Control Your Spam!


It is presumed that nearly 2/3rds of email traffic is spam, even though spamming is technically illegal under US federal law; the federal CAN-SPAM (Controlling the Assault of Non-Solicited Pornography And Marketing) Act of 2003 has been largely unenforceable. Spam is not just an annoyance, though: it is increasingly the delivery mechanism for malware that can harm your computer, trick users into sharing private information, or, worse yet, turn your machine into a mindless spamming zombie.

Spam filtering, and a small business's response to spam in general, is therefore largely in the hands of individual users. Here are some good ideas for approaching spam.

1. Create an internal email Acceptable Use Policy (AUP).

Demonstrate that the company is serious about controlling spam by creating an email acceptable use policy. Policies reflect management intent: if management doesn't set policy, management never intended to implement a control. Therefore, small businesses should officially encourage employees to avoid using their work email address for any unofficial purpose.

2. Install Technical Controls that enact the AUP.

Administrators responsible for small business networks should enable Technical Controls that reinforce the AUP and support best practices. These controls should include regularly updated anti-spyware, anti-spam, and anti-virus protection on workstations and servers, and a regular patching process for operating systems. They should also involve auditing and compliance verification.

3. Email aliases should not be simple names.

Names like “Jack@” or “Mark@” are easily guessed by spam automation systems. Administrators for small businesses should create less predictable aliases like “mark.hayes@” or “mhayes@” so that potential email addresses are harder to guess.

4. A number of reasonable precautions should be taken on the client workstation:

a. Turn off automatic acceptance of meeting requests. Automatic acceptance tells the spammer that they have hit a live, working email address.

b. Turn off read-receipts. When a read-receipt is generated, it likewise notifies the spammer that the email address is valid, and they will target more mail at it.

c. Turn off HTML rendering in preview screens. When a client reaches out to fetch a remote graphic referenced in an email, the act of downloading the image notifies the spammer’s server that a human potentially read the message, allowing them to target more effectively.
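As an added example (not code from the original post), here is a Python check a mail administrator could run on a message before a client renders it, flagging the two read-confirmation leaks described in items 4b and 4c: a read-receipt request header and remote images, counting 1x1 ones as tracking pixels. The sample message and all hostnames are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class _RemoteImageFinder(HTMLParser):
    """Collects <img> tags whose src points at a remote (http/https) host."""
    def __init__(self):
        super().__init__()
        self.remote_images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = {k: (v or "") for k, v in attrs}
        if urlparse(attrs.get("src", "")).scheme not in ("http", "https"):
            return  # inline cid: or data: images do not phone home
        # A 0x0 or 1x1 remote image is the classic open-tracking pixel.
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        self.remote_images.append({"src": attrs["src"], "tiny": tiny})

def audit_message(raw: bytes) -> dict:
    # Flag the two read-confirmation leaks before the client renders anything.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        # RFC 8098 read-receipt request; honouring it confirms the address is live.
        "read_receipt_requested": msg.get("Disposition-Notification-To") is not None,
        "remote_images": [],
        "tracking_pixels": 0,
    }
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        finder = _RemoteImageFinder()
        finder.feed(html_part.get_content())
        findings["remote_images"] = [img["src"] for img in finder.remote_images]
        findings["tracking_pixels"] = sum(1 for img in finder.remote_images if img["tiny"])
    return findings

# Constructed sample message; hostnames are placeholders, not real senders.
SAMPLE = b"""From: promo@sender.example
Disposition-Notification-To: promo@sender.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello!</p>
<img src="https://tracker.example/open?id=abc123" width="1" height="1">
<img src="https://cdn.example/banner.png" width="600" height="100">
<img src="cid:logo" width="50" height="50">
</body></html>
"""
```

A message with any remote image or a read-receipt request is one the client should show as plain text rather than render.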

5. A number of reasonable precautions should be taken by end-users:

a. Do not open spam. Delete it immediately from your inbox.

b. Buy nothing from spammers. Buying even once will get you subscribed to additional lists.

c. Never reply to spam and never unsubscribe from a list; this will only get you on another list.

d. Never provide personal private information (PPI) in email for any reason. Not only is email insecure, but no reputable company will ask you for PPI by email.

e. Never click on a hyperlink delivered in an email from somebody you do not know or trust.

f. Do not forward chain emails or letters. Doing so only places the email address of everyone you forward them to onto spam lists. Never broadcast bulk emails with public email addresses in the TO: or CC: fields, because all you’re doing is providing the spammer with more email addresses to spam. Bottom line: don’t spam others.

g. Never contribute to a charity via email. Such a request is more likely to be a phishing attack.

6. And finally, some best practices for everyone:

a. Be conscious of where you post your email address. Never post your email address in a public space such as forums, community groups, websites, blogs, IMs, or picture or video descriptions. Your email address should always be obscured through scripts and other technologies that prevent it from being “scraped” off the Internet.

b. Read the Terms and Conditions of the sites you submit your email address to. Read the Privacy Policy. Know where you are submitting your PPI and what they intend to use it for. Don’t subscribe to news or mailing lists that don’t publish a privacy policy.

c. Do set up a spam email address separate from your normal email address. Use the spam address for public content and keep your private email address a secret. Use Google and its automatic, free anti-spam utilities for your spam email address; it’s free and simple.

d. Watch out for the little check boxes at the end of subscription processes that opt you in to being contacted by third parties.

Spam, to some degree, is an unavoidable part of modern computing. There is, however, a direct correlation between the volume of spam received and the behaviors of managers, technology administrators, and end-users alike. Management should treat spam as a form of Denial of Service attack that takes resources away from the vital processing of legitimate email and can harm brand and reputation; technology administrators need to be more proactive in installing and monitoring defensive safeguards; end-users must take more personal responsibility for not sharing email addresses with others. Together, all of these parties can work towards a better, more constructive business solution.
