Antispam measures – how far do you go?

It’s a common complaint: “We have antispam software, so why do we still receive spam?”

It’s simple really – antispam software is playing catch-up most of the time. In spite of regular updates to signature files and heuristic rules, the simple fact of the matter is that antispam software is no match for a person’s ability to read and interpret a message, no matter how badly mangled a cleverly misspelt word or paragraph looks. Throw in a mixture of text and graphics to form a spammer’s message and the antispam software will likely miss it. Set your antispam software too sensitive and you will likely end up spending more time taking legitimate mails out of the quarantine (assuming you actually quarantine, that is!) than actually reading them.

Spamming is big business. Those responsible are not likely to be just bored teenagers looking for a little easy fun. You can be sure that these spammers have already tested their e-mails against most of the common commercially available antispam products. If they hadn’t, why bother sending the spam out at all when it would immediately be trapped by antispam software? And that is why, despite having up-to-date antispam software, users are still getting spam messages in their mailboxes.

What about manual pattern block lists? This is more often than not a wasted effort. During a spam flood, you might block some of it. However, after a short time, your antispam vendor should have released an update that also covers the very spam you are trying to block, making your manual entry redundant. More importantly, as you build up your manual block list, your antispam software has more and more work to do to scan your mails, making it more and more inefficient.

“But surely there’s better software out there?” you may ask.

Hmmm… yes, but who will determine which software is the best? Every time a new roundup of antivirus / antispyware / antispam software is reviewed, another product takes the crown as the most effective, or the so-called best. No one product consistently takes the top honours every time around. Do you then buy the flavour of the month every so often? Most corporate-wide security software locks you in for a minimum of 12 months or longer. You can’t be switching your software every so often or it will cost your company thousands each time.

“ISPs offer mail filtering – should we be using them for e-mails instead?”

Some of you already know the answer to that yourselves. Some ISPs’ mail filtering causes more problems than the spam itself (i.e. important mails going to the land of the never-never, not to be seen again, uncontrollable mail delays, etc.). And some of you who have used, or are using, ISP mail filtering also find that a substantial amount of spam still gets through. Sounds familiar?

So, what can we do? At the end of the day, we can only do what we can to minimise spam. Given current technology, there is no single solution to ensure you are spam free (well, actually there is, and it is called total internet abstinence ;)). There are a number of things you can do to minimise spam. How far you want to take it is up to you. The following options are available:

Lowest level:

Integrated Antivirus / Antispam software for your mail server. This is what most of you will be using already.

Next level:

Gateway / perimeter level scanning. A gateway / perimeter server must be set up to run mail filtering software. If you want to cover your bases, you will probably end up using a different vendor’s product at this level than at the lowest level.

Hosted Mail Scanning:

More and more security vendors are now offering hosted mail scanning. This basically requires that you change your Internet mail to flow through the security vendor’s hosted mail scanning systems before being delivered to your own servers. In addition to filtering out the nasties, there is also the added benefit of reducing the amount of traffic your internet connection consumes, as the unwanted / undesirable mails will have been blocked or removed before ever reaching your internet gateway. We are greatly in favour of this option.

Will these measures ensure you don’t receive any spam at all?


Will it cost even more money?

Most certainly (both in licensing costs as well as manual time costs to manage both quarantines).

Is it worth it?

I’ll leave that up to you to decide.

