Fight Spam Smarter!

So a lot of clients have asked about spam this week. Many of my clients feel helpless when it comes to spam and are uncertain how to stave off the flood of unsolicited email. Believe it or not, though, small businesses do have a variety of options available to them:

1. Legal Remedy
2. Education
3. Client-side Software
4. Server-side Software and Configuration
5. Dial-Up Listing (DUL) IP Addresses

First, there are legal tools available to consumers and to business. The Federal CAN-SPAM Act of 2003 (Controlling the Assault of Non-Solicited Pornography and Marketing Act) addresses legal requirements for solicitors that use email and websites for commercial advertisement. The CAN-SPAM Act of 2003:

1. Bans false or misleading information in email solicitation.
2. Prohibits deceptive subject lines in email solicitation.
3. Requires that email recipients are given an opt-out method.
4. Requires that commercial email be identified as an advertisement and include the sender’s valid physical postal address.
5. Makes deceptive commercial email subject to laws banning false or misleading advertising.

The CAN-SPAM Act is enforced by the FTC, which may refer complaints to the Department of Justice for civil and criminal penalties. Each violation can subject a party to fines of up to $11,000, and if intentional hacker-like mechanisms are involved, additional fines and criminal imprisonment aren’t out of the question.

Small businesses and consumers should visit the FTC’s website on spam for more information. If you receive a suspicious email, the FTC encourages you to forward that email to spam@uce.gov to have it examined and placed into a national database. And if you wanted to go a bit further, you could file an online complaint with the FTC for investigation.

How effective is enforcement? Questionable. Many spammers are outside US jurisdiction – using the FTC to enforce spam requirements, though, is one way to help build their knowledge base and make it better for everybody.

Second, there are some common-sense, practical steps that small businesses can take to educate their employees on the risks that encourage and facilitate spam. Knowledge is Power: educate your staff. The Federal Government offers OnGuard Online – a website dedicated to informing the consumer on best practices. Personally, I think this advice is practical and easy to digest; a good resource for the small business.

Third, some technical tools for the client computer. If you’re running Microsoft Outlook 2003, enable the Junk Email Filter and use Microsoft Update to manually update your spam definition file. Set your filter to “high” and keep a good eye on your Junk Mail folder – sometimes, legitimate content will be placed there. This provides a layer of protection built into the email application itself. Also, purchase an anti-virus package with built-in anti-spam protection. This kind of software inspects email before it reaches your email software, which provides another layer of protection. For a freebie solution, a buddy of mine recommends Panda Software to his clients. Hey, free is good, and something like Panda can offer a bit of protection, but watch for problems with support and compatibility.

Fourth, some technical tools for the email server.

1. Your email application server should be appropriately patched, and relaying should either be restricted to a specific IP or, if at all possible, all relaying and proxy services should be turned off altogether.

2. Anti-virus should be current and the operating system patched to prevent your system from becoming a mail zombie for spammers.

3. Take a few minutes to review your server’s SMTP relaying configuration. If your shop runs Microsoft Exchange, I’d highly recommend the Best Practices Analyzer Tool. A freebie from Microsoft, it analyzes the configuration of your Exchange installation, spots significant problems or misconfigurations, and gives you instructions on how to fix them.

4. Run a 3rd party anti-spam filter. This intercepts messages just like an anti-virus solution and scans their content against a definition file. Some good commercial names in this area are Symantec’s Brightmail solution and the Extensible Messaging Platform from Korsmeyer; a personal opinion: never run a 3rd party freebie anti-spam product on your server – this would seem like an invitation to disaster. Now, if you run Microsoft Exchange 2003 and have patched up to service pack 2, I recommend you get to know the Intelligent Message Filter: the native anti-spam filter inside of the Exchange product. It’s not sophisticated (Microsoft is pushing its hosted services for higher-scale), but it’s something. A lot of small businesses I meet don’t even have this appropriately configured and working for them.

And finally, dial-up and xDSL accounts are issued from a pool of IPs from the ISP that are categorically classified as DUL IPs. Some email servers actually filter or prohibit DUL IPs from delivering, relaying, or receiving email. Sometimes you’ll get an NDR (Non-Delivery Report) citing a failure due to your IP being in the DUL list. In this kind of situation, if you’re hosting your own mail server, the small business needs to upgrade its residential service to a commercial service to be assigned a static IP, or consider a PPPoE connection with its ISP, or look at the ISP “smart hosting” its mail services on its behalf. This would avoid both being treated like a spammer and being attractive to spammer automation on the web.
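The relay restriction from item 1 of the server-side list and the DUL rejection described above, seen from the receiving mail server's side. This is an added example, not code from the original post or from any mail product; the config keys, the `dul.example` zone and every address are constructed for illustration, and the lookup follows the usual DNSBL convention (reversed octets under the list's zone, an answer in 127.0.0.0/8 means listed).

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """Listed IPs resolve into 127.0.0.0/8; unlisted ones do not resolve."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")

def rcpt_decision(client_ip, rcpt_domain, cfg, resolve=socket.gethostbyname):
    """What the server does with one recipient offered by one client."""
    client = ipaddress.ip_address(client_ip)
    trusted = any(client in ipaddress.ip_network(n) for n in cfg["relay_networks"])
    if rcpt_domain.lower() not in cfg["local_domains"]:
        # Mail for someone else's domain is relaying: trusted hosts only.
        return "relay" if trusted else "reject: relaying denied"
    if not trusted and cfg["dul_zone"] and is_listed(client_ip, cfg["dul_zone"], resolve):
        return "reject: client IP is on the DUL"
    return "deliver"

def is_open_relay(cfg, resolve=socket.gethostbyname):
    """Open relay: an outside host can send to an outside domain."""
    return rcpt_decision("198.51.100.77", "elsewhere.example", cfg, resolve) == "relay"

# Constructed sample data: documentation IP ranges and a hypothetical DUL zone.
FAKE_DUL = {"25.113.0.203.dul.example": "127.0.0.2"}

def fake_resolve(name):
    """Offline stand-in for DNS; unknown names fail like NXDOMAIN."""
    if name in FAKE_DUL:
        return FAKE_DUL[name]
    raise socket.gaierror("name not found")

WEAK = {"local_domains": {"smallbiz.example"},
        "relay_networks": ["0.0.0.0/0"], "dul_zone": None}
FIXED = {"local_domains": {"smallbiz.example"},
         "relay_networks": ["192.0.2.10/32"], "dul_zone": "dul.example"}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, "config is an open relay:", is_open_relay(cfg, fake_resolve))
    print(rcpt_decision("203.0.113.25", "smallbiz.example", FIXED, fake_resolve))
```

Dropping the `resolve` argument makes the same functions query real DNS, with `dul_zone` set to whichever list your server is configured to consult.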

My experience tells me that most small businesses concentrate on client-side software tools only, when in fact, there’s a more holistic strategy to consider. Good luck in blocking that spam!

R

Russell Mickler works as a technology consultant in Battle Ground, WA, USA. With over thirteen years of experience, Mickler holds a CISSP, MCSE, a Master’s Degree in Information Technology, and is pursuing his Doctorate at Walden University. His website can be found at www.micklerandassociates.com; he can be contacted at mickler@micklerandassociates.com.

Anonymous says:

Comment posted on: September 21, 2006

Check out the spammer's location with an IP geomapping tool, like http://www.ip-adress.com

It's interesting to see where the spammer is located.

Russell Mickler, MCSE | CISSP says:

Comment posted on: September 21, 2006

A great idea, particularly if you have an 80/20 problem: 80-percent of your spam comes from 20-percent of the spammers.

Thanks, a very good idea!
R