E-mail spam: Is it a Security Issue?

by Deb Shinder. Published on 3 Feb. 2004 / Last Updated on 3 Feb. 2004

The daily deluge of unsolicited commercial or offensive messages (more commonly known as spam) comprises one of the biggest problems facing network administrators and users today. In this article, we will examine how spam presents a security threat to your network, and we’ll discuss the most effective way to deal with it: a multi-layered or “defense in depth” approach that addresses spam at the firewall, server and client levels.

At last year’s Comdex event in Las Vegas, Bill Gates named spam as one of the major challenges for the technology world. Lawmakers in the U.S. Congress recently passed the “Can Spam” Act. And no wonder – spam costs companies money in excess bandwidth usage. It takes up the time of employees who could otherwise be engaged in more productive work. It puts a heavy processing load on the mail server. It eats up disk space on both servers and client machines. It reduces overall performance of the network. Everyone knows it’s a nuisance – but is it also a security issue?

Does spam threaten your network’s security?

Certainly if dozens of salespeople came to your door every day, strong-armed their way into your house or place of business (often using false names or fraudulent premises to talk you into letting them inside) and then deluged you with sales pitches or displayed offensive photos to you and your children, you would feel your security had been breached. That’s exactly what spam does to your computer.

Every access point into your network presents a potential threat to the security of your systems. Spam is no exception. In an effort to “stand out from the crowd,” spammers often send their messages as HTML mail, which can carry embedded malicious code. Other spam messages include attachments that can contain macro viruses. Spam mail may point recipients to Web sites that contain scripts to collect information, or include links that purport to take you off the spammer’s mailing list but in fact just verify that your e-mail address is a “live” or active one (and thus valuable for sale to other spammers). Spammers use “harvest attack” techniques to collect addresses from corporate email directories. Some spammers spoof the addresses of legitimate companies, banks, etc. in an attempt to gather credit card and other personal information. Even when spam consists of “only” plain text messages advertising a product, the sheer volume can threaten the integrity of your network, causing an unintended denial of service.

Types of spam

We tend to think of spam as unwanted email, but it’s more than that. Spammers also send unwanted messages of other types, including newsgroup posts, instant messages, Web board postings, and even exploitation of services such as Windows messenger to get their advertising or obnoxious messages through.

Spam can also be categorized in other ways:

  • Junk mail – mass mailings from legitimate businesses that are unwanted.
  • Non-commercial spam – chain letters, urban legends, joke collections and other mass mailings of unsolicited messages without an apparent commercial motive.
  • Porno spam – mass mailings of “adult” advertisements or pornographic pictures.
  • Spam scams – mass mailings of fraudulent messages or messages designed to con people out of personal information for the purpose of identity theft and other criminal acts.
  • Virus spam – mass mailings that contain viruses, Trojans, malicious scripts, etc.

Last year, Spamcop (www.spamcop.net), which runs a service that allows you to report spammers, received over 183 million spam reports.

Anti-spam technologies: Which is the best?

“Spam whackers” are some of the most popular software programs available, but not all are created equal. There are a number of different types of anti-spam technology, so it pays to examine your options before you invest, especially when considering a high dollar server-side solution.

Some spam control techniques include:

  • Key word filtering: this is a type of application layer filtering (ALF) that lets you block all messages containing particular keywords or phrases (text strings) that commonly appear in spam (for instance, “Viagra” or “hot sexy babes”).
  • Address blocking: this is a filtering method that blocks mail from particular IP addresses, email addresses or domains of known spammers.
  • Black listing: maintaining a list of known spammers’ addresses that can be shared with others, so each user doesn’t have to develop the list from scratch.
  • White listing: filtering method that, instead of specifying which senders should be blocked, specifies which senders should be allowed.
  • Heuristic filtering: rules-based filtering that uses pattern matching to identify spam.
  • Bayesian filtering: “intelligent” software that can analyze spam messages and recognize other messages as spam based on the “learning” experience.
  • Challenge/Response filtering: replies to email from senders not on a “trusted senders” list with a challenge, usually involving solving a task that is easy for humans but difficult for automated bots or scripts.

Note: Tasks that can be easily done by humans but not by computers are sometimes called “captchas.” An example is the display of a distorted bit of text, with the requirement that you type in the word that it spells. For more about challenge/response filtering and captchas, see http://email.about.com/cs/spamgeneral/a/challenge_resp.htm.

No one method can ensure 100% effectiveness against spam. Spammers are constantly changing their addresses, updating their content and using “tricks of the trade” such as misspelling key words or using spaces or periods (e.g., “v.i.a.g.r.a.”) to circumvent the filtering systems.

A particular problem with spam filtering software is the possibility of false positives – messages that are identified as spam and intercepted, but which are actually legitimate (and sometimes important) email messages. The only thing worse than spam getting through to the user’s inbox is for the user to miss a critical message because it was caught by the spam filters. Regardless of the methods used to identify spam, a good anti-spam program should include a white listing mechanism, by which users can specify that mail messages from certain addresses should be delivered regardless of what “spam triggers” they trip.
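The filter ordering described above (white list first so trusted senders are never lost to a false positive, then address and domain blocking, then keyword filtering with a small normalisation step to defeat the “v.i.a.g.r.a.” trick), as an added Python example that is not the article’s own code; the addresses, domains and messages are constructed for the example.

```python
import re
from email import message_from_string

# Constructed policy values (assumptions for this example, not from the article).
WHITELIST = {"pharmacist@partner.example"}   # always delivered, whatever the content
BLOCKED_SENDERS = {"offers@promo.example"}   # addresses of known spammers
BLOCKED_DOMAINS = {"bulkmailer.example"}     # domains of known spammers
# Keyword filtering: strings that should never appear in legitimate mail here.
KEYWORDS = ("viagra", "hot sexy babes")

# A single letter, a run of separator characters, then another single letter:
# "v.i.a.g.r.a", "v i a g r a" and "v-i-a-g-r-a" all collapse to "viagra".
_SPLIT_LETTERS = re.compile(r"\b(\w)[\W_]+(?=\w\b)")


def deobfuscate(text: str) -> str:
    """Lower-case the text and re-join letters that were separated by dots or spaces."""
    return _SPLIT_LETTERS.sub(r"\1", text.lower())


def sender_address(msg) -> str:
    """Return the bare, lower-cased address from the From: header."""
    raw = msg.get("From", "")
    m = re.search(r"<([^>]+)>", raw)
    return (m.group(1) if m else raw).strip().lower()


def classify(raw_message: str) -> str:
    """Apply the layers in order: white list, sender/domain blocking, keyword filter.

    Returns "deliver", "block:sender", "block:domain" or "junk:<keyword>".
    """
    msg = message_from_string(raw_message)
    sender = sender_address(msg)
    if sender in WHITELIST:            # white listing wins over every other rule
        return "deliver"
    if sender in BLOCKED_SENDERS:
        return "block:sender"
    if sender.rsplit("@", 1)[-1] in BLOCKED_DOMAINS:
        return "block:domain"
    text = deobfuscate(msg.get("Subject", "") + "\n" + msg.get_payload())
    for kw in KEYWORDS:
        # Word boundaries stop "viagra" matching inside an unrelated longer word.
        if re.search(r"\b" + re.escape(kw) + r"\b", text):
            return "junk:" + kw
    return "deliver"
```

Words obfuscated with separators inside multi-letter chunks (e.g. “via gra”) still slip past this normaliser, which is one reason the article recommends combining it with heuristic or Bayesian filtering at another layer.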

Fighting spam effectively: a multi-layered approach

Because no single spam control program can do it all, the most effective way to filter spam is by setting up a “defense in depth” plan. An application layer filtering firewall can be configured to stop the most egregious spam at the network perimeter. Then a good filtering program on the server can catch most of the rest of the spam there, so that it never reaches the end-user’s computer. Finally, the email client’s built in filters or a client-side add-on can redirect any remaining suspect email into a “junk mail” folder on the user’s system.

Fighting spam at the firewall level

ALF-enabled firewalls (such as Microsoft’s ISA Server) can filter messages based on key words or character strings. At this level, you should be careful to set filters only for words or phrases that would never be expected to appear in legitimate email. IP addresses and domains can also be blocked at this level if they are known to belong to spammers.

The big advantage of doing some of the spam filtering at the firewall is that it takes some of the processing load off the mail server. Spam filtering is a processor intensive activity, so spreading that load increases performance of your mail servers and saves local network bandwidth.

Fighting spam at the server level

There are many applications designed to block spam at the server level. Some of these are installed on the email server itself and others are installed on a separate server. The latter requires a greater initial expenditure for hardware but relieves the processing load on the mail server so it can do its primary job more efficiently.

Server side tools are often fairly expensive, but have the advantage of blocking spam for large numbers of users in the organization. The more spam is blocked at the server level, the less time end-users will spend reading and deleting it, thus resulting in increased worker productivity. Server side spam blockers such as GFI’s Mail Essentials (http://www.gfi.com/mes/) are designed to work with specific mail server software, such as Exchange, and may also contain additional email enhancement features such as monitoring, reporting and mail archiving capabilities.

Exchange Server 2003 will be able to use Microsoft’s Intelligent Message Filter add-on, based on their SmartScreen spam filtering technology. SmartScreen is the same technology used for Web-based Hotmail and MSN mail and is integrated into Office 2003’s version of Outlook. For more information about SmartScreen, see http://www.microsoft.com/presspass/press/2003/nov03/11-17ComdexAntiSpamPR.asp.

Fighting spam at the client level

Most popular email clients include some form of spam filtering built in. For example, Outlook and Outlook Express both include junk email filtering, as do Eudora, Netscape Mail and most other commonly used clients.

Outlook 2003 has greatly improved its junk mail filtering, adding the ability to configure “safe senders” and “safe recipients” lists so you can whitelist individuals or mailing lists whose mail you want to get through even if it meets other spam criteria. It also lets you blacklist particular senders or domains using the “blocked senders” list.

Note: In Outlook 2003, if you’re using an Exchange server account, you’ll need to work in Cached Exchange mode before you can set up the junk mail filters.

Many third-party products are available for filtering email. These include POP3 filters, POP3 Proxy filters (that sit between the client and the POP3 mail server) and IMAP filters. There are programs that integrate with your email client and add rules to be used by its filtering mechanism. There are also Webmail spam filters for those who use Yahoo, MSN, AOL, Hotmail and similar services for their email.

For a list of client-side spam filtering programs, see http://www.geocities.com/spamresources/filter-client-win.htm

Summary

Spam is a big problem for everyone from the individual home Internet user to the multi-national corporation that depends on email communications to conduct business. Not only is it a nuisance, it can also present a security threat to your network. There are hundreds of products designed to combat spam, but the most effective anti-spam plan utilizes a multi-layered, “defense in depth” approach. This means intercepting spam at the network perimeter (firewall filtering), at the mail server, and on the client side. In this article, we’ve provided an overview of how such a strategy can help you get a handle on the deluge of spam that threatens your network on a daily basis.

The Author — Deb Shinder


Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.