sophos Security News |
| Security Focus News |
| My Account |
| Control Panel Login |
| Instant Registration |
Battling Spam: Start with Policy
Author: Jerry Benton
The first step any organization should take to prevent itself from being deluged with spam is to develop e-mail usage policies for its user base. Many users simply do not understand the consequences associated with freely distributing their e-mail address across the Internet. Considering this, a security policy for appropriate e-mail use should not only contain what to do and what not to do, it should also contain some brief explanations as to why. Although this is not required, it goes a long way in getting the user base onboard with any new or revised policy. |
|
The e-mail policy itself should contain a statement emphasizing that the organizational e-mail address provided for its users belongs to the organization and not the users. In other words, the address is a company asset and not the personal address for the user. Next, the policy should provide specific examples on safeguarding the address by not using it to register or sign up for any service on the Internet. Also make it clear that the addresses should not be used in forums or user groups as these are often crawled by automated tools to harvest e-mail addresses. A brief explanation on these topics may help, but ensure that the policy doesn’t begin to sound like compliance is being requested. The tone should be that compliance is required and these are the reasons why the policy is required. Finally, ensure that the upper management approves and supports the policy, but don’t stop there. The best example is set by organizational leaders, but these are the same people that will often cause the most problems since upper management often considers themselves beyond the rules either consciously or subconsciously. Approach the management with the tone that their support and leadership examples are needed to the policy work. This slightly plays on one’s ego and usually works in favor of making new or revised policies successful. |
Technical Countermeasures
|
The next step on the battle with spam is to educate the user base on not only policy, but ethics. A lack of ethical behavior on a computer network can lead to legal problems, but also further problems with spam. It seems that a popular pastime with many employees is unethical behavior like file sharing through various peer-to-peer (P2P) programs. Of course most users intend to only half way violate what should be common ethical behavior by downloading items such as pirated music, but they can often put the entire organization at risk with questionable P2P software that either intentionally creates a security breach or does so by incorrect configuration by the user. These breaches can in turn be used to infect systems with viruses that can target the organization’s entire directory of e-mail addresses. This can be used to spread more viruses or create an army of zombie systems used as spam distribution points by spammers.
Unfortunately, the intended message of following policy and upholding ethical standards doesn’t always register until disaster strikes. And even after disaster does strike a network, the effect eventually wears off over time. To prevent this from happening, use the misfortunes of others within the community to regularly inform the user base and further justify organizational policies. The idea is to get everyone thinking about security on a regular basis. This is a form of social psychology and it works best if the user base feels involved and gains a sense of pride from that involvement. Other tactics like formal recognition and praise to users that have helped the organization by direct action or simple vigilance will give the individual a sense of importance and belonging. In turn this will also help gain further support and vigilance from that individual and perhaps others. However, care should be taken to ensure that a stigma of cajoling doesn’t become associated with willingness to help enforce policy.
Although these measures for battling spam will help, it is still essentially “security by obscurity” since the idea is to keep the user address space out of the hands of spammers. At some point your domain will gain the attention of a spammer. Even if a spammer does not have known e-mail addresses for your domain, spam bots are often put vigorously to work brute forcing random guesses at addresses for your domain. Once this happens you will not only have a lot of the user base complaining about spam, but those NDRs are going to start piling up on your mail servers eating away at precious drive space and system resources. At this point it will be time to move past policy and start to look for a technical approach to batting spam.