Getting Clueful: Five Things You Should Know About Fighting Spam
The battle for your users' e-mail inboxes probably will never end, but it's not a failure of technology. Experienced e-mail and system administrators share the key points they really, really wish you understood.
By Esther Schindler
February 15, 2007
When you started your e-mail client this morning, you were prepared for the usual set of correspondence: your daily dose of corporate politics, a dollop of technical emergencies and the background hum of projects under way. Annoyingly, your inbox also contained a few messages advertising products you would never buy, and perhaps a phishing notice warning that your account was frozen at a financial institution where you don't have an account. Your company has antispam measures in place; surely, the IT staff should be able to keep this junk out of your inbox?
Perhaps they can, but the task of doing so has become much more difficult in recent years, partly because 85 percent or more of all e-mail traffic today is spam. If you haven't been listening closely to the dark mutterings in your e-mail administrator's office, you may have missed out on significant clues about the nature of the problem and what the IT department can do to address it. However, when you do listen to the technical staff, it's easy to get lost in their arcane acronyms, such as SPF and RBLs, and you may drown in more information than you really wanted to know.
To learn what's really happening in the technical trenches, we asked several e-mail administrators to tell us about the key items—the single key item, in fact—that they wish their IT management understood. If you read through their wish list, you may be able to understand the nature of their challenges and, perhaps, help them clean out your inbox.
In brief, says Keith Brooks, vice president at Vanessa Brooks, "Stopping spam is a mixture of luck, intelligence, alcohol and planning." With luck, he says, your CEO never hears about spam. "But without it, the CIO never stops hearing about this issue."
1. Lose No Mail.
The primary directive for e-mail admins is "lose no mail." If that means that an occasional spam message wends its merry way into users' mailboxes, so be it. E-mail administrators would rather users encounter a few annoyances than miss an important business message.
Dr. Ken Olum, a research assistant professor in the Tufts Institute of Cosmology, also maintains the institute's computers. Olum explains, "The most important thing is never to silently drop an important e-mail. If you just drop it, your correspondent thinks you aren't answering on purpose or forgets all about you. So suspected spam should always be rejected and never dropped. Sequestering it is only slightly better than dropping it, because you have to look through the sequestered spam, and most people don't bother."
Nonetheless, many CIOs ask their IT department to keep the e-mail boxes clear of anything offensive. Yet, according to Scott Kitterman of ControlledMail.com, "I want zero spam and I want to never ever miss a legitimate message" isn't feasible. Kitterman explains, "This is a risk management practice, and you need to decide where you want to put your risk. Would you rather risk getting spam with lower risk of losing/delaying messages you actually wanted to get, or would you rather risk losing/delaying legitimate messages with lower risk of spam? You can't have both, no matter how loudly you scream."
Tom Limoncelli, author of The Practice of System and Network Administration (Addison-Wesley) and Time Management for System Administrators (O'Reilly), stresses that because fighting spam is not an exact science, there always will be false positives and false negatives. The IT department has to cope with this. Limoncelli had a CTO complain when he missed an important message because it was caught in the spam filter. Says Limoncelli, "This system sent him e-mail once a day with a list of his messages that had been blocked; clicking on any of them 'releases' it from the quarantine. … He wanted a report for every message that was blocked. At least that was his initial request; he then realized that he had asked for an e-mail to warn him of every e-mail!"
2. There's No Silver Bullet.
In many areas of IT, the long-term solution is a simple one: Adopt the single right methodology, hire the right consultant, buy the most appropriate product. But your IT staff wants you to understand that spam isn't a problem that can be solved with a single technology, a single product or any one answer.
Vendors of spam-fighting hardware and software will tell you different—but they're wrong. Bill Cole, senior technical specialist at T-Systems North America, has been fighting spam for more than a decade. Everyone involved in that fight, he says, dreams of the "Final Ultimate Solution to the Spam Problem." He cautions that people who yearn for a single answer may fall prey to a vendor's magical "answer," but "in a year or so, the magic is gone and the spammers have adapted." Then, he notes, "managers get upset, a new 'solution' gets deployed, and the cycle goes around again."
Brad Knowles, a consultant, author, and former senior Internet mail systems administrator for AOL, adds, "In almost all cases, the so-called 'simple' answers are the ones that don't work. In fact, they're almost always the ones that make the problem much worse than it already was. Since we've been fighting spam for over a decade, pretty much all the good simple ideas have already been thought of and implemented, and the spammers have already worked around them."
Unfortunately, the result is that fighting spam is a complex endeavor. Says Knowles, "You're probably going to have to use multiple solutions from multiple sources. You're going to have to keep a constant eye on things to make sure that, when they blow up, you find out as quickly as possible. And you [need] multiple layers of business continuity plans in place to handle the situation."
3. It's a Continuous Battle. Budget Accordingly.
Spammers succeed only when they get messages to user inboxes, so they are motivated to counter any barrier between them and their intended recipient. As a result, your IT department will never be done implementing solutions.
Points out David Linn, computer systems analyst III at Vanderbilt, "Spam pushers update their tools as fast as the spam defenders work out a defense to yesterday's attack type. This seems to be the thing that those who want to buy an off-the-shelf solution and then forget about it least understand and least want to understand. The very speed of innovation that makes 'Internet time' so attractive in other contexts is the enemy here."
Cole describes spam as mail that evolves and adapts and thus requires an adaptive and evolutionary approach to defense. Spam cannot be handled as a discrete project with a list of deliverables and a three-month project plan. While you may initially have success by doing so, he says, "Expect to repeat the exercise again next year, and the year after that, and on infinitely."
This is a major nuisance to managers, because they have to pay a staff of high-skill people (either directly or indirectly) for ongoing open-ended work. As Cole notes, "Like many other areas of security, it is a potential bottomless pit for computing resources and the best technical staff and hence for money, so drawing the lines on it is a managerial challenge."
Martin Schuster, in charge of IT at CenterPoint, argues the business case for spam defense by extending spam fighting past technical and ethical issues (such as, say, forcing everyone to use PNG instead of GIF, not use special characters in file names, and so on). Schuster focuses on the financial cost and motivations, from the cost of sending spam to the cost of removing it (from infrastructure to manually deleting messages). He comments, "Fighting spam costs money. If your mail server administrator talks to you about fighting spam, and wants equipment and time to implement it, listen to him. His haircut may seem weird, but he's talking about saving money."
Adam Moskowitz, a Boston-area independent consultant and author of Budgeting for Sysadmins, says, "If a sysadmin can't show that fighting spam is costing the company money, then that sysadmin has no business talking to management about the problem. If the sysadmin doesn't understand and can't demonstrate how fighting spam affects the company's bottom line, upper management certainly isn't going to be able to make the connection."
Does all this seem insurmountable, given your company's resources? If you aren't willing or able to manage the e-mail and spam measures yourself, outsource it. Plenty of hosted e-mail service providers can handle part or all of a company's e-mail system. According to Limoncelli, "The spam system has to be upgraded constantly. This can fill an entire full-time position. If you don't have that kind of staffing, the best solution is to let someone else handle it."
4. Understand the Basics of E-mail Technology.
Administrator Micheal Espinola Jr. says his primary wish is for "top management to understand the mechanics of how e-mail works. Then, and I believe only then, would they be able to grasp the concepts that elude most users of e-mail." When management has the right information, Espinola believes, it can make excellent decisions, but a lack of understanding can severely hinder that ability. "If the admin is wasting time troubleshooting or improvising because of subpar technology, it takes away from time spent for the productivity issues of others."
This doesn't mean you have to become a guru on the subject; just learn enough to understand what your e-mail administrator is telling you. Michael Silver, network administrator at Parkland Regional Library, emphasizes, "A great deal of difficulty arises when trying to address spam—and e-mail problems in general—if the people involved don't have a good understanding of how the mail system works, including a basic understanding of the different protocols, services, etc. I don't expect [CIOs] to know the ins and outs of configuring sendmail, but [they] should have a basic understanding of terms like POP, SMTP, IMAP, MTA and MUA." Added an admin named Eric, "If the CIO knows and understands the mechanisms of how e-mail is received and sent, then explaining the need for additional servers, bandwidth, storage, redundancy, etc., is accomplished much more easily. ... Once you understand that, you get a very good insight in the shortcomings of the SMTP protocol and how/why spam is becoming such a huge problem and cost nightmare."
While most admins want you to understand e-mail basics to make it easier to explain corporate challenges, sometimes it gets personal. Larry Ware, Federal Signal Global Network Boffin, is frustrated by managers who don't understand how the technology works. "They spent some money for some software; why is spam still getting in? Even worse: Why did the system block mail from my nephew? He is running a mail server on his cable modem; he clearly knows how to set up a mail system, why can't you? Explaining why his nephew's mail server is in dozens of public blocking lists for being a spam cannon is a lot harder than you might think. How do you do it without implying his nephew is an idiot?"
Another side effect of the lax understanding of e-mail technology is that the entire system is misused, with spam only one tiny part. Stewart Dean, a Unix system admin at Bard College, says, "The result is users who regard e-mail as a sort of problematic tool that might as well be magic. Not understanding it, they bang on it and misuse it in the most preposterous ways." According to Dean, that's why your e-mail admin screams when users attach a 200MB file to a mail message without knowing that it was 200MB or even what 200MB means. Then those same users wonder why it doesn't go through. Worse, they then repeatedly resend the message. Finally, Dean says, "they get furious at IT that the goddamn magic isn't working."
5. People Are Making Money on Spam. Respond Appropriately.
Most of e-mail administrators' time is spent dealing with technology issues or trying to explain it to you in business terms. But for some, the issue is a larger one: someone else's business model. They want you to understand that spam is sent by an intelligent, adaptable and well-funded enemy. Some admins believe that with corporate budgets and legal resources, it's even possible to fight back.
Brent Jones, network technician at Smarsh Financial Technologies, wants IT management to understand that someone is working very hard to destroy the spam barriers administrators put in place. "There is a large financial incentive [for spammers] to get their spam into your mailbox," he says. "They will fight to get your eyes, and it costs them nothing to try everything in the book."
Nor are spammers ordinary businessmen. Alessandro Vesely, a freelance programmer and service provider in Milano, Italy, points out that "much spam is the result of criminal actions, such as infecting IT systems and using false identities. Technically, spam can be stopped if everybody else wants to be responsible for what they send. What lacks is the political will to do so."
Sam Varshavchik is an independent contract consultant who serves many of the better-known financial firms on Wall Street. He believes strongly that "CIOs should stop giving their business to Internet providers with a bad track record of engaging in spam support services and instead encourage and support—with their budgets—lesser-known but more socially responsible and respected providers of data and Internet service." If CIOs instituted a policy of disqualifying any vendor of Internet, data or communication services that appears anywhere on Spamhaus's top 10 list from doing any business with the company, Varshavchik feels, "the spam problem will pretty much disappear, mostly overnight." Few CIOs who are considering vendors take the time to run that check, he says, and those few minutes can save an untold amount of grief.
Perhaps you'll take some of the e-mail admins' advice; perhaps not. But they desperately wish that company management would support them in the endeavor to clean up users' e-mail inboxes. Fritz Borgsted, a system engineer at Unicorn Communications who also leads the development of ASSP (Anti-Spam SMTP Proxy, an open-source project), believes that fighting spam reflects the quality of life in the digital age. Borgsted says, "A mailbox without spam is like a private restroom; with spam, it looks like a public one."